lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <ad59e599-9d6e-211a-957b-410a43eccbdb@huaweicloud.com>
Date: Mon, 19 Aug 2024 09:17:25 +0800
From: Yu Kuai <yukuai1@...weicloud.com>
To: Damien Le Moal <dlemoal@...nel.org>, Yu Kuai <yukuai1@...weicloud.com>,
 Zheng Qixing <zhengqixing@...wei.com>, cassel@...nel.org
Cc: linux-ide@...r.kernel.org, linux-kernel@...r.kernel.org,
 yi.zhang@...wei.com, yangerkun@...wei.com, "yukuai (C)" <yukuai3@...wei.com>
Subject: Re: [PATCH -next] ata: libata: Fix memory leak for error path in
 ata_host_alloc()

Hi,

在 2024/08/16 18:32, Damien Le Moal 写道:
> On 8/16/24 15:42, Yu Kuai wrote:
>> 在 2024/08/16 11:58, Zheng Qixing 写道:
>>> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
>>> for a port, the allocated 'host' structure is not freed before returning
>>> from the function. This results in a potential memory leak.
>>>
>>> This patch adds a kfree(host) before the error handling code is executed
>>> to ensure that the 'host' structure is properly freed in case of an
>>> allocation failure.
>>>
>>> Signed-off-by: Zheng Qixing <zhengqixing@...wei.com>
> 
> I did not receive this patch and I do not see it on the list either. Something
> went wrong...
> Can you resend please ? Thanks.
> 
>>> ---
>>>    drivers/ata/libata-core.c | 4 +++-
>>>    1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
>>> index e4023fc288ac..f27a18990c38 100644
>>> --- a/drivers/ata/libata-core.c
>>> +++ b/drivers/ata/libata-core.c
>>> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
>>>    	}
>>>    
>>>    	dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
>>> -	if (!dr)
>>> +	if (!dr) {
>>> +		kfree(host);
>>>    		goto err_out;
>>> +	}
>>
>> Looks correct, dev_set_drvdata(dev, host) is not called yet.
>> ata_devres_release won't free host in this case.
>>
>> I'll suggest to return NULL directly here, and then the 'err_out'
>> tag can be removed as well.
> 
> I do not think so. Since devres_open_group() was called, need to call either
> devres_remove_group() or devres_release_group().

Yes, you're right.

Thanks,
Kuai

> 
>>
>> Anyway, with or without the cleanup:
>> Reviewed-by: Yu Kuai <yukuai3@...wei.com>>
>> Thanks!
>>>    
>>>    	devres_add(dev, dr);
>>>    	dev_set_drvdata(dev, host);
>>>
>>
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ