Open Source and information security mailing list archives
 
Message-ID: <Z8nK3uFkspy61yjP@arm.com>
Date: Thu, 6 Mar 2025 16:18:38 +0000
From: Catalin Marinas <catalin.marinas@....com>
To: Cristian Marussi <cristian.marussi@....com>
Cc: Alice Ryhl <aliceryhl@...gle.com>, Sudeep Holla <sudeep.holla@....com>,
	linux-arm-kernel@...ts.infradead.org, arm-scmi@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [Bug report] Memory leak in scmi_device_create

On Thu, Mar 06, 2025 at 03:47:27PM +0000, Cristian Marussi wrote:
> On Thu, Mar 06, 2025 at 02:36:16PM +0000, Catalin Marinas wrote:
> > This loop in scmi_device_create() looks strange:
> > 
> > 	list_for_each_entry(rdev, phead, node) {
> > 		struct scmi_device *sdev;
> > 
> > 		sdev = __scmi_device_create(np, parent,
> > 					    rdev->id_table->protocol_id,
> > 					    rdev->id_table->name);
> > 		/* Report errors and carry on... */
> > 		if (sdev)
> > 			scmi_dev = sdev;
> > 		else
> > 			pr_err("(%s) Failed to create device for protocol 0x%x (%s)\n",
> > 			       of_node_full_name(parent->of_node),
> > 			       rdev->id_table->protocol_id,
> > 			       rdev->id_table->name);
> > 	}
> > 
> > We can override scmi_dev a few times in the loop and lose the previous
> > sdev allocations. Is this intended?
> 
> Yes...it is weird..but by design I would say :P ...
> 
> ...because this is called to instantiate one single device OR instantiate at
> once all the multiple devices needed for a protocol: in this latter case it
> returns just one of the created devices to signal success or NULL if all the
> devices' creation failed....we don't need to keep the allocated devices references
> anyway here since on success those devices are now referenced and kept on the
> SCMI bus, so they can be searched/scanned/destroyed from there.

Not sure why the pointer isn't found, device_add() should link it with
the parent. Unless something else fails, the parent is freed and the
linked devices unreachable. I'm not familiar at all with this code, I
just saw kmemleak and thought of replying.

The loop is still weird, scmi_chan_setup() seems to use the pointer to
scmi_device for something more meaningful than a pass/fail check. Also
the overall result is based only on what the last __scmi_device_create()
return value was, irrespective of the previous iterations of the loop.
You do have a pr_err() but no early bailing out of the loop on failure.
I'm curious if there are any SCMI errors in Alice's kernel log.

-- 
Catalin
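
Added example, not part of the original message and not kernel code: a user-space C model of the control flow of the quoted loop, recording which pointer the loop hands back and how many creations failed along the way. The names model_dev, model_create, model_loop, loop_result and the fail_mask parameter are hypothetical stand-ins, and the bus[] array is an assumption modelling the devices staying referenced on the SCMI bus.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEVS 8
struct model_dev { int index; };  /* hypothetical stand-in for struct scmi_device */
struct loop_result { int returned_index, created, failed; };  /* returned_index -1 = NULL */

/* Stand-in for __scmi_device_create(): request i fails if bit i of fail_mask is set. */
static struct model_dev *model_create(int i, unsigned fail_mask)
{
	struct model_dev *d = NULL;

	if (!(fail_mask & (1u << i)))
		d = malloc(sizeof(*d));
	if (d)
		d->index = i;
	return d;
}

/* Same control flow as the quoted loop: report failure, carry on, keep the last success. */
static struct loop_result model_loop(int n, unsigned fail_mask)
{
	struct model_dev *bus[MAX_DEVS] = { 0 };  /* assumption: created devices stay on the bus */
	struct model_dev *scmi_dev = NULL;
	struct loop_result r = { -1, 0, 0 };

	for (int i = 0; i < n && i < MAX_DEVS; i++) {
		struct model_dev *sdev = model_create(i, fail_mask);

		if (sdev) {
			scmi_dev = sdev;          /* overrides the pointer from earlier iterations */
			bus[r.created++] = sdev;
		} else {
			r.failed++;               /* the kernel loop only calls pr_err() here */
		}
	}
	if (scmi_dev)
		r.returned_index = scmi_dev->index;
	for (int i = 0; i < r.created; i++)
		free(bus[i]);                     /* model teardown only */
	return r;
}

int main(void)
{
	struct loop_result r = model_loop(3, 0x4);  /* constructed case: third creation fails */
	printf("returned=%d created=%d failed=%d\n", r.returned_index, r.created, r.failed);
	return 0;
}
```

In this model a caller that only checks the returned pointer for NULL sees the same outcome for a run with one failed creation as for a run with none.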
