| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250611141637.0000546b@huawei.com>
Date: Wed, 11 Jun 2025 14:16:37 +0100
From: Jonathan Cameron <Jonathan.Cameron@...wei.com>
To: Li Ming <ming.li@...omail.com>
CC: <dave@...olabs.net>, <dave.jiang@...el.com>, <alison.schofield@...el.com>,
<vishal.l.verma@...el.com>, <ira.weiny@...el.com>,
<dan.j.williams@...el.com>, <shiju.jose@...wei.com>,
<linux-cxl@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 1/1] cxl/edac: Fix potential memory leak issues
On Wed, 11 Jun 2025 11:35:42 +0800
Li Ming <ming.li@...omail.com> wrote:
> In cxl_store_rec_gen_media() and cxl_store_rec_dram(), use kmemdup() to
> duplicate a cxl gen_media/dram event to store the event in a xarray by
> xa_store(). The cxl gen_media/dram event allocated by kmemdup() should
> be freed in the case that the xa_store() fails.
>
> Fixes: 0b5ccb0de1e2 ("cxl/edac: Support for finding memory operation attributes from the current boot")
> Signed-off-by: Li Ming <ming.li@...omail.com>
Good fine but I'm not sure this is the best fix.
> ---
> base-commit: 87b42c114cdda76c8ad3002f2096699ad5146cb3 cxl/fixes
> ---
> drivers/cxl/core/edac.c | 10 ++++++----
> 1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/cxl/core/edac.c b/drivers/cxl/core/edac.c
> index 2cbc664e5d62..b4c5c23a45d4 100644
> --- a/drivers/cxl/core/edac.c
> +++ b/drivers/cxl/core/edac.c
> @@ -1086,13 +1086,13 @@ static void cxl_del_overflow_old_recs(struct xarray *rec_xarray)
> int cxl_store_rec_gen_media(struct cxl_memdev *cxlmd, union cxl_event *evt)
> {
> struct cxl_mem_err_rec *array_rec = cxlmd->err_rec_array;
> - struct cxl_event_gen_media *rec;
> void *old_rec;
>
> if (!IS_ENABLED(CONFIG_CXL_EDAC_MEM_REPAIR) || !array_rec)
> return 0;
>
> - rec = kmemdup(&evt->gen_media, sizeof(*rec), GFP_KERNEL);
> + struct cxl_event_gen_media *rec __free(kfree) =
> + kmemdup(&evt->gen_media, sizeof(*rec), GFP_KERNEL);
> if (!rec)
> return -ENOMEM;
>
> @@ -1106,6 +1106,7 @@ int cxl_store_rec_gen_media(struct cxl_memdev *cxlmd, union cxl_event *evt)
>
> cxl_del_expired_gmedia_recs(&array_rec->rec_gen_media, rec);
> cxl_del_overflow_old_recs(&array_rec->rec_gen_media);
> + retain_and_null_ptr(rec);
>
> return 0;
> }
> @@ -1114,13 +1115,13 @@ EXPORT_SYMBOL_NS_GPL(cxl_store_rec_gen_media, "CXL");
> int cxl_store_rec_dram(struct cxl_memdev *cxlmd, union cxl_event *evt)
> {
> struct cxl_mem_err_rec *array_rec = cxlmd->err_rec_array;
> - struct cxl_event_dram *rec;
> void *old_rec;
>
> if (!IS_ENABLED(CONFIG_CXL_EDAC_MEM_REPAIR) || !array_rec)
> return 0;
>
> - rec = kmemdup(&evt->dram, sizeof(*rec), GFP_KERNEL);
> + struct cxl_event_dram *rec __free(kfree) =
> + kmemdup(&evt->dram, sizeof(*rec), GFP_KERNEL);
> if (!rec)
> return -ENOMEM;
>
> @@ -1134,6 +1135,7 @@ int cxl_store_rec_dram(struct cxl_memdev *cxlmd, union cxl_event *evt)
>
> cxl_del_expired_dram_recs(&array_rec->rec_dram, rec);
> cxl_del_overflow_old_recs(&array_rec->rec_dram);
> + retain_and_null_ptr(rec);
I'd move this up to immediately after we hand it over to the xa successfully.
Actually I'm not sure this is a good use of __free given we have a single
error path to handle it in and have to manually release it in a different
call to where it is passed to the xa_store() function. Maybe better
to just kfree in the error path.
>
> return 0;
> }
Powered by blists - more mailing lists