| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <755695.1758728366@warthog.procyon.org.uk>
Date: Wed, 24 Sep 2025 16:39:26 +0100
From: David Howells <dhowells@...hat.com>
To: Max Kellermann <max.kellermann@...os.com>
Cc: dhowells@...hat.com, Paulo Alcantara <pc@...guebit.org>,
Christian Brauner <brauner@...nel.org>, netfs@...ts.linux.dev,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-stable@...r.kernel.org
Subject: Re: [PATCH] fs/netfs: fix reference leak
David Howells <dhowells@...hat.com> wrote:
> > ... and frees the allocation (without the "call_rcu" indirection).
>
> Unfortunately, this isn't good. The request has already been added to the
> proc list and is removed in netfs_deinit_request() by netfs_proc_del_rreq() -
> but that means that someone reading /proc/fs/netfs/requests can be looking at
> it as you free it.
>
> You still need the call_rcu() - or you have to call synchronize_rcu().
>
> I can change netfs_put_failed_request() to do the call_rcu() rather than
> mempool_free()/netfs_stat_d().
How about:
/*
* Free a request (synchronously) that was just allocated but has failed before
* it could be submitted.
*/
void netfs_put_failed_request(struct netfs_io_request *rreq)
{
int r;
/* New requests have two references (see netfs_alloc_request(), and
* this function is only allowed on new request objects
*/
if (!__refcount_sub_and_test(2, &rreq->ref, &r))
WARN_ON_ONCE(1);
trace_netfs_rreq_ref(rreq->debug_id, r, netfs_rreq_trace_put_failed);
netfs_free_request(&rreq->cleanup_work);
}
David
Powered by blists - more mailing lists