Message-ID: <4d7c06fe-9905-4872-8e78-08c7423dd1cb@wanadoo.fr>
Date: Tue, 16 Dec 2025 19:02:16 +0100
From: Christophe JAILLET <christophe.jaillet@...adoo.fr>
To: Thomas Fourier <fourier.thomas@...il.com>
Cc: "Md. Haris Iqbal" <haris.iqbal@...os.com>,
 Jack Wang <jinpu.wang@...os.com>, Jens Axboe <axboe@...nel.dk>,
 Lutz Pogrell <lutz.pogrell@...ud.ionos.com>,
 Md Haris Iqbal <haris.iqbal@...ud.ionos.com>, linux-block@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH] block: rnbd-clt: Fix leaked ID in init_dev()

On 16/12/2025 at 18:22, Thomas Fourier wrote:
> If kstrdup() fails in init_dev(), then the newly allocated ID is lost.
> 
> Fixes: 64e8a6ece1a5 ("block/rnbd-clt: Dynamically alloc buffer for pathname & blk_symlink_name")
> Signed-off-by: Thomas Fourier <fourier.thomas@...il.com>
> ---
>   drivers/block/rnbd/rnbd-clt.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c
> index f1409e54010a..d33698eb428d 100644
> --- a/drivers/block/rnbd/rnbd-clt.c
> +++ b/drivers/block/rnbd/rnbd-clt.c
> @@ -1434,7 +1434,7 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
>   	dev->pathname = kstrdup(pathname, GFP_KERNEL);
>   	if (!dev->pathname) {
>   		ret = -ENOMEM;

                  ^_______ here

> -		goto out_queues;
> +		goto out_ida;
>   	}
>   
>   	dev->clt_device_id	= ret;
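Review bot: `ret = -ENOMEM;` in the kstrdup() failure branch runs before the new `goto out_ida`, so ret no longer holds the ID when the label is reached (the context line `dev->clt_device_id = ret;` shows that ret carried the ID up to this point). Either move `dev->clt_device_id = ret;` above the kstrdup() call and use that field in the error path, or keep the ID in its own local variable and reserve ret for error codes.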
> @@ -1453,6 +1453,8 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
>   
>   	return dev;
>   
> +out_ida:
> +	ida_free(&index_ida, ret);

This does not work.
'ret' is being re-assigned to -ENOMEM before going there.


But there is definitely a bug to be fixed.
Maybe by assigning clt_device_id earlier and using it in the error 
handling path?

CJ

>   out_queues:
>   	kfree(dev->hw_queues);
>   out_alloc:
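Review bot: `ida_free(&index_ida, ret);` under `out_ida:` releases whatever ret holds at the jump, and the only `goto out_ida` in this patch sets ret to -ENOMEM first, so the allocated ID is still not returned to index_ida. Pass the saved ID instead, for example `ida_free(&index_ida, dev->clt_device_id);` once that field is assigned before the allocation that can fail, and leave ret as the error code. Placing the label directly above `out_queues:` so that it falls through keeps the existing unwind order.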

