| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aWvnloUA2smmmi9v@tzungbi-laptop>
Date: Sun, 18 Jan 2026 03:48:38 +0800
From: Tzung-Bi Shih <tzungbi@...nel.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: "James E.J. Bottomley" <James.Bottomley@...senpartnership.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] scsi: core: Correct wrong kfree() usage for `kobj->name`
On Fri, Jan 16, 2026 at 11:50:15AM +0100, Greg KH wrote:
> On Fri, Jan 16, 2026 at 09:37:07AM +0000, Tzung-Bi Shih wrote:
> > On Fri, Jan 16, 2026 at 10:00:11AM +0100, Greg KH wrote:
> > > On Fri, Jan 16, 2026 at 08:13:59AM +0000, Tzung-Bi Shih wrote:
> > > > `kobj->name` should be freed by kfree_const()[1][2]. Correct it.
> > > >
> > > > [1] https://elixir.bootlin.com/linux/v6.18/source/lib/kasprintf.c#L41
> > > > [2] https://elixir.bootlin.com/linux/v6.18/source/lib/kobject.c#L695
> > > >
> > > > Cc: stable@...r.kernel.org
> > > > Fixes: b49493f99690 ("Fix a memory leak in scsi_host_dev_release()")
> > > > Signed-off-by: Tzung-Bi Shih <tzungbi@...nel.org>
> > > > ---
> > > > drivers/scsi/hosts.c | 2 +-
> > > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> > > > index e047747d4ecf..50ec782cf9f4 100644
> > > > --- a/drivers/scsi/hosts.c
> > > > +++ b/drivers/scsi/hosts.c
> > > > @@ -373,7 +373,7 @@ static void scsi_host_dev_release(struct device *dev)
> > > > * name as well as the proc dir structure are leaked.
> > > > */
> > > > scsi_proc_hostdir_rm(shost->hostt);
> > > > - kfree(dev_name(&shost->shost_dev));
> > > > + kfree_const(dev_name(&shost->shost_dev));
> > >
> > > Shouldn't the struct device name be freed by the driver core for this
> > > device when it goes out of scope? Why is it being manually freed here
> > > at all?
> >
> > Ah, correct. I think the following patch is what it really needs:
> >
> > diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
> > index 1b3fbd328277..e3362f445f93 100644
> > --- a/drivers/scsi/hosts.c
> > +++ b/drivers/scsi/hosts.c
> > @@ -373,7 +373,6 @@ static void scsi_host_dev_release(struct device *dev)
> > * name as well as the proc dir structure are leaked.
> > */
> > scsi_proc_hostdir_rm(shost->hostt);
> > - kfree(dev_name(&shost->shost_dev));
> > }
> >
> > kfree(shost->shost_data);
> > @@ -548,11 +547,7 @@ struct Scsi_Host *scsi_host_alloc(const struct scsi_host_template *sht, int priv
> > goto fail;
> > return shost;
> > fail:
> > - /*
> > - * Host state is still SHOST_CREATED and that is enough to release
> > - * ->shost_gendev. scsi_host_dev_release() will free
> > - * dev_name(&shost->shost_dev).
> > - */
> > + put_device(&shost->shost_dev);
> > put_device(&shost->shost_gendev);
> >
> > return NULL;
The patch doesn't work well. It can cause an underflow on the reference
count of `&shost->shost_gendev`. [3] is a more appropriate fix.
> Can you test this to verify that the leak you were seeing is actually
> now handled?
To clarify, the patch wasn't motivated by the leak. But I can reproduce
the leak by reverting b49493f99690, manual fault injection, rebinding the
driver, and kmemleak. [3] is tested by the scenario.
[3] https://lore.kernel.org/all/20260117193221.152540-1-tzungbi@kernel.org/
Powered by blists - more mailing lists