From: Gaosheng Cui
Subject: [PATCH -next 1/2] kobject: fix memory leak in kset_register() due to uninitialized kset->kobj.ktype
Date: Wed, 25 Sep 2024 20:07:46 +0800
Message-ID: <20240925120747.1930709-2-cuigaosheng1@huawei.com>
In-Reply-To: <20240925120747.1930709-1-cuigaosheng1@huawei.com>

If a kset with uninitialized kset->kobj.ktype is registered,
kset_register() will return an error, and the kset.kobj.name allocated by
kobject_set_name() will be leaked.

To mitigate this, we free the name in kset_register() when an error is
encountered due to uninitialized kset->kobj.ktype.

Fixes: 4d0fe8c52bb3 ("kobject: Add sanity check for kset->kobj.ktype in kset_register()")
Signed-off-by: Gaosheng Cui
--- lib/kobject.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/kobject.c b/lib/kobject.c index 72fa20f405f1..ecca72622933 100644 --- a/lib/kobject.c +++ b/lib/kobject.c
@@ -862,6 +862,8 @@ int kset_register(struct kset *k) return -EINVAL; =20 if (!k->kobj.ktype) { + kfree_const(k->kobj.name); + k->kobj.name =3D NULL; pr_err("must have a ktype to be initialized properly!\n"); return -EINVAL; } --=20 2.25.1

From: Gaosheng Cui
Subject: [PATCH -next 2/2] kobject: fix memory leak when kobject_add_varg() returns error
Date: Wed, 25 Sep 2024 20:07:47 +0800
Message-ID: <20240925120747.1930709-3-cuigaosheng1@huawei.com>
In-Reply-To: <20240925120747.1930709-1-cuigaosheng1@huawei.com>

When injecting faults while loading a module, kobject_add_varg() may fail.
If it fails, the kset.kobj.name allocated by kobject_set_name_vargs() may
be leaked; the call trace is as follows:

unreferenced object 0xffff8884ef4fccc0 (size 32):
  comm "modprobe", pid 56721, jiffies 4304802933
  backtrace (crc 4b069391):
    [] kmemleak_alloc+0x4b/0x80
    [] __kmalloc_node_track_caller_noprof+0x3d4/0x510
    [] kstrdup+0x46/0x80
    [] kstrdup_const+0x6f/0x90
    [] kvasprintf_const+0x112/0x190
    [] kobject_set_name_vargs+0x5b/0x160
    [] kobject_init_and_add+0xc9/0x170
    [] sysfs_slab_add+0x188/0x230
    [] do_kmem_cache_create+0x4d4/0x5a0
    [] __kmem_cache_create_args+0x18d/0x310
    [] 0xffffffffc64a08b4
    [] 0xffffffffc64a005f
    [] do_one_initcall+0xb8/0x590
    [] do_init_module+0x256/0x7d0
    [] load_module+0x5953/0x7010
    [] init_module_from_file+0xea/0x140

To mitigate this, we need to check the return value of
kobject_add_internal, and free the name when an error is encountered.

Fixes: 244f6cee9a92 ("kobject: add kobject_add_ng function")
Signed-off-by: Gaosheng Cui --- lib/kobject.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/lib/kobject.c b/lib/kobject.c index ecca72622933..365e2ad12cba 100644 --- a/lib/kobject.c +++ b/lib/kobject.c @@ -371,7 +371,13 @@ static __printf(3, 0) int kobject_add_varg(struct kobj= ect *kobj, return retval; } kobj->parent =3D parent; - return kobject_add_internal(kobj); + retval =3D kobject_add_internal(kobj); + if (retval) { + kfree_const(kobj->name); + kobj->name =3D NULL; + } + + return retval; } =20 /** --=20 2.25.1
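
Review bot: The ownership change in the kset_register() hunk of patch 1/2 is undocumented: inside the "if (!k->kobj.ktype)" branch the function now frees and clears k->kobj.name, a string that, per the commit message, the caller allocated earlier with kobject_set_name(). Please add a short comment at "k->kobj.name = NULL;" saying why the pointer is cleared, and a sentence in the function's kernel-doc stating that the name is released on this failure, so callers know not to read or free k->kobj.name after kset_register() returns -EINVAL. As a style point, emitting the pr_err() first and doing the cleanup directly before "return -EINVAL;" would keep the diagnostic and the teardown visually separate.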
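
Review bot: Freeing kobj->name in the kobject_add_varg() hunk of patch 2/2 changes the failure contract for every caller of this helper, while the kmemleak trace in the commit message shows a single path, kobject_init_and_add() called from sysfs_slab_add(). A failed kobject_init_and_add() is expected to be followed by kobject_put(), which releases the name, so the commit message should explain why the leak is fixed here rather than in that caller, and should confirm that no release or debug path reads kobj->name after "kobj->name = NULL;" has run. If the change stays, a comment on the new "if (retval)" block stating that the name is cleared so a later kobject_put() does not free it twice would make the intent clear.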