[PATCH] block: rnbd-clt: Fix leaked ID in init_dev()

Thomas Fourier posted 1 patch 1 day, 20 hours ago
There is a newer version of this series
drivers/block/rnbd/rnbd-clt.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH] block: rnbd-clt: Fix leaked ID in init_dev()
Posted by Thomas Fourier 1 day, 20 hours ago
If kstrdup() fails in init_dev(), then the newly allocated ID is lost.

Fixes: 64e8a6ece1a5 ("block/rnbd-clt: Dynamically alloc buffer for pathname & blk_symlink_name")
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
---
 drivers/block/rnbd/rnbd-clt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c
index f1409e54010a..d33698eb428d 100644
--- a/drivers/block/rnbd/rnbd-clt.c
+++ b/drivers/block/rnbd/rnbd-clt.c
@@ -1434,7 +1434,7 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
 	dev->pathname = kstrdup(pathname, GFP_KERNEL);
 	if (!dev->pathname) {
 		ret = -ENOMEM;
-		goto out_queues;
+		goto out_ida;
 	}
 
 	dev->clt_device_id	= ret;
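Review bot: In the kstrdup() failure branch, `ret = -ENOMEM;` runs before `goto out_ida;`, so when the new label is reached ret no longer holds the ID that the next line, `dev->clt_device_id = ret;`, shows it carried. Move that assignment above the kstrdup() call, or keep the ID in a separate local, so the error path still has the ID to release.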
@@ -1453,6 +1453,8 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
 
 	return dev;
 
+out_ida:
+	ida_free(&index_ida, ret);
 out_queues:
 	kfree(dev->hw_queues);
 out_alloc:
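Review bot: `ida_free(&index_ida, ret);` under out_ida is passed ret, but the only jump to this label sets ret to -ENOMEM first, so the call receives a negative errno instead of the allocated ID and the ID is not released. Free the saved value instead, for example `ida_free(&index_ida, dev->clt_device_id);`, once clt_device_id is assigned before the kstrdup() call.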
-- 
2.43.0
Re: [PATCH] block: rnbd-clt: Fix leaked ID in init_dev()
Posted by Christophe JAILLET 1 day, 19 hours ago
On 16/12/2025 at 18:22, Thomas Fourier wrote:
> If kstrdup() fails in init_dev(), then the newly allocated ID is lost.
> 
> Fixes: 64e8a6ece1a5 ("block/rnbd-clt: Dynamically alloc buffer for pathname & blk_symlink_name")
> Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
> ---
>   drivers/block/rnbd/rnbd-clt.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/rnbd/rnbd-clt.c b/drivers/block/rnbd/rnbd-clt.c
> index f1409e54010a..d33698eb428d 100644
> --- a/drivers/block/rnbd/rnbd-clt.c
> +++ b/drivers/block/rnbd/rnbd-clt.c
> @@ -1434,7 +1434,7 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
>   	dev->pathname = kstrdup(pathname, GFP_KERNEL);
>   	if (!dev->pathname) {
>   		ret = -ENOMEM;

                  ^_______ here

> -		goto out_queues;
> +		goto out_ida;
>   	}
>   
>   	dev->clt_device_id	= ret;
> @@ -1453,6 +1453,8 @@ static struct rnbd_clt_dev *init_dev(struct rnbd_clt_session *sess,
>   
>   	return dev;
>   
> +out_ida:
> +	ida_free(&index_ida, ret);

This does not work.
'ret' is being re-assigned to -ENOMEM before going there.


But there is definitely a bug to be fixed.
Maybe by assigning clt_device_id earlier and using it in the error 
handling path?

CJ

>   out_queues:
>   	kfree(dev->hw_queues);
>   out_alloc: