Patchwork [1/1] mtd: mtdoops: fix for a potential memory leak in mtdoops_notify_remove

login
register
mail settings
Submitter Nilanjan Roychowdhury
Date Aug. 11, 2013, 8:11 p.m.
Message ID <1376251908-7451-1-git-send-email-nilanjan.roychowdhury@gmail.com>
Download mbox | patch
Permalink /patch/266397/
State New
Headers show

Comments

Nilanjan Roychowdhury - Aug. 11, 2013, 8:11 p.m.
we are allocating cxt->oops_page_used using vmalloc in mtdoops_notify_add for
every mtd_info addition but not freeing it in mtdoops_notify_remove

Signed-off-by: Nilanjan Roychowdhury <nilanjan.roychowdhury@gmail.com>
---
 drivers/mtd/mtdoops.c |    1 +
 1 file changed, 1 insertion(+)
Ezequiel Garcia - Aug. 12, 2013, 5:26 p.m.
On Sun, Aug 11, 2013 at 01:11:48PM -0700, Nilanjan Roychowdhury wrote:
> we are allocating cxt->oops_page_used using vmalloc in mtdoops_notify_add for
> every mtd_info addition but not freeing it in mtdoops_notify_remove
> 
> Signed-off-by: Nilanjan Roychowdhury <nilanjan.roychowdhury@gmail.com>
> ---
>  drivers/mtd/mtdoops.c |    1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
> index 97bb8f6..02f49aa 100644
> --- a/drivers/mtd/mtdoops.c
> +++ b/drivers/mtd/mtdoops.c
> @@ -386,6 +386,7 @@ static void mtdoops_notify_remove(struct mtd_info *mtd)
>  	cxt->mtd = NULL;
>  	flush_work(&cxt->work_erase);
>  	flush_work(&cxt->work_write);
> +	vfree(cxt->oops_page_used);
>  }
>  
> -- 
> 1.7.9.5
> 

Have you tested this patch doing an unregister/module remove cycle?

I'm not entirely sure, but I *think* you must also remove the
vfree(cxt->oops_page_used); at mtdoops_exit(). Otherwise,
you might call vfree() twice, the second time on a garbage pointer.

The reason for this is that the unregister_mtd_user(&mtdoops_notifier);
call in mtdoops_exit() will call the .remove callback (causing the first
vfree() with this patch) and then call vfree() for the second time, explicitly.
Nilanjan Roychowdhury - Aug. 13, 2013, 4:11 a.m.
On Mon, Aug 12, 2013 at 10:56 PM, Ezequiel Garcia
<ezequiel.garcia@free-electrons.com> wrote:
>
> On Sun, Aug 11, 2013 at 01:11:48PM -0700, Nilanjan Roychowdhury wrote:
> > we are allocating cxt->oops_page_used using vmalloc in mtdoops_notify_add for
> > every mtd_info addition but not freeing it in mtdoops_notify_remove
> >
> > Signed-off-by: Nilanjan Roychowdhury <nilanjan.roychowdhury@gmail.com>
> > ---
> >  drivers/mtd/mtdoops.c |    1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
> > index 97bb8f6..02f49aa 100644
> > --- a/drivers/mtd/mtdoops.c
> > +++ b/drivers/mtd/mtdoops.c
> > @@ -386,6 +386,7 @@ static void mtdoops_notify_remove(struct mtd_info *mtd)
> >       cxt->mtd = NULL;
> >       flush_work(&cxt->work_erase);
> >       flush_work(&cxt->work_write);
> > +     vfree(cxt->oops_page_used);
> >  }
> >
> > --
> > 1.7.9.5
> >
>
> Have you tested this patch doing an unregister/module remove cycle?
>
> I'm not entirely sure, but I *think* you must also remove the
> vfree(cxt->oops_page_used); at mtdoops_exit(). Otherwise,
> you might call vfree() twice, the second time on a garbage pointer.
>
> The reason for this is that the unregister_mtd_user(&mtdoops_notifier);
> call in mtdoops_exit() will call the .remove callback (causing the first
> vfree() with this patch) and then call vfree() for the second time, explicitly.
> --
> Ezequiel GarcĂ­a, Free Electrons
> Embedded Linux, Kernel and Android Engineering
> http://free-electrons.com
i did not do a module remove. I agree with your observation. I will
resubmit the patch.

Patch

diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c
index 97bb8f6..02f49aa 100644
--- a/drivers/mtd/mtdoops.c
+++ b/drivers/mtd/mtdoops.c
@@ -386,6 +386,7 @@  static void mtdoops_notify_remove(struct mtd_info *mtd)
 	cxt->mtd = NULL;
 	flush_work(&cxt->work_erase);
 	flush_work(&cxt->work_write);
+	vfree(cxt->oops_page_used);
 }