Message ID | 20180221124707.26308-2-embedded24@evers-fischer.de |
---|---|
State | Superseded |
Headers | show |
Series | pci: endpoint: Fix double free in pci_epf_create() | expand |
On Wed, Feb 21, 2018 at 2:47 PM, Rolf Evers-Fischer <embedded24@evers-fischer.de> wrote: > This commit decreases the number of jump labels and ensures > that the next commit doesn't increase the number of occurrences > of 'kfree(func_name)'. > Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 First of all, this shouldn't be here. > Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> Looks like bipolar disorder? To the topic. This is a slow path and your change makes code slightly less readable b/c of patterns used in the kernel.
On Wed, 21 Feb 2018, Andy Shevchenko wrote: > > Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 > > First of all, this shouldn't be here. > Please excuse me. I know that I have to remove this, but unfortunately I forgot to do so (here and also in the other patch). > > Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > > Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> > > Looks like bipolar disorder? > You are right: One "Signed-off" should be enough. > To the topic. > This is a slow path and your change makes code slightly less readable > b/c of patterns used in the kernel. > I see. It is probably not a good idea to free the memory in the middle of the function. If you don't mind, I will remove this patch and change the other one accordingly. With best regards, Rolf Evers-Fischer
On Thu, Feb 22, 2018 at 6:21 PM, Rolf Evers-Fischer <embedded24@evers-fischer.de> wrote: > On Wed, 21 Feb 2018, Andy Shevchenko wrote: >> This is a slow path and your change makes code slightly less readable >> b/c of patterns used in the kernel. >> > I see. It is probably not a good idea to free the > memory in the middle of the function. > If you don't mind, I will remove this patch and change the other > one accordingly. Sounds good to me!
On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: > From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > > This commit decreases the number of jump labels and ensures > that the next commit doesn't increase the number of occurrences > of 'kfree(func_name)'. > > Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 > Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> > --- > drivers/pci/endpoint/pci-epf-core.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > > diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c > index 766ce1dca2ec..23d0e128d1a5 100644 > --- a/drivers/pci/endpoint/pci-epf-core.c > +++ b/drivers/pci/endpoint/pci-epf-core.c > @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) > *buf = '\0'; > > epf->name = kstrdup(func_name, GFP_KERNEL); > + kfree(func_name); I am certainly missing something but what if we reworked the code and just: kstrdup(name, GFP_KERNEL); once instead of allocating another local copy (that we then have to free) ? Reworded: why epf->name = func_name; would not work ? Thanks, Lorenzo > if (!epf->name) { > ret = -ENOMEM; > - goto free_func_name; > + goto free_epf; > } > > dev = &epf->dev; > @@ -238,16 +239,12 @@ struct pci_epf *pci_epf_create(const char *name) > if (ret) > goto put_dev; > > - kfree(func_name); > return epf; > > put_dev: > put_device(dev); > kfree(epf->name); > > -free_func_name: > - kfree(func_name); > - > free_epf: > kfree(epf); > > -- > 2.16.2 >
Hi Lorenzo, On Thursday 22 February 2018 11:49 PM, Lorenzo Pieralisi wrote: > On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: >> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> >> >> This commit decreases the number of jump labels and ensures >> that the next commit doesn't increase the number of occurrences >> of 'kfree(func_name)'. >> >> Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 >> Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> >> Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> >> --- >> drivers/pci/endpoint/pci-epf-core.c | 7 ++----- >> 1 file changed, 2 insertions(+), 5 deletions(-) >> >> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c >> index 766ce1dca2ec..23d0e128d1a5 100644 >> --- a/drivers/pci/endpoint/pci-epf-core.c >> +++ b/drivers/pci/endpoint/pci-epf-core.c >> @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) >> *buf = '\0'; >> >> epf->name = kstrdup(func_name, GFP_KERNEL); >> + kfree(func_name); > > I am certainly missing something but what if we reworked the code > and just: > > kstrdup(name, GFP_KERNEL); > > once instead of allocating another local copy (that we then have to > free) ? name will be something like pci_epf_test.0 and in epf->name we want to just have pci_epf_test. > > Reworded: why > > epf->name = func_name; memory should be allocated for epf->name before it can be initialized. IMO without kstrdup, there will be a null pointer exception. Thanks Kishon
On Fri, Feb 23, 2018 at 11:40:49AM +0530, Kishon Vijay Abraham I wrote: > Hi Lorenzo, > > On Thursday 22 February 2018 11:49 PM, Lorenzo Pieralisi wrote: > > On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: > >> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > >> > >> This commit decreases the number of jump labels and ensures > >> that the next commit doesn't increase the number of occurrences > >> of 'kfree(func_name)'. > >> > >> Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 > >> Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > >> Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> > >> --- > >> drivers/pci/endpoint/pci-epf-core.c | 7 ++----- > >> 1 file changed, 2 insertions(+), 5 deletions(-) > >> > >> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c > >> index 766ce1dca2ec..23d0e128d1a5 100644 > >> --- a/drivers/pci/endpoint/pci-epf-core.c > >> +++ b/drivers/pci/endpoint/pci-epf-core.c > >> @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) > >> *buf = '\0'; > >> > >> epf->name = kstrdup(func_name, GFP_KERNEL); > >> + kfree(func_name); > > > > I am certainly missing something but what if we reworked the code > > and just: > > > > kstrdup(name, GFP_KERNEL); > > > > once instead of allocating another local copy (that we then have to > > free) ? > > name will be something like pci_epf_test.0 and in epf->name we want to just > have pci_epf_test. > > > > Reworded: why > > > > epf->name = func_name; > > memory should be allocated for epf->name before it can be initialized. IMO > without kstrdup, there will be a null pointer exception. I understand that but the point is that func_name *was* allocated with kstrdup() already I would like to understand why we need to do it twice (and kfree the first allocation). Lorenzo
On Friday 23 February 2018 03:06 PM, Lorenzo Pieralisi wrote: > On Fri, Feb 23, 2018 at 11:40:49AM +0530, Kishon Vijay Abraham I wrote: >> Hi Lorenzo, >> >> On Thursday 22 February 2018 11:49 PM, Lorenzo Pieralisi wrote: >>> On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: >>>> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> >>>> >>>> This commit decreases the number of jump labels and ensures >>>> that the next commit doesn't increase the number of occurrences >>>> of 'kfree(func_name)'. >>>> >>>> Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 >>>> Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> >>>> Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> >>>> --- >>>> drivers/pci/endpoint/pci-epf-core.c | 7 ++----- >>>> 1 file changed, 2 insertions(+), 5 deletions(-) >>>> >>>> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c >>>> index 766ce1dca2ec..23d0e128d1a5 100644 >>>> --- a/drivers/pci/endpoint/pci-epf-core.c >>>> +++ b/drivers/pci/endpoint/pci-epf-core.c >>>> @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) >>>> *buf = '\0'; >>>> >>>> epf->name = kstrdup(func_name, GFP_KERNEL); >>>> + kfree(func_name); >>> >>> I am certainly missing something but what if we reworked the code >>> and just: >>> >>> kstrdup(name, GFP_KERNEL); >>> >>> once instead of allocating another local copy (that we then have to >>> free) ? >> >> name will be something like pci_epf_test.0 and in epf->name we want to just >> have pci_epf_test. >>> >>> Reworded: why >>> >>> epf->name = func_name; >> >> memory should be allocated for epf->name before it can be initialized. IMO >> without kstrdup, there will be a null pointer exception. > > I understand that but the point is that func_name *was* allocated with > kstrdup() already I would like to understand why we need to do it twice > (and kfree the first allocation). func_name would be allocated for a size greater than what will be in epf->name. It won't be significant though. Thanks Kishon
Hi Kishon, On Fri, 23 Feb 2018, Kishon Vijay Abraham I wrote: > On Friday 23 February 2018 03:06 PM, Lorenzo Pieralisi wrote: > > On Fri, Feb 23, 2018 at 11:40:49AM +0530, Kishon Vijay Abraham I wrote: > >> Hi Lorenzo, > >> > >> On Thursday 22 February 2018 11:49 PM, Lorenzo Pieralisi wrote: > >>> On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: > >>>> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > >>>> > >>>> This commit decreases the number of jump labels and ensures > >>>> that the next commit doesn't increase the number of occurrences > >>>> of 'kfree(func_name)'. > >>>> > >>>> Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 > >>>> Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > >>>> Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> > >>>> --- > >>>> drivers/pci/endpoint/pci-epf-core.c | 7 ++----- > >>>> 1 file changed, 2 insertions(+), 5 deletions(-) > >>>> > >>>> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c > >>>> index 766ce1dca2ec..23d0e128d1a5 100644 > >>>> --- a/drivers/pci/endpoint/pci-epf-core.c > >>>> +++ b/drivers/pci/endpoint/pci-epf-core.c > >>>> @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) > >>>> *buf = '\0'; > >>>> > >>>> epf->name = kstrdup(func_name, GFP_KERNEL); > >>>> + kfree(func_name); > >>> > >>> I am certainly missing something but what if we reworked the code > >>> and just: > >>> > >>> kstrdup(name, GFP_KERNEL); > >>> > >>> once instead of allocating another local copy (that we then have to > >>> free) ? > >> > >> name will be something like pci_epf_test.0 and in epf->name we want to just > >> have pci_epf_test. > >>> > >>> Reworded: why > >>> > >>> epf->name = func_name; > >> > >> memory should be allocated for epf->name before it can be initialized. IMO > >> without kstrdup, there will be a null pointer exception. > > > > I understand that but the point is that func_name *was* allocated with > > kstrdup() already I would like to understand why we need to do it twice > > (and kfree the first allocation). > > func_name would be allocated for a size greater than what will be in epf->name. > It won't be significant though. > > Thanks > Kishon > I have just an idea, how to use only one copy, but with the shorter length. What about changing the code like this? int len = strchrnul(name, '.') - name; epf->name = kstrndup(name, len, GFP_KERNEL); In this case we are only allocating the smaller amount of memory and we don't need the 'buf' and 'func_name' pointers anymore. They will be replaced with 'len' and some pointer arithmetic. Kind regards, Rolf
On Fri, Feb 23, 2018 at 06:38:42PM +0100, Rolf Evers-Fischer wrote: > Hi Kishon, > > On Fri, 23 Feb 2018, Kishon Vijay Abraham I wrote: > > On Friday 23 February 2018 03:06 PM, Lorenzo Pieralisi wrote: > > > On Fri, Feb 23, 2018 at 11:40:49AM +0530, Kishon Vijay Abraham I wrote: > > >> Hi Lorenzo, > > >> > > >> On Thursday 22 February 2018 11:49 PM, Lorenzo Pieralisi wrote: > > >>> On Wed, Feb 21, 2018 at 01:47:06PM +0100, Rolf Evers-Fischer wrote: > > >>>> From: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > > >>>> > > >>>> This commit decreases the number of jump labels and ensures > > >>>> that the next commit doesn't increase the number of occurrences > > >>>> of 'kfree(func_name)'. > > >>>> > > >>>> Change-Id: I0d1b6fd652395b85f82b11c43bf9b7db512854d1 > > >>>> Signed-off-by: Rolf Evers-Fischer <rolf.evers.fischer@aptiv.com> > > >>>> Signed-off-by: Rolf Evers-Fischer <embedded24@evers-fischer.de> > > >>>> --- > > >>>> drivers/pci/endpoint/pci-epf-core.c | 7 ++----- > > >>>> 1 file changed, 2 insertions(+), 5 deletions(-) > > >>>> > > >>>> diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c > > >>>> index 766ce1dca2ec..23d0e128d1a5 100644 > > >>>> --- a/drivers/pci/endpoint/pci-epf-core.c > > >>>> +++ b/drivers/pci/endpoint/pci-epf-core.c > > >>>> @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) > > >>>> *buf = '\0'; > > >>>> > > >>>> epf->name = kstrdup(func_name, GFP_KERNEL); > > >>>> + kfree(func_name); > > >>> > > >>> I am certainly missing something but what if we reworked the code > > >>> and just: > > >>> > > >>> kstrdup(name, GFP_KERNEL); > > >>> > > >>> once instead of allocating another local copy (that we then have to > > >>> free) ? > > >> > > >> name will be something like pci_epf_test.0 and in epf->name we want to just > > >> have pci_epf_test. > > >>> > > >>> Reworded: why > > >>> > > >>> epf->name = func_name; > > >> > > >> memory should be allocated for epf->name before it can be initialized. IMO > > >> without kstrdup, there will be a null pointer exception. > > > > > > I understand that but the point is that func_name *was* allocated with > > > kstrdup() already I would like to understand why we need to do it twice > > > (and kfree the first allocation). > > > > func_name would be allocated for a size greater than what will be in epf->name. > > It won't be significant though. > > > > Thanks > > Kishon > > > I have just an idea, how to use only one copy, but with the shorter > length. What about changing the code like this? > int len = strchrnul(name, '.') - name; > epf->name = kstrndup(name, len, GFP_KERNEL); > > In this case we are only allocating the smaller amount of memory and we > don't need the 'buf' and 'func_name' pointers anymore. They will be > replaced with 'len' and some pointer arithmetic. Yes, something along those lines, I do not see the point of having to allocate two buffers (and actually this simplifies the error path too). Thanks, Lorenzo
diff --git a/drivers/pci/endpoint/pci-epf-core.c b/drivers/pci/endpoint/pci-epf-core.c index 766ce1dca2ec..23d0e128d1a5 100644 --- a/drivers/pci/endpoint/pci-epf-core.c +++ b/drivers/pci/endpoint/pci-epf-core.c @@ -220,9 +220,10 @@ struct pci_epf *pci_epf_create(const char *name) *buf = '\0'; epf->name = kstrdup(func_name, GFP_KERNEL); + kfree(func_name); if (!epf->name) { ret = -ENOMEM; - goto free_func_name; + goto free_epf; } dev = &epf->dev; @@ -238,16 +239,12 @@ struct pci_epf *pci_epf_create(const char *name) if (ret) goto put_dev; - kfree(func_name); return epf; put_dev: put_device(dev); kfree(epf->name); -free_func_name: - kfree(func_name); - free_epf: kfree(epf);