diff mbox series

[v3,1/5] ext4: fix memory leak in parse_apply_sb_mount_options()

Message ID 20220513231605.175121-2-ebiggers@kernel.org
State Awaiting Upstream
Headers show
Series test_dummy_encryption fixes and cleanups | expand

Commit Message

Eric Biggers May 13, 2022, 11:16 p.m. UTC 
From: Eric Biggers <ebiggers@google.com>

If processing the on-disk mount options fails after any memory was
allocated in the ext4_fs_context, e.g. s_qf_names, then this memory is
leaked.  Fix this by calling ext4_fc_free() instead of kfree() directly.

Reproducer:

    mkfs.ext4 -F /dev/vdc
    tune2fs /dev/vdc -E mount_opts=usrjquota=file
    echo clear > /sys/kernel/debug/kmemleak
    mount /dev/vdc /vdc
    echo scan > /sys/kernel/debug/kmemleak
    sleep 5
    echo scan > /sys/kernel/debug/kmemleak
    cat /sys/kernel/debug/kmemleak

Fixes: 7edfd85b1ffd ("ext4: Completely separate options parsing and sb setup")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/ext4/super.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

Comments

Ritesh Harjani (IBM) May 14, 2022, 12:09 p.m. UTC | #1 
On 22/05/13 04:16PM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> If processing the on-disk mount options fails after any memory was
> allocated in the ext4_fs_context, e.g. s_qf_names, then this memory is
> leaked.  Fix this by calling ext4_fc_free() instead of kfree() directly.

Thanks for splitting the patch. It becomes an easy backport.

>
> Reproducer:
>
>     mkfs.ext4 -F /dev/vdc
>     tune2fs /dev/vdc -E mount_opts=usrjquota=file
>     echo clear > /sys/kernel/debug/kmemleak
>     mount /dev/vdc /vdc
>     echo scan > /sys/kernel/debug/kmemleak
>     sleep 5
>     echo scan > /sys/kernel/debug/kmemleak
>     cat /sys/kernel/debug/kmemleak

Tested this and as you mentioned this patch fixes the memory leak with
s_qf_names in note_qf_name().

tune2fs 1.46.5 (30-Dec-2021)
Setting extended default mount options to 'usrjquota=file'
unreferenced object 0xffff8881126b9a50 (size 8):
  comm "mount", pid 1475, jiffies 4294829180 (age 48.670s)
  hex dump (first 8 bytes):
    66 69 6c 65 00 6b 6b a5                          file.kk.
  backtrace:
    [<ffffffff8153b09d>] __kmalloc_track_caller+0x17d/0x2f0
    [<ffffffff8149b7e8>] kmemdup_nul+0x28/0x70
    [<ffffffff81753a75>] note_qf_name.isra.0+0x95/0x180
    [<ffffffff817548a8>] ext4_parse_param+0xd48/0x11c0
    [<ffffffff8175a131>] ext4_fill_super+0x1cc1/0x6260
    [<ffffffff8155edce>] get_tree_bdev+0x24e/0x3a0
    [<ffffffff81740355>] ext4_get_tree+0x15/0x20
    [<ffffffff8155d3a2>] vfs_get_tree+0x52/0x140
    [<ffffffff815a2048>] path_mount+0x3f8/0xf30
    [<ffffffff815a2c52>] do_mount+0xd2/0xf0
    [<ffffffff815a2e4a>] __x64_sys_mount+0xca/0x110
    [<ffffffff82e6674b>] do_syscall_64+0x3b/0x90
    [<ffffffff8300007c>] entry_SYSCALL_64_after_hwframe+0x44/0xae


Feel free to add by -

Tested-by: Ritesh Harjani <ritesh.list@gmail.com>

-ritesh

>
> Fixes: 7edfd85b1ffd ("ext4: Completely separate options parsing and sb setup")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/ext4/super.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 1466fbdbc8e34..60fa2f2623e07 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -2625,8 +2625,10 @@ static int parse_apply_sb_mount_options(struct super_block *sb,
>  	ret = ext4_apply_options(fc, sb);
>
>  out_free:
> -	kfree(s_ctx);
> -	kfree(fc);
> +	if (fc) {
> +		ext4_fc_free(fc);
> +		kfree(fc);
> +	}
>  	kfree(s_mount_opts);
>  	return ret;
>  }
> --
> 2.36.1
>
>
>
> _______________________________________________
> Linux-f2fs-devel mailing list
> Linux-f2fs-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
Theodore Ts'o May 19, 2022, 2:10 a.m. UTC | #2 
On Fri, May 13, 2022 at 04:16:01PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> If processing the on-disk mount options fails after any memory was
> allocated in the ext4_fs_context, e.g. s_qf_names, then this memory is
> leaked.  Fix this by calling ext4_fc_free() instead of kfree() directly.
> 
> Reproducer:
> 
>     mkfs.ext4 -F /dev/vdc
>     tune2fs /dev/vdc -E mount_opts=usrjquota=file
>     echo clear > /sys/kernel/debug/kmemleak
>     mount /dev/vdc /vdc
>     echo scan > /sys/kernel/debug/kmemleak
>     sleep 5
>     echo scan > /sys/kernel/debug/kmemleak
>     cat /sys/kernel/debug/kmemleak
> 
> Fixes: 7edfd85b1ffd ("ext4: Completely separate options parsing and sb setup")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Thanks, applied.

					- Ted
diff mbox series

Patch

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 1466fbdbc8e34..60fa2f2623e07 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2625,8 +2625,10 @@  static int parse_apply_sb_mount_options(struct super_block *sb,
 	ret = ext4_apply_options(fc, sb);
 
 out_free:
-	kfree(s_ctx);
-	kfree(fc);
+	if (fc) {
+		ext4_fc_free(fc);
+		kfree(fc);
+	}
 	kfree(s_mount_opts);
 	return ret;
 }