diff options
author | Yang Yingliang <yangyingliang@huawei.com> | 2022-10-27 17:19:18 +0800 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2022-10-27 07:15:30 -0600 |
commit | 7f21735ffb2648a29e0fc79c4bdcb1b9ed8602cd (patch) | |
tree | 9cb9270862f9132ddd7eb88ddfe3f0a5963963c7 /drivers/block/rbd.c | |
parent | 02341a08c9dec5a88527981b0bdf0fb6f7499cbf (diff) | |
download | lwn-7f21735ffb2648a29e0fc79c4bdcb1b9ed8602cd.tar.gz lwn-7f21735ffb2648a29e0fc79c4bdcb1b9ed8602cd.zip |
rbd: fix possible memory leak in rbd_sysfs_init()
If device_register() returns error in rbd_sysfs_init(), name of kobject
which is allocated in dev_set_name() called in device_add() is leaked.
As comment of device_add() says, it should call put_device() to drop
the reference count that was set in device_initialize() when it fails,
so the name can be freed in kobject_cleanup().
Fault injection test can trigger this problem:
unreferenced object 0xffff88810173aa78 (size 8):
comm "modprobe", pid 247, jiffies 4294714278 (age 31.789s)
hex dump (first 8 bytes):
72 62 64 00 81 88 ff ff rbd.....
backtrace:
[<00000000f58fae56>] __kmalloc_node_track_caller+0x44/0x1b0
[<00000000bdd44fe7>] kstrdup+0x3a/0x70
[<00000000f7844d0b>] kstrdup_const+0x63/0x80
[<000000001b0a0eeb>] kvasprintf_const+0x10b/0x190
[<00000000a47bd894>] kobject_set_name_vargs+0x56/0x150
[<00000000d5edbf18>] dev_set_name+0xab/0xe0
[<00000000f5153e80>] device_add+0x106/0x1f20
Fixes: dfc5606dc513 ("rbd: replace the rbd sysfs interface")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Alex Elder <elder@linaro.org>
Link: https://lore.kernel.org/r/20221027091918.2294132-1-yangyingliang@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'drivers/block/rbd.c')
-rw-r--r-- | drivers/block/rbd.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index f9e39301c4af..04453f4a319c 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -7222,8 +7222,10 @@ static int __init rbd_sysfs_init(void) int ret; ret = device_register(&rbd_root_dev); - if (ret < 0) + if (ret < 0) { + put_device(&rbd_root_dev); return ret; + } ret = bus_register(&rbd_bus_type); if (ret < 0) |