diff options
| author | Kees Cook <keescook@chromium.org> | 2018-09-29 01:17:50 +0300 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2018-12-17 01:09:31 +0300 |
| commit | 1ed20af2554ce6f3b38f24f20a1667e6e6ebd961 (patch) | |
| tree | 5d5c8dfe89fdd715ea115b5b4093002c1fa7bc1a /fs/pstore | |
| parent | 699f809e73317a968576d73e0a0d6661cdedc09e (diff) | |
| download | linux-1ed20af2554ce6f3b38f24f20a1667e6e6ebd961.tar.xz | |
pstore/ram: Fix failure-path memory leak in ramoops_init
commit bac6f6cda206ad7cbe0c73c35e494377ce9c4749 upstream.
As reported by nixiaoming, with some minor clarifications:
1) memory leak in ramoops_register_dummy():
dummy_data = kzalloc(sizeof(*dummy_data), GFP_KERNEL);
but no kfree() if platform_device_register_data() fails.
2) memory leak in ramoops_init():
Missing platform_device_unregister(dummy) and kfree(dummy_data)
if platform_driver_register(&ramoops_driver) fails.
I've clarified the purpose of ramoops_register_dummy(), and added a
common cleanup routine for all three failure paths to call.
Reported-by: nixiaoming <nixiaoming@huawei.com>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: Colin Cross <ccross@android.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'fs/pstore')
| -rw-r--r-- | fs/pstore/ram.c | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/fs/pstore/ram.c b/fs/pstore/ram.c index 5fa34243b1ae..a467edd1a363 100644 --- a/fs/pstore/ram.c +++ b/fs/pstore/ram.c @@ -557,8 +557,22 @@ static struct platform_driver ramoops_driver = { }, }; -static void ramoops_register_dummy(void) +static inline void ramoops_unregister_dummy(void) { + platform_device_unregister(dummy); + dummy = NULL; + + kfree(dummy_data); + dummy_data = NULL; +} + +static void __init ramoops_register_dummy(void) +{ + /* + * Prepare a dummy platform data structure to carry the module + * parameters. If mem_size isn't set, then there are no module + * parameters, and we can skip this. + */ if (!mem_size) return; @@ -588,21 +602,28 @@ static void ramoops_register_dummy(void) if (IS_ERR(dummy)) { pr_info("could not create platform device: %ld\n", PTR_ERR(dummy)); + dummy = NULL; + ramoops_unregister_dummy(); } } static int __init ramoops_init(void) { + int ret; + ramoops_register_dummy(); - return platform_driver_register(&ramoops_driver); + ret = platform_driver_register(&ramoops_driver); + if (ret != 0) + ramoops_unregister_dummy(); + + return ret; } postcore_initcall(ramoops_init); static void __exit ramoops_exit(void) { platform_driver_unregister(&ramoops_driver); - platform_device_unregister(dummy); - kfree(dummy_data); + ramoops_unregister_dummy(); } module_exit(ramoops_exit); |