Message ID | 20190513033912.3436-3-tobin@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Series | Fix kobject error path memleaks |
On 13.05.19 г. 6:39 ч., Tobin C. Harding wrote: > A failed call to kobject_init_and_add() must be followed by a call to > kobject_put(). Currently in the error path when adding fs_devices we > are missing this call. This could be fixed by calling > btrfs_sysfs_remove_fsid() if btrfs_sysfs_add_fsid() returns an error or > by adding a call to kobject_put() directly in btrfs_sysfs_add_fsid(). > Here we choose the second option because it prevents the slightly > unusual error path handling requirements of kobject from leaking out > into btrfs functions. > > Add a call to kobject_put() in the error path of kobject_add_and_init(). > This causes the release method to be called if kobject_init_and_add() > fails. open_tree() is the function that calls btrfs_sysfs_add_fsid() > and the error code in this function is already written with the > assumption that the release method is called during the error path of > open_tree() (as seen by the call to btrfs_sysfs_remove_fsid() under the > fail_fsdev_sysfs label). I'm not familiar with the internals of kobject but btrfs_sysfs_remove_fsid calls __btrfs_sysfs_remove_fsid which in turn does kobject_del followed by kobject_put so its sequence is not exactly identical with your change. Presumably kobject_del is only required if you want to dispose of successfully registered sysfs node. This implies that __btrfs_sysfs_remove_fsid is actually broken when it comes to handling failed sysfs_add_fsid? > > Signed-off-by: Tobin C. Harding <tobin@kernel.org> > --- > fs/btrfs/sysfs.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c > index 5a5930e3d32b..2f078b77fe14 100644 > --- a/fs/btrfs/sysfs.c > +++ b/fs/btrfs/sysfs.c 
> @@ -825,7 +825,12 @@ int btrfs_sysfs_add_fsid(struct btrfs_fs_devices *fs_devs, > fs_devs->fsid_kobj.kset = btrfs_kset; > error = kobject_init_and_add(&fs_devs->fsid_kobj, > &btrfs_ktype, parent, "%pU", fs_devs->fsid); > - return error; > + if (error) { > + kobject_put(&fs_devs->fsid_kobj); > + return error; > + } > + > + return 0; > } > > int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info) >
On Mon, May 13, 2019 at 01:39:12PM +1000, Tobin C. Harding wrote: > A failed call to kobject_init_and_add() must be followed by a call to > kobject_put(). Currently in the error path when adding fs_devices we > are missing this call. This could be fixed by calling > btrfs_sysfs_remove_fsid() if btrfs_sysfs_add_fsid() returns an error or > by adding a call to kobject_put() directly in btrfs_sysfs_add_fsid(). > Here we choose the second option because it prevents the slightly > unusual error path handling requirements of kobject from leaking out > into btrfs functions. > > Add a call to kobject_put() in the error path of kobject_add_and_init(). > This causes the release method to be called if kobject_init_and_add() > fails. open_tree() is the function that calls btrfs_sysfs_add_fsid() > and the error code in this function is already written with the > assumption that the release method is called during the error path of > open_tree() (as seen by the call to btrfs_sysfs_remove_fsid() under the > fail_fsdev_sysfs label). > > Signed-off-by: Tobin C. Harding <tobin@kernel.org> > --- > fs/btrfs/sysfs.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c > index 5a5930e3d32b..2f078b77fe14 100644 > --- a/fs/btrfs/sysfs.c > +++ b/fs/btrfs/sysfs.c > @@ -825,7 +825,12 @@ int btrfs_sysfs_add_fsid(struct btrfs_fs_devices *fs_devs, > fs_devs->fsid_kobj.kset = btrfs_kset; > error = kobject_init_and_add(&fs_devs->fsid_kobj, > &btrfs_ktype, parent, "%pU", fs_devs->fsid); > - return error; > + if (error) { > + kobject_put(&fs_devs->fsid_kobj); > + return error; > + } > + > + return 0; > } > > int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info) Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On Mon, May 13, 2019 at 09:04:49AM +0300, Nikolay Borisov wrote:
>
>
> On 13.05.19 г. 6:39 ч., Tobin C. Harding wrote:
> > A failed call to kobject_init_and_add() must be followed by a call to
> > kobject_put(). Currently in the error path when adding fs_devices we
> > are missing this call. This could be fixed by calling
> > btrfs_sysfs_remove_fsid() if btrfs_sysfs_add_fsid() returns an error or
> > by adding a call to kobject_put() directly in btrfs_sysfs_add_fsid().
> > Here we choose the second option because it prevents the slightly
> > unusual error path handling requirements of kobject from leaking out
> > into btrfs functions.
> >
> > Add a call to kobject_put() in the error path of kobject_add_and_init().
> > This causes the release method to be called if kobject_init_and_add()
> > fails. open_tree() is the function that calls btrfs_sysfs_add_fsid()
> > and the error code in this function is already written with the
> > assumption that the release method is called during the error path of
> > open_tree() (as seen by the call to btrfs_sysfs_remove_fsid() under the
> > fail_fsdev_sysfs label).
>
> I'm not familiar with the internals of kobject but
> btrfs_sysfs_remove_fsid calls __btrfs_sysfs_remove_fsid which in turn
> does kobject_del followed by kobject_put so its sequence is not exactly
> identical with your change. Presumably kobject_del is only required if
> you want to dispose of successfully registered sysfs node. This implies
> that __btrfs_sysfs_remove_fsid is actually broken when it comes to
> handling failed sysfs_add_fsid?

kobject_del() is not technically required in __btrfs_sysfs_remove_fsid() since if kobject_put() drops the reference count to 0 and kobject_del() has not been called then the kobject infrastructure will call kobject_del() for us (and we get a pr_debug() message). The code sequence is correct although not _exactly_ written as the kobject authors intended (I am not one of those authors, I'm just learning).

Thanks for looking at this.

Tobin
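The reference rule discussed in this thread, as a small user-space C model: an added example, not code from the patch or from the kernel. The names struct kobj, model_put(), model_init_and_add() and add_fsid() are hypothetical stand-ins and -12 is a constructed error value; the model shows the object left unreleased when a failed add is not followed by a put, and a put on a still-added object performing the del itself.

```c
/* User-space model of the kobject reference rule; constructed, not kernel code. */
#include <stdio.h>

struct kobj {
    int refcount;  /* models the reference count */
    int in_sysfs;  /* set by a successful add, cleared by del */
    int released;  /* the release method has run */
    int auto_del;  /* put had to perform the del on our behalf */
};

/* Dropping the last reference runs release; del is implied if still added. */
static void model_put(struct kobj *k)
{
    if (--k->refcount > 0)
        return;
    if (k->in_sysfs) {
        k->auto_del = 1;
        k->in_sysfs = 0;
    }
    k->released = 1;
}

/* init takes the first reference even when the add step fails. */
static int model_init_and_add(struct kobj *k, int add_fails)
{
    *k = (struct kobj){ .refcount = 1 };
    if (add_fails)
        return -12;  /* constructed stand-in error value */
    k->in_sysfs = 1;
    return 0;
}

/* Same shape as btrfs_sysfs_add_fsid() before (patched=0) and after (patched=1). */
static int add_fsid(struct kobj *k, int add_fails, int patched)
{
    int error = model_init_and_add(k, add_fails);
    if (error && patched)
        model_put(k);
    return error;
}

int main(void)
{
    struct kobj a, b;
    add_fsid(&a, 1, 0);
    add_fsid(&b, 1, 1);
    printf("unpatched: released=%d  patched: released=%d\n", a.released, b.released);
    return 0;
}
```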
diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c index 5a5930e3d32b..2f078b77fe14 100644 --- a/fs/btrfs/sysfs.c +++ b/fs/btrfs/sysfs.c @@ -825,7 +825,12 @@ int btrfs_sysfs_add_fsid(struct btrfs_fs_devices *fs_devs, fs_devs->fsid_kobj.kset = btrfs_kset; error = kobject_init_and_add(&fs_devs->fsid_kobj, &btrfs_ktype, parent, "%pU", fs_devs->fsid); - return error; + if (error) { + kobject_put(&fs_devs->fsid_kobj); + return error; + } + + return 0; } int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info)
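Review bot: Confirm that a failed btrfs_sysfs_add_fsid() cannot also reach the fail_fsdev_sysfs label in open_tree(), because the kobject_put(&fs_devs->fsid_kobj) added in the if (error) branch would then be followed by the put that the replies say btrfs_sysfs_remove_fsid() performs. The changelog mentions that label but does not say which label the failure path jumps to, so stating it there would settle the question for readers of this hunk alone. Two smaller points: the changelog names kobject_add_and_init() in one place where the hunk calls kobject_init_and_add(), and the branch could be written as "if (error) kobject_put(&fs_devs->fsid_kobj);" ahead of the existing "return error;", which avoids replacing the return statement.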
A failed call to kobject_init_and_add() must be followed by a call to kobject_put(). Currently in the error path when adding fs_devices we are missing this call. This could be fixed by calling btrfs_sysfs_remove_fsid() if btrfs_sysfs_add_fsid() returns an error or by adding a call to kobject_put() directly in btrfs_sysfs_add_fsid(). Here we choose the second option because it prevents the slightly unusual error path handling requirements of kobject from leaking out into btrfs functions.

Add a call to kobject_put() in the error path of kobject_add_and_init(). This causes the release method to be called if kobject_init_and_add() fails. open_tree() is the function that calls btrfs_sysfs_add_fsid() and the error code in this function is already written with the assumption that the release method is called during the error path of open_tree() (as seen by the call to btrfs_sysfs_remove_fsid() under the fail_fsdev_sysfs label).

Signed-off-by: Tobin C. Harding <tobin@kernel.org>

---
 fs/btrfs/sysfs.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)