btrfs: prevent memory leak
diff mbox series

Message ID 20190923223437.11086-1-navid.emamdoost@gmail.com
State New
Headers show
Series
  • btrfs: prevent memory leak
Related show

Commit Message

Navid Emamdoost Sept. 23, 2019, 10:34 p.m. UTC
In btrfsic_mount if btrfsic_dev_state_alloc fails the allocated state
will be leaked. It needs to be released on error handling path.

Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
---
 fs/btrfs/check-integrity.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Nikolay Borisov Sept. 24, 2019, 7:06 a.m. UTC | #1
On 24.09.19 г. 1:34 ч., Navid Emamdoost wrote:
> In btrfsic_mount if btrfsic_dev_state_alloc fails the allocated state
> will be leaked. It needs to be released on error handling path.
> 
> Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>

NAK.

The allocated state could have been added to a btrfsic_dev_state which
in turn is linked by btrfsic_dev_state_hashtable_add. So when later
ds->state is dereferenced it will case a UAF and likely result in crash.

Looking at the integrity code I also don't like how it's structured e.g.
if a memory error occurs then only some devices will be added to the
btrfsic_dev_State_hashtable and the super block is not going to be
validated at all.

> ---
>  fs/btrfs/check-integrity.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c
> index 0b52ab4cb964..8a77b0cb2db3 100644
> --- a/fs/btrfs/check-integrity.c
> +++ b/fs/btrfs/check-integrity.c
> @@ -2941,6 +2941,7 @@ int btrfsic_mount(struct btrfs_fs_info *fs_info,
>  		if (NULL == ds) {
>  			pr_info("btrfs check-integrity: kmalloc() failed!\n");
>  			mutex_unlock(&btrfsic_mutex);
> +			kvfree(state);
>  			return -ENOMEM;
>  		}
>  		ds->bdev = device->bdev;
>

Patch
diff mbox series

diff --git a/fs/btrfs/check-integrity.c b/fs/btrfs/check-integrity.c
index 0b52ab4cb964..8a77b0cb2db3 100644
--- a/fs/btrfs/check-integrity.c
+++ b/fs/btrfs/check-integrity.c
@@ -2941,6 +2941,7 @@  int btrfsic_mount(struct btrfs_fs_info *fs_info,
 		if (NULL == ds) {
 			pr_info("btrfs check-integrity: kmalloc() failed!\n");
 			mutex_unlock(&btrfsic_mutex);
+			kvfree(state);
 			return -ENOMEM;
 		}
 		ds->bdev = device->bdev;