| Message ID | 20230831183459.6938-1-ddiss@suse.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | d14e3e553e05cb763964c991fe6acb0a6a1c6f9c |
| Headers | show |
| Series | scsi: target: fix target_cmd_counter leak | expand |
On Thu, 31 Aug 2023 20:34:59 +0200, David Disseldorp wrote: > The target_cmd_counter struct allocated via target_alloc_cmd_counter() > is never free'd, resulting in leaks across various transport types, > e.g.: > > unreferenced object 0xffff88801f920120 (size 96): > comm "sh", pid 102, jiffies 4294892535 (age 713.412s) > hex dump (first 32 bytes): > 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... > backtrace: > [<00000000e58a6252>] kmalloc_trace+0x11/0x20 > [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] > [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] > [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] > [<000000006a80e021>] configfs_write_iter+0xb1/0x120 > [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 > [<000000008143433b>] ksys_write+0x80/0xb0 > [<00000000a7df29b2>] do_syscall_64+0x42/0x90 > [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 > > Free the structure alongside the corresponding iscsit_conn / se_sess > parent. I forgot to add... Fixes: becd9be6069e ("scsi: target: Move sess cmd counter to new struct")
On 8/31/23 1:34 PM, David Disseldorp wrote: > The target_cmd_counter struct allocated via target_alloc_cmd_counter() > is never free'd, resulting in leaks across various transport types, > e.g.: > > unreferenced object 0xffff88801f920120 (size 96): > comm "sh", pid 102, jiffies 4294892535 (age 713.412s) > hex dump (first 32 bytes): > 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... > backtrace: > [<00000000e58a6252>] kmalloc_trace+0x11/0x20 > [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] > [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] > [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] > [<000000006a80e021>] configfs_write_iter+0xb1/0x120 > [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 > [<000000008143433b>] ksys_write+0x80/0xb0 > [<00000000a7df29b2>] do_syscall_64+0x42/0x90 > [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 > > Free the structure alongside the corresponding iscsit_conn / se_sess > parent. > > Signed-off-by: David Disseldorp <ddiss@suse.de> > --- Reviewed-by: Mike Christie <michael.christie@oracle.com>
On Thu, 31 Aug 2023 20:34:59 +0200, David Disseldorp wrote: > The target_cmd_counter struct allocated via target_alloc_cmd_counter() > is never free'd, resulting in leaks across various transport types, > e.g.: > > unreferenced object 0xffff88801f920120 (size 96): > comm "sh", pid 102, jiffies 4294892535 (age 713.412s) > hex dump (first 32 bytes): > 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... > backtrace: > [<00000000e58a6252>] kmalloc_trace+0x11/0x20 > [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] > [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] > [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] > [<000000006a80e021>] configfs_write_iter+0xb1/0x120 > [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 > [<000000008143433b>] ksys_write+0x80/0xb0 > [<00000000a7df29b2>] do_syscall_64+0x42/0x90 > [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 > > [...] Applied to 6.6/scsi-fixes, thanks! [1/1] scsi: target: fix target_cmd_counter leak https://git.kernel.org/mkp/scsi/c/d14e3e553e05
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c index 687adc9e086c..0686882bcbda 100644 --- a/drivers/target/target_core_transport.c +++ b/drivers/target/target_core_transport.c @@ -264,6 +264,7 @@ void target_free_cmd_counter(struct target_cmd_counter *cmd_cnt) percpu_ref_put(&cmd_cnt->refcnt); percpu_ref_exit(&cmd_cnt->refcnt); + kfree(cmd_cnt); } EXPORT_SYMBOL_GPL(target_free_cmd_counter);
The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never free'd, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........8....... backtrace: [<00000000e58a6252>] kmalloc_trace+0x11/0x20 [<0000000043af4b2f>] target_alloc_cmd_counter+0x17/0x90 [target_core_mod] [<000000007da2dfa7>] target_setup_session+0x2d/0x140 [target_core_mod] [<0000000068feef86>] tcm_loop_tpg_nexus_store+0x19b/0x350 [tcm_loop] [<000000006a80e021>] configfs_write_iter+0xb1/0x120 [<00000000e9f4d860>] vfs_write+0x2e4/0x3c0 [<000000008143433b>] ksys_write+0x80/0xb0 [<00000000a7df29b2>] do_syscall_64+0x42/0x90 [<0000000053f45fb8>] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Free the structure alongside the corresponding iscsit_conn / se_sess parent. Signed-off-by: David Disseldorp <ddiss@suse.de> --- drivers/target/target_core_transport.c | 1 + 1 file changed, 1 insertion(+)