[PATCH] UBIFS: add missing znode freeing in tcn

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] UBIFS: add missing znode freeing in tcn_insert()
@ 2014-03-08  0:11 Florian Fainelli
  2014-03-08 10:46 ` Richard Weinberger
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Fainelli @ 2014-03-08  0:11 UTC (permalink / raw)
  To: dedekind1; +Cc: Florian Fainelli, computersforpeace, linux-mtd

In case the zi allocation fails in the do_split label, we will fail
freeing zn that we allocated before, add a missing kfree.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
---
 fs/ubifs/tnc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
index 9083bc7ed4ae..9b84d91ea530 100644
--- a/fs/ubifs/tnc.c
+++ b/fs/ubifs/tnc.c
@@ -2105,8 +2105,10 @@ do_split:
 	dbg_tnc("creating new zroot at level %d", znode->level + 1);
 
 	zi = kzalloc(c->max_znode_sz, GFP_NOFS);
-	if (!zi)
+	if (!zi) {
+		kfree(zn);
 		return -ENOMEM;
+	}
 
 	zi->child_cnt = 2;
 	zi->level = znode->level + 1;
-- 
1.8.3.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] UBIFS: add missing znode freeing in tcn_insert()
  2014-03-08  0:11 [PATCH] UBIFS: add missing znode freeing in tcn_insert() Florian Fainelli
@ 2014-03-08 10:46 ` Richard Weinberger
  2014-03-10 18:44   ` Florian Fainelli
  0 siblings, 1 reply; 4+ messages in thread
From: Richard Weinberger @ 2014-03-08 10:46 UTC (permalink / raw)
  To: Florian Fainelli
  Cc: Brian Norris, linux-mtd@lists.infradead.org, Artem Bityutskiy

On Sat, Mar 8, 2014 at 1:11 AM, Florian Fainelli <f.fainelli@gmail.com> wrote:
> In case the zi allocation fails in the do_split label, we will fail
> freeing zn that we allocated before, add a missing kfree.
>
> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
> ---
>  fs/ubifs/tnc.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
> index 9083bc7ed4ae..9b84d91ea530 100644
> --- a/fs/ubifs/tnc.c
> +++ b/fs/ubifs/tnc.c
> @@ -2105,8 +2105,10 @@ do_split:
>         dbg_tnc("creating new zroot at level %d", znode->level + 1);
>
>         zi = kzalloc(c->max_znode_sz, GFP_NOFS);
> -       if (!zi)
> +       if (!zi) {
> +               kfree(zn);
>                 return -ENOMEM;
> +       }
>

I'm not sure whether this is correct.

Around line 2050 we have:
... else {
                /* Insert into new znode */
                zi = zn; <---------
                n -= keep;
                /* Re-parent */
                if (zn->level != 0)
                        zbr->znode->parent = zn;
        }

And later:
insert_zbranch(zi, zbr, n);

By freeing zn you may introduce a use after free bug.

-- 
Thanks,
//richard

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] UBIFS: add missing znode freeing in tcn_insert()
  2014-03-08 10:46 ` Richard Weinberger
@ 2014-03-10 18:44   ` Florian Fainelli
  2014-03-11  7:55     ` Artem Bityutskiy
  0 siblings, 1 reply; 4+ messages in thread
From: Florian Fainelli @ 2014-03-10 18:44 UTC (permalink / raw)
  To: Richard Weinberger
  Cc: Brian Norris, linux-mtd@lists.infradead.org, Artem Bityutskiy

2014-03-08 2:46 GMT-08:00 Richard Weinberger <richard.weinberger@gmail.com>:
> On Sat, Mar 8, 2014 at 1:11 AM, Florian Fainelli <f.fainelli@gmail.com> wrote:
>> In case the zi allocation fails in the do_split label, we will fail
>> freeing zn that we allocated before, add a missing kfree.
>>
>> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
>> ---
>>  fs/ubifs/tnc.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
>> index 9083bc7ed4ae..9b84d91ea530 100644
>> --- a/fs/ubifs/tnc.c
>> +++ b/fs/ubifs/tnc.c
>> @@ -2105,8 +2105,10 @@ do_split:
>>         dbg_tnc("creating new zroot at level %d", znode->level + 1);
>>
>>         zi = kzalloc(c->max_znode_sz, GFP_NOFS);
>> -       if (!zi)
>> +       if (!zi) {
>> +               kfree(zn);
>>                 return -ENOMEM;
>> +       }
>>
>
> I'm not sure whether this is correct.
>
> Around line 2050 we have:
> ... else {
>                 /* Insert into new znode */
>                 zi = zn; <---------
>                 n -= keep;
>                 /* Re-parent */
>                 if (zn->level != 0)
>                         zbr->znode->parent = zn;
>         }
>
> And later:
> insert_zbranch(zi, zbr, n);
>
> By freeing zn you may introduce a use after free bug.

Yes, you are right, I cannot find a good way to make sure this is not
the case, variables re-use in this function makes it particularly hard
to read BTW.
-- 
Florian

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] UBIFS: add missing znode freeing in tcn_insert()
  2014-03-10 18:44   ` Florian Fainelli
@ 2014-03-11  7:55     ` Artem Bityutskiy
  0 siblings, 0 replies; 4+ messages in thread
From: Artem Bityutskiy @ 2014-03-11  7:55 UTC (permalink / raw)
  To: Florian Fainelli
  Cc: Richard Weinberger, Brian Norris, linux-mtd@lists.infradead.org

On Mon, 2014-03-10 at 11:44 -0700, Florian Fainelli wrote:
> 2014-03-08 2:46 GMT-08:00 Richard Weinberger <richard.weinberger@gmail.com>:
> > On Sat, Mar 8, 2014 at 1:11 AM, Florian Fainelli <f.fainelli@gmail.com> wrote:
> >> In case the zi allocation fails in the do_split label, we will fail
> >> freeing zn that we allocated before, add a missing kfree.
> >>
> >> Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
> >> ---
> >>  fs/ubifs/tnc.c | 4 +++-
> >>  1 file changed, 3 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/fs/ubifs/tnc.c b/fs/ubifs/tnc.c
> >> index 9083bc7ed4ae..9b84d91ea530 100644
> >> --- a/fs/ubifs/tnc.c
> >> +++ b/fs/ubifs/tnc.c
> >> @@ -2105,8 +2105,10 @@ do_split:
> >>         dbg_tnc("creating new zroot at level %d", znode->level + 1);
> >>
> >>         zi = kzalloc(c->max_znode_sz, GFP_NOFS);
> >> -       if (!zi)
> >> +       if (!zi) {
> >> +               kfree(zn);
> >>                 return -ENOMEM;
> >> +       }
> >>
> >
> > I'm not sure whether this is correct.
> >
> > Around line 2050 we have:
> > ... else {
> >                 /* Insert into new znode */
> >                 zi = zn; <---------
> >                 n -= keep;
> >                 /* Re-parent */
> >                 if (zn->level != 0)
> >                         zbr->znode->parent = zn;
> >         }
> >
> > And later:
> > insert_zbranch(zi, zbr, n);
> >
> > By freeing zn you may introduce a use after free bug.
> 
> Yes, you are right, I cannot find a good way to make sure this is not
> the case,

I think you do not need to free it. It was allocated and inserted to
TNC. TNC is a global data structure. It gets destroyed (all elements get
freed) when the FS is unmounted. Or if mount fails, it gets freed on the
error path.

So no need to worry about that element.

>  variables re-use in this function makes it particularly hard
> to read BTW.

Yes, it could be better, I guess. But this kind of "algorithmic" code is
rarely very readable, it is just not very easy. More comments could help
too.

-- 
Best Regards,
Artem Bityutskiy

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-03-11  7:56 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-03-08  0:11 [PATCH] UBIFS: add missing znode freeing in tcn_insert() Florian Fainelli
2014-03-08 10:46 ` Richard Weinberger
2014-03-10 18:44   ` Florian Fainelli
2014-03-11  7:55     ` Artem Bityutskiy

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.