From: Dan Carpenter <dan.carpenter@oracle.com>
To: Dongliang Mu <mudongliangabcd@gmail.com>
Cc: syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com,
linux-kernel <linux-kernel@vger.kernel.org>,
alsa-devel@alsa-project.org, tiwai@suse.com
Subject: Re: [PATCH] ALSA: control led: fix memory leak in snd_ctl_led_register
Date: Tue, 1 Jun 2021 16:46:07 +0300 [thread overview]
Message-ID: <20210601134606.GD24442@kadam> (raw)
In-Reply-To: <CAD-N9QW17fVZhaLY=CLPj9EbTLpG9qFNcGYZ0MhGxg_E0df1Uw@mail.gmail.com>
On Tue, Jun 01, 2021 at 09:17:04PM +0800, Dongliang Mu wrote:
> On Mon, May 31, 2021 at 7:02 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > > @@ -701,6 +706,7 @@ static void snd_ctl_led_sysfs_remove(struct snd_card *card)
> > > sysfs_remove_link(&card->ctl_dev.kobj, link_name);
> > > sysfs_remove_link(&led_card->dev.kobj, "card");
> > > device_del(&led_card->dev);
> > > + put_device(&led_card->dev);
> > > kfree(led_card);
> > > led->cards[card->number] = NULL;
> > > }
> >
> > Btw, I have created a Smatch warning for this type of code where we
> > have:
> >
> > put_device(&foo->dev);
> > kfree(foo);
>
> I don't think this should be a bug pattern. put_device will drop the
> final reference of one object with struct device and invoke
> device_release to release some resources.
>
> The release function should only clean up the internal resources in
> the device object. It should not touch the led_card which contains the
> device object.
>
It's only a use after free if you turn CONFIG_DEBUG_KOBJECT_RELEASE
debugging on, which you would never do in a production environment. The
put_device() function calls kobject_release():
lib/kobject.c
725 static void kobject_release(struct kref *kref)
726 {
727 struct kobject *kobj = container_of(kref, struct kobject, kref);
728 #ifdef CONFIG_DEBUG_KOBJECT_RELEASE
729 unsigned long delay = HZ + HZ * (get_random_int() & 0x3);
730 pr_info("kobject: '%s' (%p): %s, parent %p (delayed %ld)\n",
731 kobject_name(kobj), kobj, __func__, kobj->parent, delay);
732 INIT_DELAYED_WORK(&kobj->release, kobject_delayed_cleanup);
^^^^^^^^^^^^^^^^^^^^^^^
733
734 schedule_delayed_work(&kobj->release, delay);
735 #else
736 kobject_cleanup(kobj);
737 #endif
738 }
This release will be done later and it references led_card->dev which is
now freed.
The Smatch check did work pretty decently. These are all use after free
bugs if you have CONFIG_DEBUG_KOBJECT_RELEASE enabled. (Line numbers
from Friday's linux-next). I'm not going to bother fixing them because
they're only an issue for CONFIG_DEBUG_KOBJECT_RELEASE and not for
production but I will email people when more of these bugs are
introduced.
sound/core/control_led.c:688 snd_ctl_led_sysfs_add() warn: freeing device managed memory (UAF): 'led_card'
drivers/usb/gadget/function/f_mass_storage.c:2649 fsg_common_remove_lun() warn: freeing device managed memory (UAF): 'lun'
drivers/usb/gadget/function/f_mass_storage.c:2818 fsg_common_create_lun() warn: freeing device managed memory (UAF): 'lun'
drivers/usb/gadget/function/f_mass_storage.c:2881 fsg_common_release() warn: freeing device managed memory (UAF): 'lun'
drivers/w1/w1.c:810 w1_unref_slave() warn: freeing device managed memory (UAF): 'sl'
drivers/pci/endpoint/pci-epc-core.c:671 pci_epc_destroy() warn: freeing device managed memory (UAF): 'epc'
drivers/pci/endpoint/pci-epc-core.c:742 __pci_epc_create() warn: freeing device managed memory (UAF): 'epc'
drivers/infiniband/ulp/srp/ib_srp.c:3930 srp_add_port() warn: freeing device managed memory (UAF): 'host'
drivers/infiniband/ulp/srp/ib_srp.c:4058 srp_remove_one() warn: freeing device managed memory (UAF): 'host'
drivers/infiniband/ulp/rtrs/rtrs-clt.c:2695 alloc_clt() warn: freeing device managed memory (UAF): 'clt'
drivers/media/pci/solo6x10/solo6x10-core.c:156 free_solo_dev() warn: freeing device managed memory (UAF): 'solo_dev'
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:203 nfp_cpp_free() warn: freeing device managed memory (UAF): 'cpp'
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1258 nfp_cpp_from_operations() warn: freeing device managed memory (UAF): 'cpp'
drivers/net/netdevsim/bus.c:354 nsim_bus_dev_del() warn: freeing device managed memory (UAF): 'nsim_bus_dev'
drivers/thermal/thermal_core.c:1002 __thermal_cooling_device_register() warn: freeing device managed memory (UAF): 'cdev'
regards,
dan carpenter
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Dongliang Mu <mudongliangabcd@gmail.com>
Cc: perex@perex.cz, tiwai@suse.com, alsa-devel@alsa-project.org,
linux-kernel <linux-kernel@vger.kernel.org>,
syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com
Subject: Re: [PATCH] ALSA: control led: fix memory leak in snd_ctl_led_register
Date: Tue, 1 Jun 2021 16:46:07 +0300 [thread overview]
Message-ID: <20210601134606.GD24442@kadam> (raw)
In-Reply-To: <CAD-N9QW17fVZhaLY=CLPj9EbTLpG9qFNcGYZ0MhGxg_E0df1Uw@mail.gmail.com>
On Tue, Jun 01, 2021 at 09:17:04PM +0800, Dongliang Mu wrote:
> On Mon, May 31, 2021 at 7:02 PM Dan Carpenter <dan.carpenter@oracle.com> wrote:
> > > @@ -701,6 +706,7 @@ static void snd_ctl_led_sysfs_remove(struct snd_card *card)
> > > sysfs_remove_link(&card->ctl_dev.kobj, link_name);
> > > sysfs_remove_link(&led_card->dev.kobj, "card");
> > > device_del(&led_card->dev);
> > > + put_device(&led_card->dev);
> > > kfree(led_card);
> > > led->cards[card->number] = NULL;
> > > }
> >
> > Btw, I have created a Smatch warning for this type of code where we
> > have:
> >
> > put_device(&foo->dev);
> > kfree(foo);
>
> I don't think this should be a bug pattern. put_device will drop the
> final reference of one object with struct device and invoke
> device_release to release some resources.
>
> The release function should only clean up the internal resources in
> the device object. It should not touch the led_card which contains the
> device object.
>
It's only a use after free if you turn CONFIG_DEBUG_KOBJECT_RELEASE
debugging on, which you would never do in a production environment. The
put_device() function calls kobject_release():
lib/kobject.c
725 static void kobject_release(struct kref *kref)
726 {
727 struct kobject *kobj = container_of(kref, struct kobject, kref);
728 #ifdef CONFIG_DEBUG_KOBJECT_RELEASE
729 unsigned long delay = HZ + HZ * (get_random_int() & 0x3);
730 pr_info("kobject: '%s' (%p): %s, parent %p (delayed %ld)\n",
731 kobject_name(kobj), kobj, __func__, kobj->parent, delay);
732 INIT_DELAYED_WORK(&kobj->release, kobject_delayed_cleanup);
^^^^^^^^^^^^^^^^^^^^^^^
733
734 schedule_delayed_work(&kobj->release, delay);
735 #else
736 kobject_cleanup(kobj);
737 #endif
738 }
This release will be done later and it references led_card->dev which is
now freed.
The Smatch check did work pretty decently. These are all use after free
bugs if you have CONFIG_DEBUG_KOBJECT_RELEASE enabled. (Line numbers
from Friday's linux-next). I'm not going to bother fixing them because
they're only an issue for CONFIG_DEBUG_KOBJECT_RELEASE and not for
production but I will email people when more of these bugs are
introduced.
sound/core/control_led.c:688 snd_ctl_led_sysfs_add() warn: freeing device managed memory (UAF): 'led_card'
drivers/usb/gadget/function/f_mass_storage.c:2649 fsg_common_remove_lun() warn: freeing device managed memory (UAF): 'lun'
drivers/usb/gadget/function/f_mass_storage.c:2818 fsg_common_create_lun() warn: freeing device managed memory (UAF): 'lun'
drivers/usb/gadget/function/f_mass_storage.c:2881 fsg_common_release() warn: freeing device managed memory (UAF): 'lun'
drivers/w1/w1.c:810 w1_unref_slave() warn: freeing device managed memory (UAF): 'sl'
drivers/pci/endpoint/pci-epc-core.c:671 pci_epc_destroy() warn: freeing device managed memory (UAF): 'epc'
drivers/pci/endpoint/pci-epc-core.c:742 __pci_epc_create() warn: freeing device managed memory (UAF): 'epc'
drivers/infiniband/ulp/srp/ib_srp.c:3930 srp_add_port() warn: freeing device managed memory (UAF): 'host'
drivers/infiniband/ulp/srp/ib_srp.c:4058 srp_remove_one() warn: freeing device managed memory (UAF): 'host'
drivers/infiniband/ulp/rtrs/rtrs-clt.c:2695 alloc_clt() warn: freeing device managed memory (UAF): 'clt'
drivers/media/pci/solo6x10/solo6x10-core.c:156 free_solo_dev() warn: freeing device managed memory (UAF): 'solo_dev'
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:203 nfp_cpp_free() warn: freeing device managed memory (UAF): 'cpp'
drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1258 nfp_cpp_from_operations() warn: freeing device managed memory (UAF): 'cpp'
drivers/net/netdevsim/bus.c:354 nsim_bus_dev_del() warn: freeing device managed memory (UAF): 'nsim_bus_dev'
drivers/thermal/thermal_core.c:1002 __thermal_cooling_device_register() warn: freeing device managed memory (UAF): 'cdev'
regards,
dan carpenter
next prev parent reply other threads:[~2021-06-01 13:47 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-28 13:17 [PATCH] ALSA: control led: fix memory leak in snd_ctl_led_register Dongliang Mu
2021-05-28 13:33 ` Dan Carpenter
2021-05-28 13:33 ` Dan Carpenter
2021-05-28 13:50 ` Dongliang Mu
2021-05-28 13:50 ` Dongliang Mu
2021-05-28 14:05 ` Dan Carpenter
2021-05-28 14:05 ` Dan Carpenter
2021-05-28 21:35 ` 慕冬亮
2021-05-28 21:35 ` 慕冬亮
2021-05-31 3:03 ` Dongliang Mu
2021-05-31 3:03 ` Dongliang Mu
2021-05-31 4:40 ` Dan Carpenter
2021-05-31 4:40 ` Dan Carpenter
2021-05-31 6:20 ` Dongliang Mu
2021-05-31 6:20 ` Dongliang Mu
2021-05-31 7:03 ` Dan Carpenter
2021-05-31 7:03 ` Dan Carpenter
2021-05-31 7:34 ` Dongliang Mu
2021-05-31 7:34 ` Dongliang Mu
2021-05-31 8:08 ` Dongliang Mu
2021-05-31 8:08 ` Dongliang Mu
2021-05-31 8:46 ` Dan Carpenter
2021-05-31 8:46 ` Dan Carpenter
2021-05-31 9:10 ` Dongliang Mu
2021-05-31 9:10 ` Dongliang Mu
2021-05-31 9:38 ` Dan Carpenter
2021-05-31 9:38 ` Dan Carpenter
2021-05-31 10:35 ` Dongliang Mu
2021-05-31 10:35 ` Dongliang Mu
2021-05-31 10:43 ` Dan Carpenter
2021-05-31 10:43 ` Dan Carpenter
2021-05-31 10:59 ` Dongliang Mu
2021-05-31 10:59 ` Dongliang Mu
2021-05-31 8:12 ` Dan Carpenter
2021-05-31 8:12 ` Dan Carpenter
2021-05-31 4:36 ` Dan Carpenter
2021-05-31 4:36 ` Dan Carpenter
2021-05-31 11:01 ` Dan Carpenter
2021-05-31 11:01 ` Dan Carpenter
2021-05-31 11:07 ` Dan Carpenter
2021-05-31 11:07 ` Dan Carpenter
2021-05-31 11:11 ` Dongliang Mu
2021-05-31 11:11 ` Dongliang Mu
2021-06-01 13:17 ` Dongliang Mu
2021-06-01 13:17 ` Dongliang Mu
2021-06-01 13:46 ` Dan Carpenter [this message]
2021-06-01 13:46 ` Dan Carpenter
2021-06-01 14:19 ` Dongliang Mu
2021-06-01 14:19 ` Dongliang Mu
2021-06-01 14:43 ` Dan Carpenter
2021-06-01 14:43 ` Dan Carpenter
2021-06-01 15:52 ` Dongliang Mu
2021-06-01 15:52 ` Dongliang Mu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210601134606.GD24442@kadam \
--to=dan.carpenter@oracle.com \
--cc=alsa-devel@alsa-project.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mudongliangabcd@gmail.com \
--cc=syzbot+08a7d8b51ea048a74ffb@syzkaller.appspotmail.com \
--cc=tiwai@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.