Re: [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Al Viro <viro@zeniv.linux.org.uk>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "Christian Brauner" <brauner@kernel.org>,
	"Dongliang Mu" <mudongliangabcd@gmail.com>,
	"Dongliang Mu" <dzm91@hust.edu.cn>,
	"Arve Hjønnevåg" <arve@android.com>,
	"Todd Kjos" <tkjos@android.com>,
	"Martijn Coenen" <maco@android.com>,
	"Joel Fernandes" <joel@joelfernandes.org>,
	"Carlos Llamas" <cmllamas@google.com>,
	"Suren Baghdasaryan" <surenb@google.com>,
	"Kees Cook" <keescook@chromium.org>,
	syzkaller <syzkaller@googlegroups.com>,
	linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super
Date: Mon, 15 Aug 2022 02:46:36 +0100	[thread overview]
Message-ID: <YvmlfBJTiOQVfVtX@ZenIV> (raw)
In-Reply-To: <YvZkfPak2UMSc1tS@kroah.com>

On Fri, Aug 12, 2022 at 04:32:28PM +0200, Greg Kroah-Hartman wrote:

> > It's a bit tricky to follow but d_make_root() always consumes the inode.
> > On success via d_instantiate() and on failure via iput(). So when
> > d_make_root() has been called the inode is off limits. And as soon as
> > d_make_root() has returned successfully we're guaranteed that
> > sb->s_fs_info is cleaned up if a ->put_super() method has been defined.
> > Just fyi.
> 
> Ah, thanks, that wasn't obvious at all.
> 
> greg k-h

FWIW, I would rather provide a proper ->kill_sb() and gotten rid of
all that stuff.  The thing is, unlike ->put_super(), ->kill_sb() is
called for *anything* that has gotten to foo_fill_super().  Usually
allows to get rid of those "call all of or parts of foo_put_super()
on failure exits" and associated bitrot...

Like this (completely untested):

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/drivers/android/binderfs.c b/drivers/android/binderfs.c
index 588d753a7a19..c760f3129768 100644
--- a/drivers/android/binderfs.c
+++ b/drivers/android/binderfs.c
@@ -340,22 +340,21 @@ static int binderfs_show_options(struct seq_file *seq, struct dentry *root)
 	return 0;
 }
 
-static void binderfs_put_super(struct super_block *sb)
+static void binderfs_kill_super(struct super_block *sb)
 {
 	struct binderfs_info *info = sb->s_fs_info;
 
+	kill_litter_super(sb);
 	if (info && info->ipc_ns)
 		put_ipc_ns(info->ipc_ns);
 
 	kfree(info);
-	sb->s_fs_info = NULL;
 }
 
 static const struct super_operations binderfs_super_ops = {
 	.evict_inode    = binderfs_evict_inode,
 	.show_options	= binderfs_show_options,
 	.statfs         = simple_statfs,
-	.put_super	= binderfs_put_super,
 };
 
 static inline bool is_binderfs_control_device(const struct dentry *dentry)
@@ -789,7 +788,7 @@ static struct file_system_type binder_fs_type = {
 	.name			= "binder",
 	.init_fs_context	= binderfs_init_fs_context,
 	.parameters		= binderfs_fs_parameters,
-	.kill_sb		= kill_litter_super,
+	.kill_sb		= binderfs_kill_super,
 	.fs_flags		= FS_USERNS_MOUNT,
 };

next prev parent reply	other threads:[~2022-08-15  1:47 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-12 13:21 [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super Dongliang Mu
2022-08-12 13:41 ` Christian Brauner
2022-08-12 13:48   ` Dongliang Mu
2022-08-12 14:18     ` Christian Brauner
2022-08-15  0:59       ` Dongliang Mu
2022-08-12 13:41 ` Greg Kroah-Hartman
2022-08-12 13:56   ` Dongliang Mu
2022-08-12 14:02     ` Dongliang Mu
2022-08-12 14:09     ` Greg Kroah-Hartman
2022-08-12 14:24       ` Christian Brauner
2022-08-12 14:32         ` Greg Kroah-Hartman
2022-08-15  1:46           ` Al Viro [this message]
2022-08-15  1:48             ` Al Viro
2022-08-15  8:47             ` Christian Brauner
2022-08-17 11:43               ` Greg Kroah-Hartman
2022-08-17 13:03                 ` [PATCH] binderfs: rework superblock destruction Christian Brauner
2022-08-17 13:59                   ` Al Viro
2022-08-17 14:01                     ` Christian Brauner
2022-08-17 14:19                       ` Al Viro
2022-08-17 14:32                         ` Al Viro
2022-08-17 15:05                           ` Christian Brauner
2022-08-17 14:51                         ` Christian Brauner
2022-08-17 15:21                           ` Al Viro
2022-08-17 15:24                             ` Christian Brauner

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:588d753a7a1 dfblob:c760f312976 )
 OR (
bs:"Re: [PATCH] drivers: binderfs: fix memory leak in binderfs_fill_super" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YvmlfBJTiOQVfVtX@ZenIV \
    --to=viro@zeniv.linux.org.uk \
    --cc=arve@android.com \
    --cc=brauner@kernel.org \
    --cc=cmllamas@google.com \
    --cc=dzm91@hust.edu.cn \
    --cc=gregkh@linuxfoundation.org \
    --cc=joel@joelfernandes.org \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maco@android.com \
    --cc=mudongliangabcd@gmail.com \
    --cc=surenb@google.com \
    --cc=syzkaller@googlegroups.com \
    --cc=tkjos@android.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.