From: Satoru Takeuchi <satoru.takeuchi@gmail.com>
To: Rusty Russell <rusty@rustcorp.com.au>
Cc: Ben Hutchings <ben@decadent.org.uk>,
Satoru Takeuchi <satoru.takeuchi@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Aurelien Jarno <aurelien@aurel32.net>,
Matt Mackall <mpm@selenic.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] hw_random: free rng_buffer at module exit
Date: Wed, 20 Mar 2013 09:29:57 +0900
Message-ID: <87li9i9am2.wl%satoru.takeuchi@gmail.com>
In-Reply-To: <87ppyxsa5e.fsf@rustcorp.com.au>
At Mon, 18 Mar 2013 13:10:29 +1030,
Rusty Russell wrote:
>
> Ben Hutchings <ben@decadent.org.uk> writes:
> > On Fri, 2013-03-15 at 15:35 +1030, Rusty Russell wrote:
> >> Satoru Takeuchi <satoru.takeuchi@gmail.com> writes:
> >> > At Thu, 14 Mar 2013 17:11:21 +1030,
> >> > Rusty Russell wrote:
> >> >>
> >> >> Satoru Takeuchi <satoru.takeuchi@gmail.com> writes:
> >> >> > Hi Rusty,
> >> >> >
> >> >> > At Tue, 12 Mar 2013 15:43:33 -0700,
> >> >> > Greg Kroah-Hartman wrote:
> >> >> >> @@ -307,6 +312,14 @@ int hwrng_register(struct hwrng *rng)
> >> >> >>
> >> >> >> mutex_lock(&rng_mutex);
> >> >> >>
> >> >> >> + /* kmalloc makes this safe for virt_to_page() in virtio_rng.c */
> >> >> >> + err = -ENOMEM;
> >> >> >> + if (!rng_buffer) {
> >> >> >> + rng_buffer = kmalloc(rng_buffer_size(), GFP_KERNEL);
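Review bot: `rng_buffer` is allocated on the `if (!rng_buffer)` path inside `hwrng_register()`, so its lifetime starts at the first registration rather than at module init, and the lines shown pair the `kmalloc()` with no release. Suggest freeing it from a module exit handler, and extending the comment to say who owns the buffer and when it is released; as written the comment only explains why `kmalloc` was chosen.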
> >> >> >
> >> >> > rng_buffer is now kmalloc-ed, but not kfree-ed. Shouldn't it be kfree-ed
> >> >> > at hwrng_unregister()? If my suspicion is correct, the same problem is
> >> >> > in 3.8.3-rc1 and 3.0.69-rc1. I'm OK to make a patch, but it'll be after
> >> >> > some hours.
> >> >> >
> >> >> > Correct me if I'm wrong.
> >> >>
> >> >> Yes, it would be nice to free it, but it really makes sense to free it
> >> >> in module_cleanup() (which would have to be written, as the module
> >> >> currently doesn't have one).
> >> >>
> >> >> Cheers,
> >> >> Rusty.
> >> >
> >> > From: Satoru Takeuchi <satoru.takeuchi@gmail.com>
> >> >
> >> > rng-core module allocates rng_buffer by kmalloc() since commit
> >> > f7f154f1246ccc5a0a7e9ce50932627d60a0c878. But this buffer won't be
> >> > freed and there is a memory leak possibility at module exit.
> >> >
> >> > Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
> >> > Cc: Rusty Russell <rusty@rustcorp.com.au>
> >> > Cc: Matt Mackall <mpm@selenic.com>
> >> > Cc: Herbert Xu <herbert@gondor.apana.org.au>
> >> > Cc: Aurelien Jarno <aurelien@aurel32.net>
> >> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> >> > Cc: stable@vger.kernel.org
> >>
> >> Cc: stable might be overkill, but I've tested it and put it in my patch
> >> queue, and will push it to Linus once it's survived linux-next.
> >
> > If the module cannot be removed currently, it does not leak. Making it
> > removable is a feature addition and I think you're right that it's not
> > suitable for stable.
>
> No, the module has always been removable, but the tiny leak is more a
> theoretical problem I'd say. AFAICT udev never removes modules, so even
> if you have a randomness device which bounces in and out every second,
> it still won't leak 5MB a day.

I changed my mind. This patch is not suitable for stable because of the
following reasons.

 - Admins (or udev) don't normally unload hw_random drivers.
 - It's hard for attackers to abuse this bug. Triggering rng-core module
   unload is difficult for non-root users.
 - It leaks little memory (on my system, 64 bytes per load/unload), as Rusty said.

Documentation/stable_kernel_rules.txt
===============================================================================
...
 - It must fix a real bug that bothers people (not a, "This could be a
   problem..." type thing).
 - It must fix a problem that causes a build error (but not for things
   marked CONFIG_BROKEN), an oops, a hang, data corruption, a real
   security issue, or some "oh, that's not good" issue. In short, something
   critical.
...
===============================================================================

It doesn't match the above-mentioned description. It's not critical.

Thanks,
Satoru
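
A userspace C model of the buffer lifetime discussed in this thread, added here as an illustration; it is not kernel code and not code from any poster. The `model_*` names and the slot pool are hypothetical stand-ins, and the 64-byte size is the per-cycle figure reported in the message above.

```c
#include <stdio.h>
#include <string.h>
#define RNG_BUFFER_SIZE 64   /* assumption: per-cycle figure from the message */
#define POOL_SLOTS 256       /* constructed stand-in for the kernel heap */

static unsigned char pool[POOL_SLOTS * RNG_BUFFER_SIZE];
static unsigned char slot_used[POOL_SLOTS];
static unsigned char *rng_buffer;  /* module-global pointer, as in the hunk */

static void *model_kmalloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!slot_used[i]) { slot_used[i] = 1; return &pool[i * RNG_BUFFER_SIZE]; }
    return NULL;
}

/* Lazy allocation on first registration, mirroring the quoted hunk. */
static int model_hwrng_register(void)
{
    if (!rng_buffer) rng_buffer = model_kmalloc();
    return rng_buffer ? 0 : -12;  /* -ENOMEM */
}

/* Module unload: the global pointer is gone whether or not it was freed. */
static void model_module_exit(int with_cleanup)
{
    if (with_cleanup && rng_buffer)
        slot_used[(rng_buffer - pool) / RNG_BUFFER_SIZE] = 0;  /* models kfree() */
    rng_buffer = NULL;
}

/* Bytes still allocated after n load/unload cycles, each registering two
 * devices that share the buffer; returns -1 once the pool runs out. */
long leaked_after_cycles(int n, int with_cleanup)
{
    long live = 0;
    memset(slot_used, 0, sizeof slot_used);
    rng_buffer = NULL;
    for (int i = 0; i < n; i++) {
        if (model_hwrng_register() || model_hwrng_register()) return -1;
        model_module_exit(with_cleanup);
    }
    for (int i = 0; i < POOL_SLOTS; i++) live += slot_used[i] * RNG_BUFFER_SIZE;
    return live;
}

int main(void)
{
    printf("10 cycles, no exit handler: %ld bytes\n", leaked_after_cycles(10, 0));
    printf("10 cycles, exit handler:    %ld bytes\n", leaked_after_cycles(10, 1));
    return 0;
}
```

The leak grows by one buffer per load/unload cycle, not per registration, which is why the cost depends on how often the module is actually unloaded.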