On Wed, 2025-01-15 at 08:32 +0100, Antoine Viallon wrote:
> On 15/01/2025 00:27, Viacheslav Dubeyko wrote:
> > I have some worry here. Maybe I am wrong. Initially, we receive the tpath
> > pointer as a function argument:
> > 
> > https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5605
> > 
> > Then, we assign tpath to _tpath:
> > 
> > https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5651
> > 
> > We allocate memory conditionally:
> > 
> > if (spath && (m = strlen(spath)) != 1) {
> >         /* mount path + '/' + tpath + an extra space */
> >         n = m + 1 + tlen + 1;
> >         _tpath = kmalloc(n, GFP_NOFS);
> >         if (!_tpath)
> >                 return -ENOMEM;
> >         /* remove the leading '/' */
> >         snprintf(_tpath, n, "%s/%s", spath + 1, tpath);
> >         free_tpath = true;
> >         tlen = strlen(_tpath);
> > }
> > 
> > https://elixir.bootlin.com/linux/v6.13-rc3/source/fs/ceph/mds_client.c#L5660
> > 
> > What if the condition is not true and we don't allocate memory? We still
> > have _tpath holding the pointer to tpath, and kfree() will be called. It
> > sounds to me that we can free tpath, and the caller of
> > ceph_mds_auth_match() will have a use-after-free issue. Am I right here?
> > Am I missing something?
> 
> Hello Slava,
> actually, we check that free_tpath is set to true before trying to free
> _tpath, and the only time free_tpath is set to true is after a
> successful kmalloc assigned to _tpath.

Yeah, I see now. Thanks.

But this kind of logic looks slightly confusing, and it could be a real
source of bugs.

Thanks,
Slava.
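To make the ownership pattern discussed in this thread concrete, here is an added userspace C example. It is not code from the Ceph kernel module or from anyone in the thread: it mirrors the flag-based idiom (a pointer that aliases the caller's argument until a new buffer is built, with a boolean recording which case applies) and sets beside it an alternative that keeps the heap pointer in its own NULL-initialised variable, so the cleanup is unconditional and cannot release memory the function does not own. The `path_matches` helper, the function names, and malloc/free standing in for kmalloc/kfree are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the comparison the real function performs on the
 * built path: true if pattern equals path or is a directory prefix of it. */
static bool path_matches(const char *path, const char *pattern)
{
    size_t plen = strlen(pattern);

    if (strcmp(path, pattern) == 0)
        return true;
    return strncmp(path, pattern, plen) == 0 && path[plen] == '/';
}

/*
 * Variant A: the flag-based ownership pattern from the thread, with malloc/free
 * in place of kmalloc/kfree. _tpath aliases the caller's tpath unless a new
 * buffer is built; free_tpath is the only record of which case we are in.
 * Returns 1 on match, 0 on mismatch, -1 on allocation failure.
 */
int match_flag_style(const char *spath, char *tpath, const char *pattern)
{
    char *_tpath = tpath;
    bool free_tpath = false;
    size_t m, n, tlen = strlen(tpath);
    int ret;

    if (spath && (m = strlen(spath)) != 1) {
        /* mount path + '/' + tpath + terminator */
        n = m + 1 + tlen + 1;
        _tpath = malloc(n);
        if (!_tpath)
            return -1;
        /* remove the leading '/' */
        snprintf(_tpath, n, "%s/%s", spath + 1, tpath);
        free_tpath = true;
    }

    ret = path_matches(_tpath, pattern) ? 1 : 0;

    /*
     * This guard is load-bearing: without it, the no-allocation case would
     * free the caller's tpath and leave the caller with a dangling pointer,
     * which is exactly the use-after-free raised in the thread.
     */
    if (free_tpath)
        free(_tpath);
    return ret;
}

/*
 * Variant B: the same behaviour without the flag. The heap pointer lives in
 * its own variable, initialised to NULL, and the path used for matching is a
 * separate read-only view. free(NULL) is a no-op, as is kfree(NULL), so the
 * cleanup is unconditional and can only ever release memory we allocated.
 */
int match_owned_style(const char *spath, const char *tpath, const char *pattern)
{
    char *owned = NULL;
    const char *path = tpath;
    int ret;

    if (spath && strlen(spath) != 1) {
        size_t n = strlen(spath) + 1 + strlen(tpath) + 1;

        owned = malloc(n);
        if (!owned)
            return -1;
        snprintf(owned, n, "%s/%s", spath + 1, tpath);
        path = owned;
    }

    ret = path_matches(path, pattern) ? 1 : 0;
    free(owned);
    return ret;
}

int main(void)
{
    /* Constructed inputs: a non-root mount path triggers the allocation,
     * a root mount path ("/") takes the no-allocation branch. */
    printf("flag style:  /mnt + foo vs mnt/foo -> %d\n",
           match_flag_style("/mnt", "foo", "mnt/foo"));
    printf("owned style: /    + foo vs foo     -> %d\n",
           match_owned_style("/", "foo", "foo"));
    return 0;
}
```

Both variants give identical results; the difference is that in variant B no reviewer has to trace which assignments to the flag precede which call to free, because the variable being freed is never anything but NULL or a buffer this function allocated.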