Re: [PATCH 1/2] uio_hv_generic: Fix a memory leak in error handling paths

Wei Liu <wei.liu@xxxxxxxxxx> · Tue, 18 May 2021 11:01:22 +0000

Cc Long Li.

Long, Stephen suggested I check with you. Do you have any opinion?

Wei.

On Tue, May 11, 2021 at 09:52:27AM +0000, Wei Liu wrote:
> On Sun, May 09, 2021 at 09:13:03AM +0200, Christophe JAILLET wrote:
> > If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
> > updated and 'hv_uio_cleanup()' in the error handling path will not be
> > able to free the corresponding buffer.
> > 
> > In such a case, we need to free the buffer explicitly.
> > 
> > Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use")
> > Signed-off-by: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx>
> > ---
> > Before commit cdfa835c6e5e, the 'vfree' were done unconditionally
> > in 'hv_uio_cleanup()'.
> > So, another way for fixing the potential leak is to modify
> > 'hv_uio_cleanup()' and revert to the previous behavior.
> > 
> 
> I think this is cleaner.
> 
> Stephen, you authored cdfa835c6e5e. What do you think?
> 
> Christophe, OOI how did you discover these issues?
> 
> > I don't know the underlying reason for this change so I don't know which is
> > the best way to fix this error handling path. Unless there is a specific
> > reason, changing 'hv_uio_cleanup()' could be better because it would keep
> > the error handling path of the probe cleaner, IMHO.
> > ---
> >  drivers/uio/uio_hv_generic.c | 8 ++++++--
> >  1 file changed, 6 insertions(+), 2 deletions(-)
> > 
> > diff --git a/drivers/uio/uio_hv_generic.c b/drivers/uio/uio_hv_generic.c
> > index 0330ba99730e..eebc399f2cc7 100644
> > --- a/drivers/uio/uio_hv_generic.c
> > +++ b/drivers/uio/uio_hv_generic.c
> > @@ -296,8 +296,10 @@ hv_uio_probe(struct hv_device *dev,
> >  
> >  	ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
> >  				    RECV_BUFFER_SIZE, &pdata->recv_gpadl);
> > -	if (ret)
> > +	if (ret) {
> > +		vfree(pdata->recv_buf);
> >  		goto fail_close;
> > +	}
> >  
> >  	/* put Global Physical Address Label in name */
> >  	snprintf(pdata->recv_name, sizeof(pdata->recv_name),
> > @@ -316,8 +318,10 @@ hv_uio_probe(struct hv_device *dev,
> >  
> >  	ret = vmbus_establish_gpadl(channel, pdata->send_buf,
> >  				    SEND_BUFFER_SIZE, &pdata->send_gpadl);
> > -	if (ret)
> > +	if (ret) {
> > +		vfree(pdata->send_buf);
> >  		goto fail_close;
> > +	}
> >  
> >  	snprintf(pdata->send_name, sizeof(pdata->send_name),
> >  		 "send:%u", pdata->send_gpadl);
> > -- 
> > 2.30.2
> > 