Re: [PATCH] NFS: Fix memleak in nfs_sysfs_move_sb_to_server

Ido Schimmel <idosch@xxxxxxxxxx> · Wed, 12 Jul 2023 17:01:07 +0300

On Wed, Jul 12, 2023 at 09:48:53PM +0800, Wenchao Hao wrote:
> call kfree() to free memory allocated in kasprintf() to fix
> memleak. It's easy to recurrent this memleak, just mount and
> remount nfs at NFS client.
> 
> The bug is detected by kmemleak with following stack:
> unreferenced object 0xffffa31a91fdf2c0 (size 16):
>   comm "mount.nfs", pid 960, jiffies 4294724478 (age 111892.067s)
>   hex dump (first 16 bytes):
>     73 65 72 76 65 72 2d 30 00 f2 fd 91 1a a3 ff ff  server-0........
>   backtrace:
>     [<00000000de9b21a9>] create_object+0x11/0x17
>     [<00000000ed17aa96>] kmemleak_alloc+0x6c/0x7a
>     [<000000009f4acc69>] slab_post_alloc_hook.constprop.0+0x81/0x99
>     [<00000000d2446455>] __kmem_cache_alloc_node+0x10c/0x13a
>     [<00000000eca4a704>] __kmalloc_node_track_caller+0x83/0xb7
>     [<0000000076cdb22f>] kvasprintf+0x65/0xc3
>     [<00000000f6f2e879>] kasprintf+0x4e/0x69
>     [<00000000e49d03be>] nfs_sysfs_move_sb_to_server+0x24/0x5f
>     [<0000000039127597>] nfs_kill_super+0x25/0x49
>     [<00000000e6ecf809>] deactivate_locked_super+0x35/0x74
>     [<000000003b9c3350>] deactivate_super+0x3c/0x44
>     [<00000000777c86be>] cleanup_mnt+0x6c/0xe7
>     [<000000009f181749>] __cleanup_mnt+0x12/0x18
>     [<00000000a709602e>] task_work_run+0x75/0x8c
>     [<0000000075da06ba>] exit_to_user_mode_prepare+0x79/0x102
>     [<0000000093a53d48>] syscall_exit_to_user_mode+0x1c/0x30
> 
> Signed-off-by: Wenchao Hao <haowenchao2@xxxxxxxxxx>
> ---
>  fs/nfs/sysfs.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/nfs/sysfs.c b/fs/nfs/sysfs.c
> index acda8f033d30..bf378ecd5d9f 100644
> --- a/fs/nfs/sysfs.c
> +++ b/fs/nfs/sysfs.c
> @@ -345,8 +345,10 @@ void nfs_sysfs_move_sb_to_server(struct nfs_server *server)
>  	int ret = -ENOMEM;
>  
>  	s = kasprintf(GFP_KERNEL, "server-%d", server->s_sysfs_id);
> -	if (s)
> +	if (s) {
>  		ret = kobject_rename(&server->kobj, s);
> +		kfree(s);
> +	}
>  	if (ret < 0)
>  		pr_warn("NFS: rename sysfs %s failed (%d)\n",
>  					server->kobj.name, ret);

A fix was already posted:

https://lore.kernel.org/linux-nfs/6702796fee0365bf399800326bbe6c88e5f73f68.1689014440.git.bcodding@xxxxxxxxxx/