| Message ID | 20231201145048.2179969-1-wozizhi@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [-next] ksmbd: fix memory leak in smb2_lock() | expand |
2023-12-01 23:50 GMT+09:00, Zizhi Wo <wozizhi@huawei.com>: > In smb2_lock(), if setup_async_work() executes successfully, > work->cancel_argv will bind the argv that generated by kmalloc(). And > release_async_work() is called in ksmbd_conn_try_dequeue_request() or > smb2_lock() to release argv. > However, when setup_async_work function fails, work->cancel_argv has not > been bound to the argv, resulting in the previously allocated argv not > being released. Call kfree() to fix it. > > when setup_async_work fails, the code will go to the > "out" branch, resulting in the previously allocated "argv" not being > released. Call kfree() to fix it. > > Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") > Signed-off-by: Zizhi Wo <wozizhi@huawei.com> Acked-by: Namjae Jeon <linkinjeon@kernel.org> Applied it to #ksmbd-for-next-next . Thanks.
在 2023/12/2 11:54, Namjae Jeon 写道: > 2023-12-01 23:50 GMT+09:00, Zizhi Wo <wozizhi@huawei.com>: >> In smb2_lock(), if setup_async_work() executes successfully, >> work->cancel_argv will bind the argv that generated by kmalloc(). And >> release_async_work() is called in ksmbd_conn_try_dequeue_request() or >> smb2_lock() to release argv. >> However, when setup_async_work function fails, work->cancel_argv has not >> been bound to the argv, resulting in the previously allocated argv not >> being released. Call kfree() to fix it. >> >> when setup_async_work fails, the code will go to the >> "out" branch, resulting in the previously allocated "argv" not being >> released. Call kfree() to fix it. >> >> Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") >> Signed-off-by: Zizhi Wo <wozizhi@huawei.com> > Acked-by: Namjae Jeon <linkinjeon@kernel.org> > > Applied it to #ksmbd-for-next-next . > Thanks. Thanks, but I found a redundant paragraph in my commit message, and I will send version V2 to fix it.
diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 658209839729..67cbeb713f70 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -7078,6 +7078,7 @@ int smb2_lock(struct ksmbd_work *work) smb2_remove_blocked_lock, argv); if (rc) { + kfree(argv); err = -ENOMEM; goto out; }
In smb2_lock(), if setup_async_work() executes successfully, work->cancel_argv will bind the argv that generated by kmalloc(). And release_async_work() is called in ksmbd_conn_try_dequeue_request() or smb2_lock() to release argv. However, when setup_async_work function fails, work->cancel_argv has not been bound to the argv, resulting in the previously allocated argv not being released. Call kfree() to fix it. when setup_async_work fails, the code will go to the "out" branch, resulting in the previously allocated "argv" not being released. Call kfree() to fix it. Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Zizhi Wo <wozizhi@huawei.com> --- fs/smb/server/smb2pdu.c | 1 + 1 file changed, 1 insertion(+)