From patchwork Mon Jun 18 17:18:25 2018
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 10472375
References: <20180618130737.GA13880@embeddedor.com>
From: Steve French
Date: Mon, 18 Jun 2018 12:18:25 -0500
Subject: Re: [smb3] unreachable code and memory leaks
To: "Gustavo A. R. Silva"
Cc: Steve French, CIFS, samba-technical, LKML
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-cifs@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Gustavo,

Thx for pointing this out. Let me know if this patch addresses what
you found. Code is experimental mount option but extremely important
to get right due to move away from SMB1/CIFS which had posix
extensions.

On Mon, Jun 18, 2018 at 11:55 AM, Steve French wrote:
> On Mon, Jun 18, 2018 at 8:07 AM, Gustavo A. R. Silva
> wrote:
>> Hi Steve,
>>
>> While doing some static analysis I came across the following piece of code at fs/cifs/smb2pdu.c:2017:
>>
>> 2017         if (n_iov > 2) {
>> 2018                 struct create_context *ccontext =
>> 2019                         (struct create_context *)iov[n_iov-1].iov_base;
>> 2020                 ccontext->Next =
>> 2021                         cpu_to_le32(iov[n_iov-1].iov_len);
>> 2022         }
>
> Good catch - this is harmless (and experimental mount option) - cut
> and paste - unneeded clause.
> Fixing now
>
>
>> Also, it seems there are multiple places in which memory allocated for *path* is leaking:
>>
>> 1946         else
>> 1947                 return -EIO;
>>
>> 1951         if (rc)
>> 1952                 return rc;
>>
>> 1987         if (rc) {
>> 1988                 cifs_small_buf_release(req);
>> 1989                 return rc;
>> 1990         }
>
> Cleaning that up now. Will post a patch - thx.
>
>
> --
> Thanks,
>
> Steve

Reviewed-by: Gustavo A. R. Silva

From 0f4e3dec1c362119851aa2049ff23d1971b4e4a8 Mon Sep 17 00:00:00 2001
From: Steve French
Date: Mon, 18 Jun 2018 12:02:47 -0500
Subject: [PATCH] smb3: fix memory leak in smb311_posix_mkdir

Signed-off-by: Steve French
Reported-by: Gustavo A. R. Silva
Reviewed-by: Aurelien Aptel
---
 fs/cifs/smb2pdu.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c index 810b85787c91..b0498cadb952 100644 --- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c @@ -1943,13 +1943,17 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode, if (ses && (ses->server)) server = ses->server; - else + else { + kfree(path); return -EIO; + } rc = smb2_plain_req_init(SMB2_CREATE, tcon, (void **) &req, &total_len); - if (rc) + if (rc) { + kfree(path); return rc; + } if (smb3_encryption_required(tcon)) flags |= CIFS_TRANSFORM_REQ; @@ -1986,6 +1990,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode, tcon->treeName, path); if (rc) { cifs_small_buf_release(req); + kfree(path); return rc; } req->NameLength = cpu_to_le16(name_len * 2); @@ -2000,6 +2005,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode, copy_path = kzalloc(copy_size, GFP_KERNEL); if (!copy_path) { cifs_small_buf_release(req); + kfree(path); return -ENOMEM; } memcpy((char *)copy_path, (const char *)path, @@ -2014,17 +2020,11 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode, req->RequestedOplockLevel = SMB2_OPLOCK_LEVEL_NONE; if (tcon->posix_extensions) { - if (n_iov > 2) { - struct create_context *ccontext = - (struct create_context *)iov[n_iov-1].iov_base; - ccontext->Next = - cpu_to_le32(iov[n_iov-1].iov_len); - } - rc = add_posix_context(iov, &n_iov, mode); if (rc) { cifs_small_buf_release(req); kfree(copy_path); + kfree(path); return rc; } pc_buf = iov[n_iov-1].iov_base; @@ -2057,6 +2057,7 @@ int smb311_posix_mkdir(const unsigned int xid, struct inode *inode, smb311_mkdir_exit: kfree(copy_path); + kfree(path); kfree(pc_buf); free_rsp_buf(resp_buftype, rsp); return rc; -- 2.17.1
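
Review bot: kfree(path) is now repeated before five separate return statements (two in the @@ -1943 hunk, one each in @@ -1986, @@ -2000 and @@ -2014) and again at smb311_mkdir_exit in the @@ -2057 hunk, so the next error return added to smb311_posix_mkdir() can reintroduce the leak that was reported. Consider setting rc and jumping to a single cleanup label that frees path, either smb311_mkdir_exit itself or a second label placed before it. The hunks do not show whether copy_path, pc_buf, rsp and resp_buftype are initialized at the first two returns, so reusing smb311_mkdir_exit there needs that confirmed first: kfree(NULL) is a no-op, but free_rsp_buf(resp_buftype, rsp) is only safe with initialized arguments.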
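
Review bot: the removal of the if (n_iov > 2) block in the @@ -2014 hunk, which set ccontext->Next on the last iov entry before the call to add_posix_context(), is not a leak fix and is not mentioned in the commit message, which consists only of the subject "smb3: fix memory leak in smb311_posix_mkdir". Either split it into its own commit or add a line to the message stating that the clause is an unneeded cut-and-paste leftover, as described in the thread, so the change to create-context chaining can be traced from the log.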