From 086354a5119f2c9b7f2bb48a497b4d89f79bc97b Mon Sep 17 00:00:00 2001 From: Xiyu Yang Date: Sat, 25 Apr 2020 20:52:26 +0800 Subject: [PATCH 1/2] configfs: fix config_item refcnt leak in configfs_rmdir() stable inclusion from stable-v4.19.125~60 commit 96fc3559de8d439a2f5032993442b55869f0c05c category: task bugzilla: https://gitee.com/openeuler/kernel/issues/I5YY81 CVE: NA -------------------------------- [ Upstream commit 8aebfffacfa379ba400da573a5bf9e49634e38cb ] configfs_rmdir() invokes configfs_get_config_item(), which returns a reference of the specified config_item object to "parent_item" with increased refcnt. When configfs_rmdir() returns, local variable "parent_item" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of configfs_rmdir(). When down_write_killable() fails, the function forgets to decrease the refcnt increased by configfs_get_config_item(), causing a refcnt leak. Fix this issue by calling config_item_put() when down_write_killable() fails. Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin Signed-off-by: Xibo.Wang --- fs/configfs/dir.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index 687735be3cd4..64d009e29a13 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -1517,6 +1517,7 @@ static int configfs_rmdir(struct inode *dir, struct dentry *dentry) spin_lock(&configfs_dirent_lock); configfs_detach_rollback(dentry); spin_unlock(&configfs_dirent_lock); + config_item_put(parent_item); return -EINTR; } frag->frag_dead = true; -- Gitee From 6fdd5482ab9bf80f34d36e4fef174a07cb2b9e37 Mon Sep 17 00:00:00 2001 From: Chung-Chiang Cheng Date: Fri, 18 Jun 2021 15:59:25 +0800 Subject: [PATCH 2/2] configfs: fix memleak in configfs_release_bin_file stable inclusion from stable-v4.19.198~206 commit 01b00e46253151d58a7db8ca3e1502ec1945a8d0 category: task bugzilla: https://gitee.com/openeuler/kernel/issues/I5YY81 CVE: NA -------------------------------- [ Upstream commit 3c252b087de08d3cb32468b54a158bd7ad0ae2f7 ] When reading binary attributes in progress, buffer->bin_buffer is setup in configfs_read_bin_file() but never freed. Fixes: 03607ace807b4 ("configfs: implement binary attributes") Signed-off-by: Chung-Chiang Cheng [hch: move the vfree rather than duplicating it] Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin Signed-off-by: Xibo.Wang --- fs/configfs/file.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/fs/configfs/file.c b/fs/configfs/file.c index 50b7c4c4310e..38eb80e29715 100644 --- a/fs/configfs/file.c +++ b/fs/configfs/file.c @@ -496,13 +496,13 @@ static int configfs_release_bin_file(struct inode *inode, struct file *file) buffer->bin_buffer_size); } up_read(&frag->frag_sem); - /* vfree on NULL is safe */ - vfree(buffer->bin_buffer); - buffer->bin_buffer = NULL; - buffer->bin_buffer_size = 0; - buffer->needs_read_fill = 1; } + vfree(buffer->bin_buffer); + buffer->bin_buffer = NULL; + buffer->bin_buffer_size = 0; + buffer->needs_read_fill = 1; + configfs_release(inode, file); return 0; } -- Gitee