projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a552e2e)
bpf: Preserve param->string when parsing mount options
authorHou Tao <houtao1@huawei.com>
Tue, 22 Oct 2024 13:01:33 +0000 (21:01 +0800)
committerAndrii Nakryiko <andrii@kernel.org>
Tue, 22 Oct 2024 19:56:38 +0000 (12:56 -0700)
In bpf_parse_param(), keep the value of param->string intact so it can
be freed later. Otherwise, the kmalloc area pointed to by param->string
will be leaked as shown below:

unreferenced object 0xffff888118c46d20 (size 8):
  comm "new_name", pid 12109, jiffies 4295580214
  hex dump (first 8 bytes):
    61 6e 79 00 38 c9 5c 7e                          any.8.\~
  backtrace (crc e1b7f876):
    [<00000000c6848ac7>] kmemleak_alloc+0x4b/0x80
    [<00000000de9f7d00>] __kmalloc_node_track_caller_noprof+0x36e/0x4a0
    [<000000003e29b886>] memdup_user+0x32/0xa0
    [<0000000007248326>] strndup_user+0x46/0x60
    [<0000000035b3dd29>] __x64_sys_fsconfig+0x368/0x3d0
    [<0000000018657927>] x64_sys_call+0xff/0x9f0
    [<00000000c0cabc95>] do_syscall_64+0x3b/0xc0
    [<000000002f331597>] entry_SYSCALL_64_after_hwframe+0x4b/0x53

Fixes: 6c1752e0b6ca ("bpf: Support symbolic BPF FS delegation mount options")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Link: https://lore.kernel.org/bpf/20241022130133.3798232-1-houtao@huaweicloud.com
kernel/bpf/inode.c patch | blob | history

diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index d8fc5eb..9aaf512 100644 (file)
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -880,7 +880,7 @@ static int bpf_parse_param(struct fs_context *fc, struct fs_parameter *param)
                const struct btf_type *enum_t;
                const char *enum_pfx;
                u64 *delegate_msk, msk = 0;
-               char *p;
+               char *p, *str;
                int val;
 
                /* ignore errors, fallback to hex */
@@ -911,7 +911,8 @@ static int bpf_parse_param(struct fs_context *fc, struct fs_parameter *param)
                        return -EINVAL;
                }
 
-               while ((p = strsep(&param->string, ":"))) {
+               str = param->string;
+               while ((p = strsep(&str, ":"))) {
                        if (strcmp(p, "any") == 0) {
                                msk |= ~0ULL;
                        } else if (find_btf_enum_const(info.btf, enum_t, enum_pfx, p, &val)) {
MicroBlaze GIT Repository