Re: [PATCH] afs: Fix memory leak in afs_put_sysnames()

From: David Howells
Date: Mon Jun 01 2020 - 08:31:37 EST


Zhihao Cheng <chengzhihao1@xxxxxxxxxx> wrote:

> sysnames should be freed after refcnt being decreased to zero in
> afs_put_sysnames().

Good catch.

> Besides, it would be better set net->sysnames to 'NULL' after net->sysnames
> being released if afs_put_sysnames() aims on an afs_sysnames object.

Why? We don't normally clear pointers when cleaning up a struct - and of the
two places this is relevant, in one we fail to set up a namespace and in the
other we're tearing down a namespace. In neither case should the pointer be
accessed again.

> @@ -894,7 +894,7 @@ static struct dentry *afs_lookup_atsys(struct inode *dir, struct dentry *dentry,
> */
> ret = NULL;
> out_s:
> - afs_put_sysnames(subs);
> + afs_put_sysnames_and_null(net);

This is definitely wrong. We obtained a ref 23 lines above and dropped the
lock:

read_lock(&net->sysnames_lock);
subs = net->sysnames;
refcount_inc(&subs->usage);
read_unlock(&net->sysnames_lock);

We are dropping *that* ref, not the one in the struct.

Just adding the missing kfree() call into afs_put_sysnames() should suffice,
thanks.

David