aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRusty Russell <rusty@rustcorp.com.au>2009-10-29 10:56:16 -0400
committerRusty Russell <rusty@rustcorp.com.au>2009-10-28 18:26:17 -0400
commit65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef (patch)
tree544c1e9192d8e47f1d1b1d54e36365f393ec7be0
parent964fe080d94db82a3268443e9b9ece4c60246414 (diff)
param: fix lots of bugs with writing charp params from sysfs, by leaking mem.
e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case where charp parameters written via sysfs were freed, leaving drivers accessing random memory. Unfortunately, storing a flag in the kparam struct was a bad idea: it's rodata so setting it causes an oops on some archs. But that's not all: 1) module_param_array() on charp doesn't work reliably, since we use an uninitialized temporary struct kernel_param. 2) there's a fundamental race if a module uses this parameter and then it's changed: they will still access the old, freed, memory. The simplest fix (ie. for 2.6.32) is to never free the memory. This prevents all these problems, at cost of a memory leak. In practice, there are only 18 places where a charp is writable via sysfs, and all are root-only writable. Reported-by: Takashi Iwai <tiwai@suse.de> Cc: Sitsofe Wheeler <sitsofe@yahoo.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: Christof Schmitt <christof.schmitt@de.ibm.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Cc: stable@kernel.org
-rw-r--r--include/linux/moduleparam.h1
-rw-r--r--kernel/params.c10
2 files changed, 1 insertions, 10 deletions
diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
index 6547c3cdbc4c..82a9124f7d75 100644
--- a/include/linux/moduleparam.h
+++ b/include/linux/moduleparam.h
@@ -37,7 +37,6 @@ typedef int (*param_set_fn)(const char *val, struct kernel_param *kp);
37typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp); 37typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp);
38 38
39/* Flag bits for kernel_param.flags */ 39/* Flag bits for kernel_param.flags */
40#define KPARAM_KMALLOCED 1
41#define KPARAM_ISBOOL 2 40#define KPARAM_ISBOOL 2
42 41
43struct kernel_param { 42struct kernel_param {
diff --git a/kernel/params.c b/kernel/params.c
index 9da58eabdcb2..95ef27cf8e82 100644
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -218,13 +218,9 @@ int param_set_charp(const char *val, struct kernel_param *kp)
218 return -ENOSPC; 218 return -ENOSPC;
219 } 219 }
220 220
221 if (kp->flags & KPARAM_KMALLOCED)
222 kfree(*(char **)kp->arg);
223
224 /* This is a hack. We can't need to strdup in early boot, and we 221 /* This is a hack. We can't need to strdup in early boot, and we
225 * don't need to; this mangled commandline is preserved. */ 222 * don't need to; this mangled commandline is preserved. */
226 if (slab_is_available()) { 223 if (slab_is_available()) {
227 kp->flags |= KPARAM_KMALLOCED;
228 *(char **)kp->arg = kstrdup(val, GFP_KERNEL); 224 *(char **)kp->arg = kstrdup(val, GFP_KERNEL);
229 if (!kp->arg) 225 if (!kp->arg)
230 return -ENOMEM; 226 return -ENOMEM;
@@ -605,11 +601,7 @@ void module_param_sysfs_remove(struct module *mod)
605 601
606void destroy_params(const struct kernel_param *params, unsigned num) 602void destroy_params(const struct kernel_param *params, unsigned num)
607{ 603{
608 unsigned int i; 604 /* FIXME: This should free kmalloced charp parameters. It doesn't. */
609
610 for (i = 0; i < num; i++)
611 if (params[i].flags & KPARAM_KMALLOCED)
612 kfree(*(char **)params[i].arg);
613} 605}
614 606
615static void __init kernel_add_sysfs_param(const char *name, 607static void __init kernel_add_sysfs_param(const char *name,