diff options
author | Rusty Russell <rusty@rustcorp.com.au> | 2009-10-29 10:56:16 -0400 |
---|---|---|
committer | Rusty Russell <rusty@rustcorp.com.au> | 2009-10-28 18:26:17 -0400 |
commit | 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef (patch) | |
tree | 544c1e9192d8e47f1d1b1d54e36365f393ec7be0 /kernel | |
parent | 964fe080d94db82a3268443e9b9ece4c60246414 (diff) |
param: fix lots of bugs with writing charp params from sysfs, by leaking mem.
e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case
where charp parameters written via sysfs were freed, leaving drivers
accessing random memory.
Unfortunately, storing a flag in the kparam struct was a bad idea: it's
rodata so setting it causes an oops on some archs. But that's not all:
1) module_param_array() on charp doesn't work reliably, since we use an
uninitialized temporary struct kernel_param.
2) there's a fundamental race if a module uses this parameter and then
it's changed: they will still access the old, freed, memory.
The simplest fix (ie. for 2.6.32) is to never free the memory. This
prevents all these problems, at cost of a memory leak. In practice, there
are only 18 places where a charp is writable via sysfs, and all are
root-only writable.
Reported-by: Takashi Iwai <tiwai@suse.de>
Cc: Sitsofe Wheeler <sitsofe@yahoo.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/params.c | 10 |
1 files changed, 1 insertions, 9 deletions
diff --git a/kernel/params.c b/kernel/params.c index 9da58eabdcb2..95ef27cf8e82 100644 --- a/kernel/params.c +++ b/kernel/params.c | |||
@@ -218,13 +218,9 @@ int param_set_charp(const char *val, struct kernel_param *kp) | |||
218 | return -ENOSPC; | 218 | return -ENOSPC; |
219 | } | 219 | } |
220 | 220 | ||
221 | if (kp->flags & KPARAM_KMALLOCED) | ||
222 | kfree(*(char **)kp->arg); | ||
223 | |||
224 | /* This is a hack. We can't need to strdup in early boot, and we | 221 | /* This is a hack. We can't need to strdup in early boot, and we |
225 | * don't need to; this mangled commandline is preserved. */ | 222 | * don't need to; this mangled commandline is preserved. */ |
226 | if (slab_is_available()) { | 223 | if (slab_is_available()) { |
227 | kp->flags |= KPARAM_KMALLOCED; | ||
228 | *(char **)kp->arg = kstrdup(val, GFP_KERNEL); | 224 | *(char **)kp->arg = kstrdup(val, GFP_KERNEL); |
229 | if (!kp->arg) | 225 | if (!kp->arg) |
230 | return -ENOMEM; | 226 | return -ENOMEM; |
@@ -605,11 +601,7 @@ void module_param_sysfs_remove(struct module *mod) | |||
605 | 601 | ||
606 | void destroy_params(const struct kernel_param *params, unsigned num) | 602 | void destroy_params(const struct kernel_param *params, unsigned num) |
607 | { | 603 | { |
608 | unsigned int i; | 604 | /* FIXME: This should free kmalloced charp parameters. It doesn't. */ |
609 | |||
610 | for (i = 0; i < num; i++) | ||
611 | if (params[i].flags & KPARAM_KMALLOCED) | ||
612 | kfree(*(char **)params[i].arg); | ||
613 | } | 605 | } |
614 | 606 | ||
615 | static void __init kernel_add_sysfs_param(const char *name, | 607 | static void __init kernel_add_sysfs_param(const char *name, |