s390/mm: Fix memory leak in add_marker() when kvrealloc() fails

The function has a memory leak when kvrealloc() fails.
The function directly assigns NULL to the markers pointer, losing the
reference to the previously allocated memory. This causes kvfree() in
pt_dump_init() to free NULL instead of the leaked memory.

Fix by:
1. Using kvrealloc() uniformly for all allocations
2. Using a temporary variable to preserve the original pointer until
allocation succeeds
3. Removing the error path that sets markers_cnt=0 to keep
consistency between markers and markers_cnt

Found via static analysis and this is similar to commit 42378a9ca553
("bpf, verifier: Fix memory leak in array reallocation for stack state")

Fixes: d0e7915d2ad3 ("s390/mm/ptdump: Generate address marker array dynamically")
Cc: stable@vger.kernel.org
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

authored by Miaoqian Lin and committed by Heiko Carstens 07ad45e0 b45873c3

+7 -12
arch/s390/mm/dump_pagetables.c
··· 291 291 292 292 static int add_marker(unsigned long start, unsigned long end, const char *name) 293 293 { 294 - size_t oldsize, newsize; 294 + struct addr_marker *new; 295 + size_t newsize; 295 296 296 - oldsize = markers_cnt * sizeof(*markers); 297 - newsize = oldsize + 2 * sizeof(*markers); 298 - if (!oldsize) 299 - markers = kvmalloc(newsize, GFP_KERNEL); 300 - else 301 - markers = kvrealloc(markers, newsize, GFP_KERNEL); 302 - if (!markers) 303 - goto error; 297 + newsize = (markers_cnt + 2) * sizeof(*markers); 298 + new = kvrealloc(markers, newsize, GFP_KERNEL); 299 + if (!new) 300 + return -ENOMEM; 301 + markers = new; 304 302 markers[markers_cnt].is_start = 1; 305 303 markers[markers_cnt].start_address = start; 306 304 markers[markers_cnt].size = end - start; ··· 310 312 markers[markers_cnt].name = name; 311 313 markers_cnt++; 312 314 return 0; 313 - error: 314 - markers_cnt = 0; 315 - return -ENOMEM; 316 315 } 317 316 318 317 static int pt_dump_init(void)
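Review bot: In the first hunk, the initial call now reaches `kvrealloc(markers, newsize, GFP_KERNEL)` with whatever `markers` holds before any marker exists, because the `if (!oldsize)` / `kvmalloc()` branch is gone. That is only correct if `markers` starts out NULL and `kvrealloc()` treats a NULL pointer as a plain allocation; neither is visible in these lines, so a one-line comment above the call, or a sentence in the commit message, stating that assumption would help anyone backporting this to stable. Separately, `(markers_cnt + 2) * sizeof(*markers)` is an unchecked multiplication; the count is small in practice, but `array_size(markers_cnt + 2, sizeof(*markers))` would make the size computation overflow-safe at no cost.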
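Review bot: In the second hunk, dropping the `error:` label means a failed call leaves `markers` and `markers_cnt` describing the entries added so far, so correctness now rests on every caller checking the return value and stopping before the partially built array is used. The call sites are not part of this diff; it would be worth confirming that each `add_marker()` call in `pt_dump_init()` propagates `-ENOMEM` to the path that does the `kvfree()` mentioned in the commit message, and saying so in the changelog.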