ubifs: Fix memory leak of bud->log_hash

Ensure that the allocated bud->log_hash (if any) is freed in all cases when the bud itself is freed, to fix this leak caught by kmemleak: # keyctl add logon foo:bar data @s # echo clear > /sys/kernel/debug/kmemleak # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar # echo a > mnt/x # umount mnt # mount -t ubifs /dev/ubi0_0 mnt -o auth_hash_name=sha256,auth_key=foo:bar # umount mnt # sleep 5 # echo scan > /sys/kernel/debug/kmemleak # echo scan > /sys/kernel/debug/kmemleak # cat /sys/kernel/debug/kmemleak unreferenced object 0xff... (size 128): comm "mount" backtrace: __kmalloc __ubifs_hash_get_desc+0x5d/0xe0 ubifs ubifs_replay_journal ubifs_mount ... Fixes: da8ef65 ("ubifs: Authenticate replayed journal") Signed-off-by: Vincent Whitchurch <[email protected]> Reviewed-by: Zhihao Cheng <[email protected]> Signed-off-by: Richard Weinberger <[email protected]>
wafgo · Oct 28, 2023 · f4a04c9 · f4a04c9
1 parent 48ec632
commit f4a04c9
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
@@ -923,8 +923,10 @@ static void free_buds(struct ubifs_info *c)
 {
 	struct ubifs_bud *bud, *n;
 
-	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb)
+	rbtree_postorder_for_each_entry_safe(bud, n, &c->buds, rb) {
+		kfree(bud->log_hash);
 		kfree(bud);
+	}
 }
 
 /**
@@ -1193,6 +1195,7 @@ static void destroy_journal(struct ubifs_info *c)
 
 		bud = list_entry(c->old_buds.next, struct ubifs_bud, list);
 		list_del(&bud->list);
+		kfree(bud->log_hash);
 		kfree(bud);
 	}
 	ubifs_destroy_idx_gc(c);