kmod: fix resource leak in call_usermodehelper_pipe()

Fix resource (write-pipe file) leak in call_usermodehelper_pipe(). When call_usermodehelper_exec() fails, write-pipe file is opened and call_usermodehelper_pipe() just returns an error. Since it is hard for caller to determine whether the error occured when opening the pipe or executing the helper, the caller cannot close the pipe by themselves. I've found this resoruce leak when testing coredump. You can check how the resource leaks as below; $ echo "|nocommand" > /proc/sys/kernel/core_pattern $ ulimit -c unlimited $ while [ 1 ]; do ./segv; done &> /dev/null & $ cat /proc/meminfo (<- repeat it) where segv.c is; //----- int main () { char *p = 0; *p = 1; } //----- This patch closes write-pipe file if call_usermodehelper_exec() failed. Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kmod: fix resource leak in call_usermodehelper_pipe()
Fix resource (write-pipe file) leak in call_usermodehelper_pipe(). When call_usermodehelper_exec() fails, write-pipe file is opened and call_usermodehelper_pipe() just returns an error. Since it is hard for caller to determine whether the error occured when opening the pipe or executing the helper, the caller cannot close the pipe by themselves. I've found this resoruce leak when testing coredump. You can check how the resource leaks as below; $ echo "|nocommand" > /proc/sys/kernel/core_pattern $ ulimit -c unlimited $ while [ 1 ]; do ./segv; done &> /dev/null & $ cat /proc/meminfo (<- repeat it) where segv.c is; //----- int main () { char *p = 0; *p = 1; } //----- This patch closes write-pipe file if call_usermodehelper_exec() failed. Signed-off-by: Masami Hiramatsu <mhiramat@redhat.com> Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Masami Hiramatsu · Linus Torvalds
1 parent 42d53b4ff7
Showing 1 changed file with 7 additions and 5 deletions Side-by-side Diff
kernel/kmod.c
@@ -520,13 +520,15 @@
 		return -ENOMEM;
  
 	ret = call_usermodehelper_stdinpipe(sub_info, filp);
-	if (ret < 0)
-		goto out;
+	if (ret < 0) {
+		call_usermodehelper_freeinfo(sub_info);
+		return ret;
+	}
  
-	return call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
+	ret = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
+	if (ret < 0)	/* Failed to execute helper, close pipe */
+		filp_close(*filp, NULL);
  
-  out:
-	call_usermodehelper_freeinfo(sub_info);
 	return ret;
 }
 EXPORT_SYMBOL(call_usermodehelper_pipe);
...	...	@@ -520,13 +520,15 @@
520	520	return -ENOMEM;
521	521
522	522	ret = call_usermodehelper_stdinpipe(sub_info, filp);
523		- if (ret < 0)
524		- goto out;
	523	+ if (ret < 0) {
	524	+ call_usermodehelper_freeinfo(sub_info);
	525	+ return ret;
	526	+ }
525	527
526		- return call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
	528	+ ret = call_usermodehelper_exec(sub_info, UMH_WAIT_EXEC);
	529	+ if (ret < 0) /* Failed to execute helper, close pipe */
	530	+ filp_close(*filp, NULL);
527	531
528		- out:
529		- call_usermodehelper_freeinfo(sub_info);
530	532	return ret;
531	533	}
532	534	EXPORT_SYMBOL(call_usermodehelper_pipe);