author | Chunwei Chen <[email protected]> | 2016-05-27 15:44:52 -0700 |
---|---|---|
committer | Brian Behlendorf <[email protected]> | 2016-05-31 16:04:26 -0700 |
commit | 06ee0031a6d658bbf4ab953070ff4cdf4af64496 (patch) | |
tree | 57b809c411dbba1817d9009201ed7fe2c1122390 | |
parent | 540c39279322cb278ad45840f260fe4b92c3c8b7 (diff) |
Fix memleak in zpl_parse_options

strsep() will advance tmp_mntopts, and will change it to NULL on the last
iteration. This will cause strfree(tmp_mntopts) to not free anything.

unreferenced object 0xffff8800883976c0 (size 64):
comm "mount.zfs", pid 3361, jiffies 4294931877 (age 1482.408s)
hex dump (first 32 bytes):
72 77 00 73 74 72 69 63 74 61 74 69 6d 65 00 7a rw.strictatime.z
66 73 75 74 69 6c 00 6d 6e 74 70 6f 69 6e 74 3d fsutil.mntpoint=
backtrace:
[<ffffffff81810c4e>] kmemleak_alloc+0x4e/0xb0
[<ffffffff811f9cac>] __kmalloc+0x16c/0x250
[<ffffffffc065ce9b>] strdup+0x3b/0x60 [spl]
[<ffffffffc080fad6>] zpl_parse_options+0x56/0x300 [zfs]
[<ffffffffc080fe46>] zpl_mount+0x36/0x80 [zfs]
[<ffffffff81222dc8>] mount_fs+0x38/0x160
[<ffffffff81240097>] vfs_kern_mount+0x67/0x110
[<ffffffff812428e0>] do_mount+0x250/0xe20
[<ffffffff812437d5>] SyS_mount+0x95/0xe0
[<ffffffff8181aff6>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[<ffffffffffffffff>] 0xffffffffffffffff
Signed-off-by: Chunwei Chen <[email protected]>
Signed-off-by: Tony Hutter <[email protected]>
Signed-off-by: Brian Behlendorf <[email protected]>
Closes #4706
Issue #4708
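
The strsep() behaviour described in the commit message, reproduced as an added user-space example (not code from the ZFS tree). `dup_tracked`, `free_tracked`, `live_allocs`, `parse_leaky` and `parse_fixed` are hypothetical names, and the option string is constructed, modelled on the hex dump above.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strsep() is a BSD/glibc extension; declared here in case strict ISO mode hides it. */
char *(strsep)(char **, const char *);

static int live_allocs; /* buffers handed out by dup_tracked() and not yet freed */

/* Hypothetical stand-ins for the kernel strdup()/strfree() that count live buffers. */
static char *dup_tracked(const char *s) {
    size_t n = strlen(s) + 1;
    char *c = malloc(n);
    if (c) { memcpy(c, s, n); live_allocs++; }
    return c;
}
static void free_tracked(char *p) {
    if (p) { free(p); live_allocs--; } /* NULL argument: nothing is released */
}

/* Pre-fix pattern: strsep() consumes the only pointer to the buffer. */
int parse_leaky(const char *opts) {
    char *tmp = dup_tracked(opts), *p;
    int n = 0;
    while ((p = strsep(&tmp, ",")) != NULL)
        if (*p) n++;                   /* skip empty tokens, count the rest */
    free_tracked(tmp);                 /* tmp is NULL here, so the copy leaks */
    return n;
}

/* Fixed pattern: a separate cursor is advanced, tmp still owns the buffer. */
int parse_fixed(const char *opts) {
    char *tmp, *cursor, *p;
    int n = 0;
    cursor = tmp = dup_tracked(opts);
    while ((p = strsep(&cursor, ",")) != NULL)
        if (*p) n++;
    free_tracked(tmp);                 /* original pointer, buffer is released */
    return n;
}

int main(void) {
    const char *opts = "rw,strictatime,zfsutil,mntpoint=/constructed"; /* constructed sample */
    int n = parse_leaky(opts);
    printf("leaky: %d tokens, %d live buffer(s)\n", n, live_allocs);
    n = parse_fixed(opts);
    printf("fixed: %d tokens, %d live buffer(s)\n", n, live_allocs);
    return 0;
}
```
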
-rw-r--r-- | module/zfs/zpl_super.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/module/zfs/zpl_super.c b/module/zfs/zpl_super.c index bcdbbd69e..91c36c9e3 100644 --- a/module/zfs/zpl_super.c +++ b/module/zfs/zpl_super.c @@ -336,12 +336,12 @@ zpl_parse_options(char *osname, char *mntopts, zfs_mntopts_t *zmo, if (mntopts) { substring_t args[MAX_OPT_ARGS]; - char *tmp_mntopts, *p; + char *tmp_mntopts, *p, *t; int token; - tmp_mntopts = strdup(mntopts); + t = tmp_mntopts = strdup(mntopts); - while ((p = strsep(&tmp_mntopts, ",")) != NULL) { + while ((p = strsep(&t, ",")) != NULL) { if (!*p) continue; |
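
Review bot: The declaration `char *tmp_mntopts, *p, *t;` adds a cursor whose one-letter name gives no hint that it is the pointer strsep() consumes while tmp_mntopts has to stay untouched for the later free. A name such as `cursor`, plus a one-line comment at `t = tmp_mntopts = strdup(mntopts);`, would keep a later cleanup from folding the loop back into `strsep(&tmp_mntopts, ",")`. The hunk stops at `continue;` and shows neither the rest of the loop body nor the strfree() call, so it is worth confirming in the full function that every exit from the loop frees tmp_mntopts and not `t`.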