Commit 42cb8653 authored Jan 03, 2025 by Masahiro Yamada Committed by Wentao Guan Mar 25, 2025

genksyms: fix memory leak when the same symbol is read from *.symref file

stable inclusion
from stable-v6.6.76
commit 4517f37bf54e2e790bcff4c4aec25c4f6c5dd8d2
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBW08Q

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4517f37bf54e2e790bcff4c4aec25c4f6c5dd8d2



--------------------------------

[ Upstream commit be2fa44b5180a1f021efb40c55fdf63c249c3209 ]

When a symbol that is already registered is read again from *.symref
file, __add_symbol() removes the previous one from the hash table without
freeing it.

[Test Case]

  $ cat foo.c
  #include <linux/export.h>
  void foo(void);
  void foo(void) {}
  EXPORT_SYMBOL(foo);

  $ cat foo.symref
  foo void foo ( void )
  foo void foo ( void )

When a symbol is removed from the hash table, it must be freed along
with its ->name and ->defn members. However, sym->name cannot be freed
because it is sometimes shared with node->string, but not always. If
sym->name and node->string share the same memory, free(sym->name) could
lead to a double-free bug.

To resolve this issue, always assign a strdup'ed string to sym->name.

Fixes: 64e6c1e1 ("genksyms: track symbol checksum changes")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4517f37bf54e2e790bcff4c4aec25c4f6c5dd8d2)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

parent a6999e37

scripts/genksyms/genksyms.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -274,11 +274,15 @@ static struct symbol __add_symbol(const char name, enum symbol_type type,
		break;
		}
		}

		free_list(sym->defn, NULL);
		free(sym->name);
		free(sym);
		--nsyms;
		}

		sym = xmalloc(sizeof(*sym));
		sym->name = name;
		sym->name = xstrdup(name);
		sym->type = type;
		sym->defn = defn;
		sym->expansion_trail = NULL;
		@@ -485,7 +489,7 @@ static void read_reference(FILE *f)
		defn = def;
		def = read_node(f);
		}
		subsym = add_reference_symbol(xstrdup(sym->string), sym->tag,
		subsym = add_reference_symbol(sym->string, sym->tag,
		defn, is_extern);
		subsym->is_override = is_override;
		free_node(sym);

scripts/genksyms/genksyms.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -32,7 +32,7 @@ struct string_list {

		struct symbol {
		struct symbol *hash_next;
		const char *name;
		char *name;
		enum symbol_type type;
		struct string_list *defn;
		struct symbol *expansion_trail;

scripts/genksyms/parse.y

+2 −2

Original line number	Diff line number	Diff line
		@@ -482,12 +482,12 @@ enumerator_list:
		enumerator:
		IDENT
		{
		const char name = strdup(($1)->string);
		const char name = ($1)->string;
		add_symbol(name, SYM_ENUM_CONST, NULL, 0);
		}
		\| IDENT '=' EXPRESSION_PHRASE
		{
		const char name = strdup(($1)->string);
		const char name = ($1)->string;
		struct string_list expr = copy_list_range($3, *$2);
		add_symbol(name, SYM_ENUM_CONST, expr, 0);
		}