Fix memleak in zpl_parse_options
authorChunwei Chen <david.chen@osnexus.com>
Fri, 27 May 2016 22:44:52 +0000 (15:44 -0700)
committerBrian Behlendorf <behlendorf1@llnl.gov>
Tue, 31 May 2016 23:04:26 +0000 (16:04 -0700)
strsep() will advance tmp_mntopts, and will change it to NULL on last
iteration.  This will cause strfree(tmp_mntopts) to not free anything.

unreferenced object 0xffff8800883976c0 (size 64):
  comm "mount.zfs", pid 3361, jiffies 4294931877 (age 1482.408s)
  hex dump (first 32 bytes):
    72 77 00 73 74 72 69 63 74 61 74 69 6d 65 00 7a  rw.strictatime.z
    66 73 75 74 69 6c 00 6d 6e 74 70 6f 69 6e 74 3d  fsutil.mntpoint=
  backtrace:
    [<ffffffff81810c4e>] kmemleak_alloc+0x4e/0xb0
    [<ffffffff811f9cac>] __kmalloc+0x16c/0x250
    [<ffffffffc065ce9b>] strdup+0x3b/0x60 [spl]
    [<ffffffffc080fad6>] zpl_parse_options+0x56/0x300 [zfs]
    [<ffffffffc080fe46>] zpl_mount+0x36/0x80 [zfs]
    [<ffffffff81222dc8>] mount_fs+0x38/0x160
    [<ffffffff81240097>] vfs_kern_mount+0x67/0x110
    [<ffffffff812428e0>] do_mount+0x250/0xe20
    [<ffffffff812437d5>] SyS_mount+0x95/0xe0
    [<ffffffff8181aff6>] entry_SYSCALL_64_fastpath+0x1e/0xa8
    [<ffffffffffffffff>] 0xffffffffffffffff

Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Tony Hutter <hutter2@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4706
Issue #4708

module/zfs/zpl_super.c

index bcdbbd69e2808e56d8b6588f9ed77aab19b5b745..91c36c9e3675f796b4318a8556631ba8baa5cca5 100644 (file)
@@ -336,12 +336,12 @@ zpl_parse_options(char *osname, char *mntopts, zfs_mntopts_t *zmo,
 
        if (mntopts) {
                substring_t args[MAX_OPT_ARGS];
-               char *tmp_mntopts, *p;
+               char *tmp_mntopts, *p, *t;
                int token;
 
-               tmp_mntopts = strdup(mntopts);
+               t = tmp_mntopts = strdup(mntopts);
 
-               while ((p = strsep(&tmp_mntopts, ",")) != NULL) {
+               while ((p = strsep(&t, ",")) != NULL) {
                        if (!*p)
                                continue;
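Review bot: The new cursor `t` carries the whole fix, but nothing at its declaration or at `t = tmp_mntopts = strdup(mntopts);` says why two pointers to the same buffer exist, so a later cleanup could merge them and bring the leak back. A short comment above the assignment would pin the invariant, e.g. `/* strsep() advances t and leaves it NULL; tmp_mntopts keeps the base for strfree() */`. The loop body and the strfree() call are outside this hunk, so it is worth confirming that every exit from the loop, including any early error return, frees `tmp_mntopts` and never `t`. Because the buffer is duplicated on each mount that passes options, a regression here would let repeated mounts steadily consume kernel memory.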