strsep() will advance tmp_mntopts, and will change it to NULL on last
iteration. This will cause strfree(tmp_mntopts) to not free anything.
unreferenced object 0xffff8800883976c0 (size 64):
comm "mount.zfs", pid 3361, jiffies
4294931877 (age 1482.408s)
hex dump (first 32 bytes):
72 77 00 73 74 72 69 63 74 61 74 69 6d 65 00 7a rw.strictatime.z
66 73 75 74 69 6c 00 6d 6e 74 70 6f 69 6e 74 3d fsutil.mntpoint=
backtrace:
[<
ffffffff81810c4e>] kmemleak_alloc+0x4e/0xb0
[<
ffffffff811f9cac>] __kmalloc+0x16c/0x250
[<
ffffffffc065ce9b>] strdup+0x3b/0x60 [spl]
[<
ffffffffc080fad6>] zpl_parse_options+0x56/0x300 [zfs]
[<
ffffffffc080fe46>] zpl_mount+0x36/0x80 [zfs]
[<
ffffffff81222dc8>] mount_fs+0x38/0x160
[<
ffffffff81240097>] vfs_kern_mount+0x67/0x110
[<
ffffffff812428e0>] do_mount+0x250/0xe20
[<
ffffffff812437d5>] SyS_mount+0x95/0xe0
[<
ffffffff8181aff6>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[<
ffffffffffffffff>] 0xffffffffffffffff
Signed-off-by: Chunwei Chen <david.chen@osnexus.com>
Signed-off-by: Tony Hutter <hutter2@llnl.gov>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #4706
Issue #4708
if (mntopts) {
substring_t args[MAX_OPT_ARGS];
- char *tmp_mntopts, *p;
+ char *tmp_mntopts, *p, *t;
int token;
- tmp_mntopts = strdup(mntopts);
+ t = tmp_mntopts = strdup(mntopts);
- while ((p = strsep(&tmp_mntopts, ",")) != NULL) {
+ while ((p = strsep(&t, ",")) != NULL) {
if (!*p)
continue;