[v2] pata_parport: fix possible memory leak

Message ID 20230311214447.7359-1-linux@zary.sk
State New
Headers
Series [v2] pata_parport: fix possible memory leak |

Commit Message

Ondrej Zary March 11, 2023, 9:44 p.m. UTC
  When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
  

Comments

Damien Le Moal March 12, 2023, 12:56 a.m. UTC | #1
On 3/12/23 06:44, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.

Certainly you meant: "so we really do free it in case of error.", no ?

> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>
> ---
>  drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> index 6165ee9aa7da..a9eff6003098 100644
> --- a/drivers/ata/pata_parport/pata_parport.c
> +++ b/drivers/ata/pata_parport/pata_parport.c
> @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
>  		return NULL;
>  
> +	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> +	if (id < 0)
> +		return NULL;
> +
>  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
>  	if (!pi)
> -		return NULL;
> +		goto out_ida_free;
>  
>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>  	pi->dev.parent = &pata_parport_bus;
>  	pi->dev.bus = &pata_parport_bus_type;
>  	pi->dev.driver = &pr->driver;
>  	pi->dev.release = pata_parport_dev_release;
> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> -	if (id < 0)
> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
>  	pi->dev.id = id;
>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>  	if (device_register(&pi->dev)) {
> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  out_unreg_dev:
>  	device_unregister(&pi->dev);

Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
return here ?

>  out_ida_free:
> -	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> +	ida_free(&pata_parport_bus_dev_ids, id);
>  	return NULL;
>  }
>
  
Ondrej Zary March 12, 2023, 9:24 p.m. UTC | #2
On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> On 3/12/23 06:44, Ondrej Zary wrote:
> > When ida_alloc() fails, "pi" is not freed although the misleading
> > comment says otherwise.
> > Move the ida_alloc() call up so we really don't have to free it.
> 
> Certainly you meant: "so we really do free it in case of error.", no ?

I meant "so we don't have to free pi in case of ida_alloc failure".
 
> > 
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <error27@gmail.com>
> > Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> > Signed-off-by: Ondrej Zary <linux@zary.sk>
> > ---
> >  drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
> >  1 file changed, 6 insertions(+), 5 deletions(-)
> > 
> > diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> > index 6165ee9aa7da..a9eff6003098 100644
> > --- a/drivers/ata/pata_parport/pata_parport.c
> > +++ b/drivers/ata/pata_parport/pata_parport.c
> > @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
> >  		return NULL;
> >  
> > +	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > +	if (id < 0)
> > +		return NULL;
> > +
> >  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
> >  	if (!pi)
> > -		return NULL;
> > +		goto out_ida_free;
> >  
> >  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >  	pi->dev.parent = &pata_parport_bus;
> >  	pi->dev.bus = &pata_parport_bus_type;
> >  	pi->dev.driver = &pr->driver;
> >  	pi->dev.release = pata_parport_dev_release;
> > -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > -	if (id < 0)
> > -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >  	pi->dev.id = id;
> >  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >  	if (device_register(&pi->dev)) {
> > @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >  out_unreg_dev:
> >  	device_unregister(&pi->dev);
> 
> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> return here ?

No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.

> 
> >  out_ida_free:
> > -	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> > +	ida_free(&pata_parport_bus_dev_ids, id);
> >  	return NULL;
> >  }
> >  
>
  
Damien Le Moal March 12, 2023, 11:17 p.m. UTC | #3
On 3/13/23 06:24, Ondrej Zary wrote:
> On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
>> On 3/12/23 06:44, Ondrej Zary wrote:
>>> When ida_alloc() fails, "pi" is not freed although the misleading
>>> comment says otherwise.
>>> Move the ida_alloc() call up so we really don't have to free it.
>>
>> Certainly you meant: "so we really do free it in case of error.", no ?
> 
> I meant "so we don't have to free pi in case of ida_alloc failure".

That is better. Please rephrase the commit message to this.

>>>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>>>  	pi->dev.parent = &pata_parport_bus;
>>>  	pi->dev.bus = &pata_parport_bus_type;
>>>  	pi->dev.driver = &pr->driver;
>>>  	pi->dev.release = pata_parport_dev_release;
>>> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
>>> -	if (id < 0)
>>> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
>>>  	pi->dev.id = id;
>>>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>>>  	if (device_register(&pi->dev)) {
>>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>>>  out_unreg_dev:
>>>  	device_unregister(&pi->dev);
>>
>> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
>> return here ?
> 
> No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.

Yes, it should, otherwise you are leaking the ida with the normal (no errors)
case. Care to send a fix for that too ?
  
Ondrej Zary March 13, 2023, 7:53 a.m. UTC | #4
On Monday 13 March 2023, Damien Le Moal wrote:
> On 3/13/23 06:24, Ondrej Zary wrote:
> > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> >> On 3/12/23 06:44, Ondrej Zary wrote:
> >>> When ida_alloc() fails, "pi" is not freed although the misleading
> >>> comment says otherwise.
> >>> Move the ida_alloc() call up so we really don't have to free it.
> >>
> >> Certainly you meant: "so we really do free it in case of error.", no ?
> > 
> > I meant "so we don't have to free pi in case of ida_alloc failure".
> 
> That is better. Please rephrase the commit message to this.
> 
> >>>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >>>  	pi->dev.parent = &pata_parport_bus;
> >>>  	pi->dev.bus = &pata_parport_bus_type;
> >>>  	pi->dev.driver = &pr->driver;
> >>>  	pi->dev.release = pata_parport_dev_release;
> >>> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> >>> -	if (id < 0)
> >>> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >>>  	pi->dev.id = id;
> >>>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >>>  	if (device_register(&pi->dev)) {
> >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >>>  out_unreg_dev:
> >>>  	device_unregister(&pi->dev);
> >>
> >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> >> return here ?
> > 
> > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
> 
> Yes, it should, otherwise you are leaking the ida with the normal (no errors)
> case. Care to send a fix for that too ?

Yes, I'll send it as soon as I fix a problem that I noticed during testing. The ida is never freed with this fix. And neither "pi" because pata_parport_dev_release is never called (confirmed by adding printk).
  

Patch

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..a9eff6003098 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
 	if (!pi)
-		return NULL;
+		goto out_ida_free;
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {
@@ -571,7 +572,7 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 out_unreg_dev:
 	device_unregister(&pi->dev);
 out_ida_free:
-	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+	ida_free(&pata_parport_bus_dev_ids, id);
 	return NULL;
 }