pata_parport: fix possible memory leak

Message ID 20230311185149.22957-1-linux@zary.sk
State New
Headers
Series pata_parport: fix possible memory leak |

Commit Message

Ondrej Zary March 11, 2023, 6:51 p.m. UTC
  When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
  

Comments

Sergei Shtylyov March 11, 2023, 8:19 p.m. UTC | #1
On 3/11/23 9:51 PM, Ondrej Zary wrote:

> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>

Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

[...]

MBR, Sergey
  
Sergey Shtylyov March 11, 2023, 8:23 p.m. UTC | #2
On 3/11/23 11:19 PM, Sergei Shtylyov wrote:

>> When ida_alloc() fails, "pi" is not freed although the misleading
>> comment says otherwise.
>> Move the ida_alloc() call up so we really don't have to free it.

   Wait, but don't we still need to call kfree() in pi_init_one()?

>> Reported-by: kernel test robot <lkp@intel.com>
>> Reported-by: Dan Carpenter <error27@gmail.com>
>> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
>> Signed-off-by: Ondrej Zary <linux@zary.sk>
> 
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> 
> [...]

MBR, Sergey
  
Ondrej Zary March 11, 2023, 9:11 p.m. UTC | #3
On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
> 
> >> When ida_alloc() fails, "pi" is not freed although the misleading
> >> comment says otherwise.
> >> Move the ida_alloc() call up so we really don't have to free it.
> 
>    Wait, but don't we still need to call kfree() in pi_init_one()?

If it fails at device_register, the dev.release is already set to pata_parport_dev_release which does the kfree(). put_device() should call it. If it fails later, device_unregister() should do it.
 
> >> Reported-by: kernel test robot <lkp@intel.com>
> >> Reported-by: Dan Carpenter <error27@gmail.com>
> >> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> >> Signed-off-by: Ondrej Zary <linux@zary.sk>
> > 
> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> > 
> > [...]
> 
> MBR, Sergey
>
  
Ondrej Zary March 11, 2023, 9:39 p.m. UTC | #4
On Saturday 11 March 2023 22:11:57 Ondrej Zary wrote:
> On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> > On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
> > 
> > >> When ida_alloc() fails, "pi" is not freed although the misleading
> > >> comment says otherwise.
> > >> Move the ida_alloc() call up so we really don't have to free it.
> > 
> >    Wait, but don't we still need to call kfree() in pi_init_one()?
> 
> If it fails at device_register, the dev.release is already set to
> pata_parport_dev_release which does the kfree(). put_device() should call
> it. If it fails later, device_unregister() should do it.  

But I see that the ida_free() at the end of pi_init_one() is wrong. It uses pi->dev.id but pi is either uninitialized or already freed.
  

Patch

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..fb1f10afa722 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
 	if (!pi)
-		return NULL;
+		goto out_ida_free;
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {