| Message ID | 20230311214447.7359-1-linux@zary.sk |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp466069wrd;
Sat, 11 Mar 2023 13:52:16 -0800 (PST)
X-Google-Smtp-Source:
AK7set+wy2LkYd2buuML3jOojS+IXtjEXPNZy9LmysOPGpAxywnshFSWeGLwXFP50oeo+/V3dkcU
X-Received: by 2002:a17:902:a986:b0:19f:2332:d2ca with SMTP id
bh6-20020a170902a98600b0019f2332d2camr2619873plb.52.1678571536639;
Sat, 11 Mar 2023 13:52:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1678571536; cv=none;
d=google.com; s=arc-20160816;
b=Grkoewfv+/A8xmJr/IyMspvBeECj41Rej4r4N3orRukOGV+SaLv3a8yW09uC2KMbi5
ROkjSd2ynyk7lRVrsl8Jv8F6ebvkfCeJddTVPS8NgxhDaDQio4jpw0ni4YGKsou5Hbwr
XtSmZN1TT0isv2lTdJBWLU9RImdQSC6eUDw931DF+FZN+FJwI6unlae3sPBm4dCQQ2pG
XN5sNuCIs3x+WJUYb3PHWLPRom5avf4xU77XKMemCW+MO5i5gyAkwPXLF6v+If0OKBV2
jYM5yitRj8agdIHIbrjrVcK6s1YnhdbQRqEDq3ENB1Gme1x/Pfh/t1NRIkKSTy2HU4GE
nYxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from;
bh=p71wJv47rC+9yOazlgpis0rd1CB+JLx1UsiXjmug2IM=;
b=f8A8HxLNJJt9VsgzFeSSjFUtvtJX1xJU5fHSgWQPSOjscsLW3TiUlVeVMq/Flr1VjF
YJI6GFPP5HKdQOMBUmDKg1gJ9tsGWrxkSMqAS3PrifGXKcp81WACEnZPuRI/Y7U7b8Xr
caKyHqZMeTAxCAGqOQtAkxgqRaQvCEZLgNu9+EGVcfEQx+o49AzmqW+3A5gyoaJ/BOOd
ZT/zEKsRPxO4ASlCJPwbqneeEdZ5UcRX5hG7wMlZp+egpg1CAIW77lAZnJzwjfFL0JXl
wDgxJKHsCaxoumN41JSI4X3GzB9H7hhkO31cppoU1yuZWQkkNHUMQViW9aA2tvQoCigE
eNeQ==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q12-20020a17090311cc00b0019f3c06fdfasi308222plh.339.2023.03.11.13.52.04;
Sat, 11 Mar 2023 13:52:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229768AbjCKVo5 (ORCPT <rfc822;toshivichauhan@gmail.com>
+ 99 others); Sat, 11 Mar 2023 16:44:57 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51880 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229543AbjCKVoz (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 11 Mar 2023 16:44:55 -0500
Received: from hosting.gsystem.sk (hosting.gsystem.sk [212.5.213.30])
by lindbergh.monkeyblade.net (Postfix) with ESMTP id F325B67813;
Sat, 11 Mar 2023 13:44:54 -0800 (PST)
Received: from gsql.ggedos.sk (off-20.infotel.telecom.sk [212.5.213.20])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by hosting.gsystem.sk (Postfix) with ESMTPSA id 3C9497A0158;
Sat, 11 Mar 2023 22:44:54 +0100 (CET)
From: Ondrej Zary <linux@zary.sk>
To: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Cc: Christoph Hellwig <hch@lst.de>,
Sergey Shtylyov <s.shtylyov@omp.ru>, linux-ide@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v2] pata_parport: fix possible memory leak
Date: Sat, 11 Mar 2023 22:44:47 +0100
Message-Id: <20230311214447.7359-1-linux@zary.sk>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <202303112239.21234.linux@zary.sk>
References: <202303112239.21234.linux@zary.sk>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1760100787952827298?=
X-GMAIL-MSGID: =?utf-8?q?1760109827829456514?=
|
| Series |
[v2] pata_parport: fix possible memory leak
|
|
Commit Message
Ondrej Zary
March 11, 2023, 9:44 p.m. UTC
When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
Comments
On 3/12/23 06:44, Ondrej Zary wrote: > When ida_alloc() fails, "pi" is not freed although the misleading > comment says otherwise. > Move the ida_alloc() call up so we really don't have to free it. Certainly you meant: "so we really do free it in case of error.", no ? > > Reported-by: kernel test robot <lkp@intel.com> > Reported-by: Dan Carpenter <error27@gmail.com> > Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ > Signed-off-by: Ondrej Zary <linux@zary.sk> > --- > drivers/ata/pata_parport/pata_parport.c | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c > index 6165ee9aa7da..a9eff6003098 100644 > --- a/drivers/ata/pata_parport/pata_parport.c > +++ b/drivers/ata/pata_parport/pata_parport.c > @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport, > if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev)) > return NULL; > > + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); > + if (id < 0) > + return NULL; > + > pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL); > if (!pi) > - return NULL; > + goto out_ida_free; > > /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ > pi->dev.parent = &pata_parport_bus; > pi->dev.bus = &pata_parport_bus_type; > pi->dev.driver = &pr->driver; > pi->dev.release = pata_parport_dev_release; > - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); > - if (id < 0) > - return NULL; /* pata_parport_dev_release will do kfree(pi) */ > pi->dev.id = id; > dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); > if (device_register(&pi->dev)) { > @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport, > out_unreg_dev: > device_unregister(&pi->dev); Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you return here ? > out_ida_free: > - ida_free(&pata_parport_bus_dev_ids, pi->dev.id); > + ida_free(&pata_parport_bus_dev_ids, id); > return NULL; > } >
On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote: > On 3/12/23 06:44, Ondrej Zary wrote: > > When ida_alloc() fails, "pi" is not freed although the misleading > > comment says otherwise. > > Move the ida_alloc() call up so we really don't have to free it. > > Certainly you meant: "so we really do free it in case of error.", no ? I meant "so we don't have to free pi in case of ida_alloc failure". > > > > Reported-by: kernel test robot <lkp@intel.com> > > Reported-by: Dan Carpenter <error27@gmail.com> > > Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ > > Signed-off-by: Ondrej Zary <linux@zary.sk> > > --- > > drivers/ata/pata_parport/pata_parport.c | 11 ++++++----- > > 1 file changed, 6 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c > > index 6165ee9aa7da..a9eff6003098 100644 > > --- a/drivers/ata/pata_parport/pata_parport.c > > +++ b/drivers/ata/pata_parport/pata_parport.c > > @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport, > > if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev)) > > return NULL; > > > > + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); > > + if (id < 0) > > + return NULL; > > + > > pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL); > > if (!pi) > > - return NULL; > > + goto out_ida_free; > > > > /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ > > pi->dev.parent = &pata_parport_bus; > > pi->dev.bus = &pata_parport_bus_type; > > pi->dev.driver = &pr->driver; > > pi->dev.release = pata_parport_dev_release; > > - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); > > - if (id < 0) > > - return NULL; /* pata_parport_dev_release will do kfree(pi) */ > > pi->dev.id = id; > > dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); > > if (device_register(&pi->dev)) { > > @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport, > > out_unreg_dev: > > device_unregister(&pi->dev); > > Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you > return here ? No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too. > > > out_ida_free: > > - ida_free(&pata_parport_bus_dev_ids, pi->dev.id); > > + ida_free(&pata_parport_bus_dev_ids, id); > > return NULL; > > } > > >
On 3/13/23 06:24, Ondrej Zary wrote: > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote: >> On 3/12/23 06:44, Ondrej Zary wrote: >>> When ida_alloc() fails, "pi" is not freed although the misleading >>> comment says otherwise. >>> Move the ida_alloc() call up so we really don't have to free it. >> >> Certainly you meant: "so we really do free it in case of error.", no ? > > I meant "so we don't have to free pi in case of ida_alloc failure". That is better. Please rephrase the commit message to this. >>> /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ >>> pi->dev.parent = &pata_parport_bus; >>> pi->dev.bus = &pata_parport_bus_type; >>> pi->dev.driver = &pr->driver; >>> pi->dev.release = pata_parport_dev_release; >>> - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); >>> - if (id < 0) >>> - return NULL; /* pata_parport_dev_release will do kfree(pi) */ >>> pi->dev.id = id; >>> dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); >>> if (device_register(&pi->dev)) { >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport, >>> out_unreg_dev: >>> device_unregister(&pi->dev); >> >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you >> return here ? > > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too. Yes, it should, otherwise you are leaking the ida with the normal (no errors) case. Care to send a fix for that too ?
On Monday 13 March 2023, Damien Le Moal wrote: > On 3/13/23 06:24, Ondrej Zary wrote: > > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote: > >> On 3/12/23 06:44, Ondrej Zary wrote: > >>> When ida_alloc() fails, "pi" is not freed although the misleading > >>> comment says otherwise. > >>> Move the ida_alloc() call up so we really don't have to free it. > >> > >> Certainly you meant: "so we really do free it in case of error.", no ? > > > > I meant "so we don't have to free pi in case of ida_alloc failure". > > That is better. Please rephrase the commit message to this. > > >>> /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ > >>> pi->dev.parent = &pata_parport_bus; > >>> pi->dev.bus = &pata_parport_bus_type; > >>> pi->dev.driver = &pr->driver; > >>> pi->dev.release = pata_parport_dev_release; > >>> - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); > >>> - if (id < 0) > >>> - return NULL; /* pata_parport_dev_release will do kfree(pi) */ > >>> pi->dev.id = id; > >>> dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); > >>> if (device_register(&pi->dev)) { > >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport, > >>> out_unreg_dev: > >>> device_unregister(&pi->dev); > >> > >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you > >> return here ? > > > > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too. > > Yes, it should, otherwise you are leaking the ida with the normal (no errors) > case. Care to send a fix for that too ? Yes, I'll send it as soon as I fix a problem that I noticed during testing. The ida is never freed with this fix. And neither "pi" because pata_parport_dev_release is never called (confirmed by adding printk).
diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c index 6165ee9aa7da..a9eff6003098 100644 --- a/drivers/ata/pata_parport/pata_parport.c +++ b/drivers/ata/pata_parport/pata_parport.c @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport, if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev)) return NULL; + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); + if (id < 0) + return NULL; + pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL); if (!pi) - return NULL; + goto out_ida_free; /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ pi->dev.parent = &pata_parport_bus; pi->dev.bus = &pata_parport_bus_type; pi->dev.driver = &pr->driver; pi->dev.release = pata_parport_dev_release; - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); - if (id < 0) - return NULL; /* pata_parport_dev_release will do kfree(pi) */ pi->dev.id = id; dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); if (device_register(&pi->dev)) { @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport, out_unreg_dev: device_unregister(&pi->dev); out_ida_free: - ida_free(&pata_parport_bus_dev_ids, pi->dev.id); + ida_free(&pata_parport_bus_dev_ids, id); return NULL; }