[v3] pata_parport: fix memory leaks

Message ID 20230314225805.9124-1-linux@zary.sk
State New
Headers
Series [v3] pata_parport: fix memory leaks |

Commit Message

Ondrej Zary March 14, 2023, 10:58 p.m. UTC
  When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free "pi" in
case of ida_alloc() failure.

Also move ida_free() call from pi_remove_one() to
pata_parport_dev_release(). It was dereferencing already freed dev
pointer.

Testing revealed leak even in non-failure case which was tracked down
to missing put_device() call after bus_find_device_by_name(). As a
result, pata_parport_dev_release() was never called.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
  

Comments

Damien Le Moal March 16, 2023, 7:53 a.m. UTC | #1
On 3/15/23 07:58, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free "pi" in
> case of ida_alloc() failure.
> 
> Also move ida_free() call from pi_remove_one() to
> pata_parport_dev_release(). It was dereferencing already freed dev
> pointer.
> 
> Testing revealed leak even in non-failure case which was tracked down
> to missing put_device() call after bus_find_device_by_name(). As a
> result, pata_parport_dev_release() was never called.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>

Applied to for-6.3-fixes. Thanks !
  

Patch

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..dc77b4c6fcef 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -452,6 +452,7 @@  static void pata_parport_dev_release(struct device *dev)
 {
 	struct pi_adapter *pi = container_of(dev, struct pi_adapter, dev);
 
+	ida_free(&pata_parport_bus_dev_ids, dev->id);
 	kfree(pi);
 }
 
@@ -503,23 +504,27 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
-	if (!pi)
+	if (!pi) {
+		ida_free(&pata_parport_bus_dev_ids, id);
 		return NULL;
+	}
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {
 		put_device(&pi->dev);
-		goto out_ida_free;
+		/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
+		return NULL;
 	}
 
 	pi->proto = pr;
@@ -534,8 +539,7 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 	pi->port = parport->base;
 
 	par_cb.private = pi;
-	pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
-						pi->dev.id);
+	pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb, id);
 	if (!pi->pardev)
 		goto out_module_put;
 
@@ -570,8 +574,7 @@  static struct pi_adapter *pi_init_one(struct parport *parport,
 	module_put(pi->proto->owner);
 out_unreg_dev:
 	device_unregister(&pi->dev);
-out_ida_free:
-	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+	/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
 	return NULL;
 }
 
@@ -696,8 +699,7 @@  static void pi_remove_one(struct device *dev)
 	pi_disconnect(pi);
 	pi_release(pi);
 	device_unregister(dev);
-	ida_free(&pata_parport_bus_dev_ids, dev->id);
-	/* pata_parport_dev_release will do kfree(pi) */
+	/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
 }
 
 static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
@@ -713,6 +715,7 @@  static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
 	}
 
 	pi_remove_one(dev);
+	put_device(dev);
 	mutex_unlock(&pi_mutex);
 
 	return count;