| Message ID | 20230311185149.22957-1-linux@zary.sk |
|---|---|
| State | New |
| Headers | show |
| Series | pata_parport: fix possible memory leak | expand |
On 3/11/23 9:51 PM, Ondrej Zary wrote: > When ida_alloc() fails, "pi" is not freed although the misleading > comment says otherwise. > Move the ida_alloc() call up so we really don't have to free it. > > Reported-by: kernel test robot <lkp@intel.com> > Reported-by: Dan Carpenter <error27@gmail.com> > Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ > Signed-off-by: Ondrej Zary <linux@zary.sk> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> [...] MBR, Sergey
On 3/11/23 11:19 PM, Sergei Shtylyov wrote: >> When ida_alloc() fails, "pi" is not freed although the misleading >> comment says otherwise. >> Move the ida_alloc() call up so we really don't have to free it. Wait, but don't we still need to call kfree() in pi_init_one()? >> Reported-by: kernel test robot <lkp@intel.com> >> Reported-by: Dan Carpenter <error27@gmail.com> >> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ >> Signed-off-by: Ondrej Zary <linux@zary.sk> > > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > > [...] MBR, Sergey
On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote: > On 3/11/23 11:19 PM, Sergei Shtylyov wrote: > > >> When ida_alloc() fails, "pi" is not freed although the misleading > >> comment says otherwise. > >> Move the ida_alloc() call up so we really don't have to free it. > > Wait, but don't we still need to call kfree() in pi_init_one()? If it fails at device_register, the dev.release is already set to pata_parport_dev_release which does the kfree(). put_device() should call it. If it fails later, device_unregister() should do it. > >> Reported-by: kernel test robot <lkp@intel.com> > >> Reported-by: Dan Carpenter <error27@gmail.com> > >> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ > >> Signed-off-by: Ondrej Zary <linux@zary.sk> > > > > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru> > > > > [...] > > MBR, Sergey >
On Saturday 11 March 2023 22:11:57 Ondrej Zary wrote: > On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote: > > On 3/11/23 11:19 PM, Sergei Shtylyov wrote: > > > > >> When ida_alloc() fails, "pi" is not freed although the misleading > > >> comment says otherwise. > > >> Move the ida_alloc() call up so we really don't have to free it. > > > > Wait, but don't we still need to call kfree() in pi_init_one()? > > If it fails at device_register, the dev.release is already set to > pata_parport_dev_release which does the kfree(). put_device() should call > it. If it fails later, device_unregister() should do it. But I see that the ida_free() at the end of pi_init_one() is wrong. It uses pi->dev.id but pi is either uninitialized or already freed.
diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c index 6165ee9aa7da..fb1f10afa722 100644 --- a/drivers/ata/pata_parport/pata_parport.c +++ b/drivers/ata/pata_parport/pata_parport.c @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport, if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev)) return NULL; + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); + if (id < 0) + return NULL; + pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL); if (!pi) - return NULL; + goto out_ida_free; /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */ pi->dev.parent = &pata_parport_bus; pi->dev.bus = &pata_parport_bus_type; pi->dev.driver = &pr->driver; pi->dev.release = pata_parport_dev_release; - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL); - if (id < 0) - return NULL; /* pata_parport_dev_release will do kfree(pi) */ pi->dev.id = id; dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id); if (device_register(&pi->dev)) {
When ida_alloc() fails, "pi" is not freed although the misleading comment says otherwise. Move the ida_alloc() call up so we really don't have to free it. Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ Signed-off-by: Ondrej Zary <linux@zary.sk> --- drivers/ata/pata_parport/pata_parport.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)