[PATCH] staging: comedi: drivers: prevent memory leak
In das1800_attach, the buffer allocated via kmalloc_array needs to be
released if an error happens.
Signed-off-by: Navid Emamdoost
---
drivers/staging/comedi/drivers/das1800.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/comedi/drivers/das1800.c
b/drivers/staging/comedi/drivers/das1800.c
index f16aa7e9f4f3..5f2d5f7a6229 100644
--- a/drivers/staging/comedi/drivers/das1800.c
+++ b/drivers/staging/comedi/drivers/das1800.c
@@ -1237,12 +1237,16 @@ static int das1800_attach(struct comedi_device *dev,
dev->pacer = comedi_8254_init(dev->iobase + DAS1800_COUNTER,
I8254_OSC_BASE_5MHZ, I8254_IO8, 0);
- if (!dev->pacer)
+ if (!dev->pacer) {
+ kfree(devpriv->fifo_buf);
return -ENOMEM;
+ }
ret = comedi_alloc_subdevices(dev, 4);
- if (ret)
+ if (ret) {
+ kfree(devpriv->fifo_buf);
return ret;
+ }
/*
* Analog Input subdevice
@@ -1290,8 +1294,10 @@ static int das1800_attach(struct comedi_device *dev,
s->insn_write = das1800_ao_insn_write;
ret = comedi_alloc_subdev_readback(s);
- if (ret)
+ if (ret) {
+ kfree(devpriv->fifo_buf);
return ret;
+ }
/* initialize all channels to 0V */
for (i = 0; i < s->n_chan; i++) {
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] media: staging: davinci: fix for memory leak
In ipipe_g_config the allocated memory for params needs to be released
if either module_if->get or copy_to_user fails.
Signed-off-by: Navid Emamdoost
---
drivers/staging/media/davinci_vpfe/dm365_ipipe.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
index 52397ad0e3e2..3023691b53c0 100644
--- a/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
+++ b/drivers/staging/media/davinci_vpfe/dm365_ipipe.c
@@ -1316,10 +1316,13 @@ static int ipipe_g_config(struct v4l2_subdev *sd,
struct vpfe_ipipe_config *cfg)
if (to && from && size) {
rval = module_if->get(ipipe, from);
- if (rval)
+ if (rval) {
+ kfree(params);
goto error;
+ }
if (copy_to_user((void __user *)to, from, size)) {
rval = -EFAULT;
+ kfree(params);
break;
}
}
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: rtl8192u: release memory on error path
In rtl819xU_tx_cmd if usb_submit_urb fails the allocated memories should
be released.
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192u/r8192U_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..401561705d9d 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -1232,6 +1232,8 @@ short rtl819xU_tx_cmd(struct net_device *dev, struct
sk_buff *skb)
return 0;
DMESGE("Error TX CMD URB, error %d", status);
+ dev_kfree_skb(skb);
+ usb_free_urb(tx_urb);
return -1;
}
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: rtl8192u: fix multiple memory leaks on error path
In rtl8192_tx on error handling path allocated urbs and also skb should
be released.
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192u/r8192U_core.c | 17 -
1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..b62b03802b1b 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -1422,7 +1422,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
*skb)
(struct tx_fwinfo_819x_usb *)(skb->data +
USB_HWDESC_HEADER_LEN);
struct usb_device *udev = priv->udev;
int pend;
- int status;
+ int status, rt = -1;
struct urb *tx_urb = NULL, *tx_urb_zero = NULL;
unsigned int idx_pipe;
@@ -1566,8 +1566,10 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
*skb)
}
if (bSend0Byte) {
tx_urb_zero = usb_alloc_urb(0, GFP_ATOMIC);
- if (!tx_urb_zero)
- return -ENOMEM;
+ if (!tx_urb_zero) {
+ rt = -ENOMEM;
+ goto error;
+ }
usb_fill_bulk_urb(tx_urb_zero, udev,
usb_sndbulkpipe(udev, idx_pipe),
&zero, 0, tx_zero_isr, dev);
@@ -1577,7 +1579,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
*skb)
"Error TX URB for zero byte %d, error
%d",
atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
status);
- return -1;
+ goto error;
}
}
netif_trans_update(dev);
@@ -1588,7 +1590,12 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
*skb)
RT_TRACE(COMP_ERR, "Error TX URB %d, error %d",
atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
status);
- return -1;
+
+error:
+ dev_kfree_skb_any(skb);
+ usb_free_urb(tx_urb);
+ usb_free_urb(tx_urb_zero);
+ return rt;
}
static short rtl8192_usb_initendpoints(struct net_device *dev)
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
In fbtft_framebuffer_alloc the error handling path should take care of
releasing frame buffer after it is allocated via framebuffer_alloc, too.
Therefore, in two failure cases the goto destination is changed to
address this issue.
Fixes: c296d5f9957c ("staging: fbtft: core support")
Signed-off-by: Navid Emamdoost
---
drivers/staging/fbtft/fbtft-core.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/fbtft/fbtft-core.c
b/drivers/staging/fbtft/fbtft-core.c
index cf5700a2ea66..a0a67aa517f0 100644
--- a/drivers/staging/fbtft/fbtft-core.c
+++ b/drivers/staging/fbtft/fbtft-core.c
@@ -714,7 +714,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct
fbtft_display *display,
if (par->gamma.curves && gamma) {
if (fbtft_gamma_parse_str(par, par->gamma.curves, gamma,
strlen(gamma)))
- goto alloc_fail;
+ goto release_framebuf;
}
/* Transmit buffer */
@@ -731,7 +731,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct
fbtft_display *display,
if (txbuflen > 0) {
txbuf = devm_kzalloc(par->info->device, txbuflen, GFP_KERNEL);
if (!txbuf)
- goto alloc_fail;
+ goto release_framebuf;
par->txbuf.buf = txbuf;
par->txbuf.len = txbuflen;
}
@@ -753,6 +753,9 @@ struct fb_info *fbtft_framebuffer_alloc(struct
fbtft_display *display,
return info;
+release_framebuf:
+ framebuffer_release(info);
+
alloc_fail:
vfree(vmem);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: [PATCH] staging: rtl8192u: fix multiple memory leaks on error path
Could you take a look at this patch and confirm it, please?
On Thu, Sep 19, 2019 at 9:51 PM Navid Emamdoost
wrote:
>
> In rtl8192_tx on error handling path allocated urbs and also skb should
> be released.
>
> Signed-off-by: Navid Emamdoost
> ---
> drivers/staging/rtl8192u/r8192U_core.c | 17 -
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/staging/rtl8192u/r8192U_core.c
> b/drivers/staging/rtl8192u/r8192U_core.c
> index fe1f279ca368..b62b03802b1b 100644
> --- a/drivers/staging/rtl8192u/r8192U_core.c
> +++ b/drivers/staging/rtl8192u/r8192U_core.c
> @@ -1422,7 +1422,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
> *skb)
> (struct tx_fwinfo_819x_usb *)(skb->data +
> USB_HWDESC_HEADER_LEN);
> struct usb_device *udev = priv->udev;
> int pend;
> - int status;
> + int status, rt = -1;
> struct urb *tx_urb = NULL, *tx_urb_zero = NULL;
> unsigned int idx_pipe;
>
> @@ -1566,8 +1566,10 @@ short rtl8192_tx(struct net_device *dev, struct
> sk_buff *skb)
> }
> if (bSend0Byte) {
> tx_urb_zero = usb_alloc_urb(0, GFP_ATOMIC);
> - if (!tx_urb_zero)
> - return -ENOMEM;
> + if (!tx_urb_zero) {
> + rt = -ENOMEM;
> + goto error;
> + }
> usb_fill_bulk_urb(tx_urb_zero, udev,
> usb_sndbulkpipe(udev, idx_pipe),
> &zero, 0, tx_zero_isr, dev);
> @@ -1577,7 +1579,7 @@ short rtl8192_tx(struct net_device *dev, struct sk_buff
> *skb)
> "Error TX URB for zero byte %d,
> error %d",
>
> atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
> status);
> - return -1;
> + goto error;
> }
> }
> netif_trans_update(dev);
> @@ -1588,7 +1590,12 @@ short rtl8192_tx(struct net_device *dev, struct
> sk_buff *skb)
> RT_TRACE(COMP_ERR, "Error TX URB %d, error %d",
> atomic_read(&priv->tx_pending[tcb_desc->queue_index]),
> status);
> - return -1;
> +
> +error:
> + dev_kfree_skb_any(skb);
> + usb_free_urb(tx_urb);
> + usb_free_urb(tx_urb_zero);
> + return rt;
> }
>
> static short rtl8192_usb_initendpoints(struct net_device *dev)
> --
> 2.17.1
>
--
Navid.
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: vt6655: Fix memory leak in vt6655_probe
In vt6655_probe, if vnt_init() fails the cleanup code needs to be called
like other error handling cases. The call to device_free_info() is
added.
Fixes: 67013f2c0e58 ("staging: vt6655: mac80211 conversion add main mac80211
functions")
Signed-off-by: Navid Emamdoost
---
drivers/staging/vt6655/device_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/vt6655/device_main.c
b/drivers/staging/vt6655/device_main.c
index c6bb4aaf9bd0..082302944c37 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -1748,8 +1748,10 @@ vt6655_probe(struct pci_dev *pcid, const struct
pci_device_id *ent)
priv->hw->max_signal = 100;
- if (vnt_init(priv))
+ if (vnt_init(priv)) {
+ device_free_info(priv);
return -ENODEV;
+ }
device_print_info(priv);
pci_set_drvdata(pcid, priv);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] rtl8192_init_priv_variable: null check is missing for kzalloc
Allocation for priv->pFirmware may fail, so a null check is necessary.
priv->pFirmware is accessed at line 2743. I added the check and made
appropriate changes to propagate the errno to the caller.
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192u/r8192U_core.c | 13 +++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..5fb24b13ce5b 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -2096,7 +2096,7 @@ static void rtl8192_SetWirelessMode(struct net_device
*dev, u8 wireless_mode)
}
/* init priv variables here. only non_zero value should be initialized here. */
-static void rtl8192_init_priv_variable(struct net_device *dev)
+static int rtl8192_init_priv_variable(struct net_device *dev)
{
struct r8192_priv *priv = ieee80211_priv(dev);
u8 i;
@@ -2223,6 +2223,10 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
priv->AcmControl = 0;
priv->pFirmware = kzalloc(sizeof(rt_firmware), GFP_KERNEL);
+ if (!priv->pFirmware) {
+ return -ENOMEM;
+ }
+
/* rx related queue */
skb_queue_head_init(&priv->rx_queue);
@@ -2236,6 +2240,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
for (i = 0; i < MAX_QUEUE_SIZE; i++)
skb_queue_head_init(&priv->ieee80211->skb_drv_aggQ[i]);
priv->rf_set_chan = rtl8192_phy_SwChnl;
+
+ return 0;
}
/* init lock here */
@@ -2605,7 +2611,10 @@ static short rtl8192_init(struct net_device *dev)
memcpy(priv->txqueue_to_outpipemap, queuetopipe, 9);
}
#endif
- rtl8192_init_priv_variable(dev);
+ err = rtl8192_init_priv_variable(dev);
+ if (err) {
+ return err;
+ }
rtl8192_init_priv_lock(priv);
rtl8192_init_priv_task(dev);
rtl8192_get_eeprom_size(dev);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v2] rtl8192_init_priv_variable: null check is missing for kzalloc
Allocation for priv->pFirmware may fail, so a null check is necessary.
priv->pFirmware is accessed later in rtl8192_adapter_start. I added the
check and made appropriate changes to propagate the errno to the caller.
Update: fixed style errors
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192u/r8192U_core.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..569d02240bf5 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -2096,7 +2096,7 @@ static void rtl8192_SetWirelessMode(struct net_device
*dev, u8 wireless_mode)
}
/* init priv variables here. only non_zero value should be initialized here. */
-static void rtl8192_init_priv_variable(struct net_device *dev)
+static int rtl8192_init_priv_variable(struct net_device *dev)
{
struct r8192_priv *priv = ieee80211_priv(dev);
u8 i;
@@ -2223,6 +2223,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
priv->AcmControl = 0;
priv->pFirmware = kzalloc(sizeof(rt_firmware), GFP_KERNEL);
+ if (!priv->pFirmware)
+ return -ENOMEM;
/* rx related queue */
skb_queue_head_init(&priv->rx_queue);
@@ -2236,6 +2238,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
for (i = 0; i < MAX_QUEUE_SIZE; i++)
skb_queue_head_init(&priv->ieee80211->skb_drv_aggQ[i]);
priv->rf_set_chan = rtl8192_phy_SwChnl;
+
+ return 0;
}
/* init lock here */
@@ -2605,7 +2609,10 @@ static short rtl8192_init(struct net_device *dev)
memcpy(priv->txqueue_to_outpipemap, queuetopipe, 9);
}
#endif
- rtl8192_init_priv_variable(dev);
+ err = rtl8192_init_priv_variable(dev);
+ if (err)
+ return err;
+
rtl8192_init_priv_lock(priv);
rtl8192_init_priv_task(dev);
rtl8192_get_eeprom_size(dev);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v3] staging: rtl8192u: null check the kzalloc
In rtl8192_init_priv_variable allocation for priv->pFirmware may fail,
so a null check is necessary.priv->pFirmware is accessed later in
rtl8192_adapter_start. I added the check and made appropriate changes
to propagate the errno to the caller.
---
Update v2: fixed style errors
Update V3: fixed prefix
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192u/r8192U_core.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..569d02240bf5 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -2096,7 +2096,7 @@ static void rtl8192_SetWirelessMode(struct net_device
*dev, u8 wireless_mode)
}
/* init priv variables here. only non_zero value should be initialized here. */
-static void rtl8192_init_priv_variable(struct net_device *dev)
+static int rtl8192_init_priv_variable(struct net_device *dev)
{
struct r8192_priv *priv = ieee80211_priv(dev);
u8 i;
@@ -2223,6 +2223,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
priv->AcmControl = 0;
priv->pFirmware = kzalloc(sizeof(rt_firmware), GFP_KERNEL);
+ if (!priv->pFirmware)
+ return -ENOMEM;
/* rx related queue */
skb_queue_head_init(&priv->rx_queue);
@@ -2236,6 +2238,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
for (i = 0; i < MAX_QUEUE_SIZE; i++)
skb_queue_head_init(&priv->ieee80211->skb_drv_aggQ[i]);
priv->rf_set_chan = rtl8192_phy_SwChnl;
+
+ return 0;
}
/* init lock here */
@@ -2605,7 +2609,10 @@ static short rtl8192_init(struct net_device *dev)
memcpy(priv->txqueue_to_outpipemap, queuetopipe, 9);
}
#endif
- rtl8192_init_priv_variable(dev);
+ err = rtl8192_init_priv_variable(dev);
+ if (err)
+ return err;
+
rtl8192_init_priv_lock(priv);
rtl8192_init_priv_task(dev);
rtl8192_get_eeprom_size(dev);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH v4] staging: rtl8192u: null check the kzalloc
In rtl8192_init_priv_variable allocation for priv->pFirmware may fail,
so a null check is necessary.priv->pFirmware is accessed later in
rtl8192_adapter_start. I added the check and made appropriate changes
to propagate the errno to the caller.
Signed-off-by: Navid Emamdoost
---
Update v2: fixed style errors
Update V3: fixed prefix
Update V4: fixed style
---
drivers/staging/rtl8192u/r8192U_core.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c
b/drivers/staging/rtl8192u/r8192U_core.c
index fe1f279ca368..569d02240bf5 100644
--- a/drivers/staging/rtl8192u/r8192U_core.c
+++ b/drivers/staging/rtl8192u/r8192U_core.c
@@ -2096,7 +2096,7 @@ static void rtl8192_SetWirelessMode(struct net_device
*dev, u8 wireless_mode)
}
/* init priv variables here. only non_zero value should be initialized here. */
-static void rtl8192_init_priv_variable(struct net_device *dev)
+static int rtl8192_init_priv_variable(struct net_device *dev)
{
struct r8192_priv *priv = ieee80211_priv(dev);
u8 i;
@@ -2223,6 +2223,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
priv->AcmControl = 0;
priv->pFirmware = kzalloc(sizeof(rt_firmware), GFP_KERNEL);
+ if (!priv->pFirmware)
+ return -ENOMEM;
/* rx related queue */
skb_queue_head_init(&priv->rx_queue);
@@ -2236,6 +2238,8 @@ static void rtl8192_init_priv_variable(struct net_device
*dev)
for (i = 0; i < MAX_QUEUE_SIZE; i++)
skb_queue_head_init(&priv->ieee80211->skb_drv_aggQ[i]);
priv->rf_set_chan = rtl8192_phy_SwChnl;
+
+ return 0;
}
/* init lock here */
@@ -2605,7 +2609,10 @@ static short rtl8192_init(struct net_device *dev)
memcpy(priv->txqueue_to_outpipemap, queuetopipe, 9);
}
#endif
- rtl8192_init_priv_variable(dev);
+ err = rtl8192_init_priv_variable(dev);
+ if (err)
+ return err;
+
rtl8192_init_priv_lock(priv);
rtl8192_init_priv_task(dev);
rtl8192_get_eeprom_size(dev);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: rtl8192e: rtllib_module: Fix memory leak in alloc_rtllib
In the implementation of alloc_rtllib() the allocated dev is leaked in
case of ieee->pHTInfo allocation failure. Release via free_netdev(dev).
Fixes: 6869a11bff1d ("Staging: rtl8192e: Use !x instead of x == NULL")
Signed-off-by: Navid Emamdoost
---
drivers/staging/rtl8192e/rtllib_module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192e/rtllib_module.c
b/drivers/staging/rtl8192e/rtllib_module.c
index 64d9feee1f39..18d898714c5c 100644
--- a/drivers/staging/rtl8192e/rtllib_module.c
+++ b/drivers/staging/rtl8192e/rtllib_module.c
@@ -125,7 +125,7 @@ struct net_device *alloc_rtllib(int sizeof_priv)
ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput), GFP_KERNEL);
if (!ieee->pHTInfo)
- return NULL;
+ goto failed;
HTUpdateDefaultSetting(ieee);
HTInitializeHTInfo(ieee);
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] staging: comedi: drivers: Fix memory leak in gsc_hpdi_auto_attach
In the implementation of gsc_hpdi_auto_attach(), the allocated dma
description is leaks in case of alignment error, or failure of
gsc_hpdi_setup_dma_descriptors() or comedi_alloc_subdevices(). Release
devpriv->dma_desc via dma_free_coherent().
Signed-off-by: Navid Emamdoost
---
drivers/staging/comedi/drivers/gsc_hpdi.c | 16 +---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/comedi/drivers/gsc_hpdi.c
b/drivers/staging/comedi/drivers/gsc_hpdi.c
index 4bdf44d82879..c0c7047a6d1b 100644
--- a/drivers/staging/comedi/drivers/gsc_hpdi.c
+++ b/drivers/staging/comedi/drivers/gsc_hpdi.c
@@ -633,16 +633,17 @@ static int gsc_hpdi_auto_attach(struct comedi_device *dev,
if (devpriv->dma_desc_phys_addr & 0xf) {
dev_warn(dev->class_dev,
" dma descriptors not quad-word aligned (bug)\n");
- return -EIO;
+ retval = -EIO;
+ goto release_dma_desc;
}
retval = gsc_hpdi_setup_dma_descriptors(dev, 0x1000);
if (retval < 0)
- return retval;
+ goto release_dma_desc;
retval = comedi_alloc_subdevices(dev, 1);
if (retval)
- return retval;
+ goto release_dma_desc;
/* Digital I/O subdevice */
s = &dev->subdevices[0];
@@ -660,6 +661,15 @@ static int gsc_hpdi_auto_attach(struct comedi_device *dev,
s->cancel = gsc_hpdi_cancel;
return gsc_hpdi_init(dev);
+
+release_dma_desc:
+ if (devpriv->dma_desc)
+ dma_free_coherent(&pcidev->dev,
+ sizeof(struct plx_dma_desc) *
+ NUM_DMA_DESCRIPTORS,
+ devpriv->dma_desc,
+ devpriv->dma_desc_phys_addr);
+ return retval;
}
static void gsc_hpdi_detach(struct comedi_device *dev)
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: [PATCH] staging: rtl8192e: rtllib_module: Fix memory leak in alloc_rtllib
Hi Johan,
On Sun, Dec 15, 2019 at 7:23 AM Johan Hovold wrote:
>
> On Sat, Dec 14, 2019 at 05:05:58PM -0600, Navid Emamdoost wrote:
> > In the implementation of alloc_rtllib() the allocated dev is leaked in
> > case of ieee->pHTInfo allocation failure. Release via free_netdev(dev).
> >
> > Fixes: 6869a11bff1d ("Staging: rtl8192e: Use !x instead of x == NULL")
>
> This is not the commit that introduced this issue.
Oops! That should be 94a799425eee8
>
> > Signed-off-by: Navid Emamdoost
> > ---
> > drivers/staging/rtl8192e/rtllib_module.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/rtl8192e/rtllib_module.c
> > b/drivers/staging/rtl8192e/rtllib_module.c
> > index 64d9feee1f39..18d898714c5c 100644
> > --- a/drivers/staging/rtl8192e/rtllib_module.c
> > +++ b/drivers/staging/rtl8192e/rtllib_module.c
> > @@ -125,7 +125,7 @@ struct net_device *alloc_rtllib(int sizeof_priv)
> >
> > ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput), GFP_KERNEL);
> > if (!ieee->pHTInfo)
> > - return NULL;
> > + goto failed;
>
> And you're still leaking ieee->networks and possibly a bunch of other
> allocations here. You need to call at least rtllib_networks_free() in
> the error path.
I'm not familiar with this code, but based on your hint I believe
there should be something like free_rtllib() here, right?
More specifically, rtllib_softmac_free() and
lib80211_crypt_info_free() are needed along with
rtllib_networks_free(). If you confirm that it works I can go ahead to
prepare patch v2 with these releases.
>
> >
> > HTUpdateDefaultSetting(ieee);
> > HTInitializeHTInfo(ieee);
>
> Johan
--
Navid.
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
Re: [PATCH] staging: comedi: drivers: Fix memory leak in gsc_hpdi_auto_attach
Ian, thanks for your feedback.
On Mon, Dec 16, 2019 at 4:36 AM Ian Abbott wrote:
>
> On 15/12/2019 01:33, Navid Emamdoost wrote:
> > In the implementation of gsc_hpdi_auto_attach(), the allocated dma
> > description is leaks in case of alignment error, or failure of
> > gsc_hpdi_setup_dma_descriptors() or comedi_alloc_subdevices(). Release
> > devpriv->dma_desc via dma_free_coherent().
> >
> > Signed-off-by: Navid Emamdoost
>
> Actually, there is no memory leak (although there is another problem
> that I'll mention below). If the "auto_attach" handler
> gsc_hpdi_auto_attach() returns an error, then the "detach" handler
> gsc_hpdi_detach() will be called automatically to clean up. (This is
> true for all comedi drivers). gsc_hpdi_detach() calls
> gsc_hpdi_free_dma() to free the DMA buffers and DMA descriptors.
>
I was aware that comedi_alloc_devpriv() is a resource managed
allocation, but was not sure how subsequent dma_desc allocation will
be handled when device detach.
> > ---
> > drivers/staging/comedi/drivers/gsc_hpdi.c | 16 +---
> > 1 file changed, 13 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/staging/comedi/drivers/gsc_hpdi.c
> > b/drivers/staging/comedi/drivers/gsc_hpdi.c
> > index 4bdf44d82879..c0c7047a6d1b 100644
> > --- a/drivers/staging/comedi/drivers/gsc_hpdi.c
> > +++ b/drivers/staging/comedi/drivers/gsc_hpdi.c
> > @@ -633,16 +633,17 @@ static int gsc_hpdi_auto_attach(struct comedi_device
> > *dev,
> > if (devpriv->dma_desc_phys_addr & 0xf) {
> > dev_warn(dev->class_dev,
> >" dma descriptors not quad-word aligned (bug)\n");
> > - return -EIO;
> > + retval = -EIO;
> > + goto release_dma_desc;
> > }
> >
> > retval = gsc_hpdi_setup_dma_descriptors(dev, 0x1000);
> > if (retval < 0)
> > - return retval;
> > + goto release_dma_desc;
> >
> > retval = comedi_alloc_subdevices(dev, 1);
> > if (retval)
> > - return retval;
> > + goto release_dma_desc;
> >
> > /* Digital I/O subdevice */
> > s = &dev->subdevices[0];
> > @@ -660,6 +661,15 @@ static int gsc_hpdi_auto_attach(struct comedi_device
> > *dev,
> > s->cancel = gsc_hpdi_cancel;
> >
> > return gsc_hpdi_init(dev);
> > +
> > +release_dma_desc:
> > + if (devpriv->dma_desc)
> > + dma_free_coherent(&pcidev->dev,
> > + sizeof(struct plx_dma_desc) *
> > + NUM_DMA_DESCRIPTORS,
> > + devpriv->dma_desc,
> > + devpriv->dma_desc_phys_addr);
> > + return retval;
> > }
> >
> > static void gsc_hpdi_detach(struct comedi_device *dev)
> >
>
> This patch could actually result in devpriv->dma_desc being freed twice
> - once in the 'release_dma_desc:' code and again when gsc_hpdi_detach()
> is called externally as part of the clean-up.
>
> The real bug in the original code is that it does not check whether any
> of the calls to dma_alloc_coherent() returned NULL. If any of the calls
> to dma_alloc_coherent() returns NULL, gsc_hpdi_auto_attach() needs to
> return an error (-ENOMEM). The subsequent call to gsc_hpdi_detach()
> will then free whatever DMA coherent buffers where allocated.
>
Yes, this potential null deref is another type of bug, which I will
send a patch for separately.
> --
> -=( Ian Abbott || Web: www.mev.co.uk )=-
> -=( MEV Ltd. is a company registered in England & Wales. )=-
> -=( Registered number: 02862268. Registered address:)=-
> -=( 15 West Park Road, Bramhall, STOCKPORT, SK7 3JZ, UK. )=-
--
Navid.
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
[PATCH] media: staging: tegra-vde: add missing pm_runtime_put_autosuspend
Call to pm_runtime_get_sync increments counter even in case of
failure leading to incorrect ref count.
Call pm_runtime_put_autosuspend if pm_runtime_get_sync fails.
Signed-off-by: Navid Emamdoost
---
drivers/staging/media/tegra-vde/vde.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/tegra-vde/vde.c
b/drivers/staging/media/tegra-vde/vde.c
index d3e63512a765..52cdd4a91e93 100644
--- a/drivers/staging/media/tegra-vde/vde.c
+++ b/drivers/staging/media/tegra-vde/vde.c
@@ -776,8 +776,10 @@ static int tegra_vde_ioctl_decode_h264(struct tegra_vde
*vde,
goto release_dpb_frames;
ret = pm_runtime_get_sync(dev);
- if (ret < 0)
+ if (ret < 0) {
+ pm_runtime_put_autosuspend(dev);
goto unlock;
+ }
/*
* We rely on the VDE registers reset value, otherwise VDE
--
2.17.1
___
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
