[PATCH v2] qed: Add cleanup in qed_slowpath_start()
If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
memory leaks. To fix this issue, introduce the label 'err4' to perform the
cleanup work before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c
b/drivers/net/ethernet/qlogic/qed/qed_main.c
index 829dd60..1efff7f 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
@@ -1325,7 +1325,7 @@ static int qed_slowpath_start(struct qed_dev *cdev,
_version);
if (rc) {
DP_NOTICE(cdev, "Failed sending drv version command\n");
- return rc;
+ goto err4;
}
}
@@ -1333,6 +1333,8 @@ static int qed_slowpath_start(struct qed_dev *cdev,
return 0;
+err4:
+ qed_ll2_dealloc_if(cdev);
err3:
qed_hw_stop(cdev);
err2:
--
2.7.4
Re: [EXT] [PATCH] qed: Add cleanup in qed_slowpath_start()
On Tue, Aug 13, 2019 at 6:46 AM Sudarsana Reddy Kalluru
wrote:
>
> > -Original Message-
> > From: Wenwen Wang
> > Sent: Tuesday, August 13, 2019 3:35 PM
> > To: Wenwen Wang
> > Cc: Ariel Elior ; GR-everest-linux-l2 > l...@marvell.com>; David S. Miller ; open
> > list:QLOGIC QL4xxx ETHERNET DRIVER ; open list
> >
> > Subject: [EXT] [PATCH] qed: Add cleanup in qed_slowpath_start()
> >
> > External Email
> >
> > --
> > If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
> > memory leaks. To fix this issue, redirect the execution to the label 'err3'
> > before returning the error.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c
> > b/drivers/net/ethernet/qlogic/qed/qed_main.c
> > index 829dd60..d16a251 100644
> > --- a/drivers/net/ethernet/qlogic/qed/qed_main.c
> > +++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
> > @@ -1325,7 +1325,7 @@ static int qed_slowpath_start(struct qed_dev
> > *cdev,
> > _version);
> > if (rc) {
> > DP_NOTICE(cdev, "Failed sending drv version
> > command\n");
> > - return rc;
> > + goto err3;
>
> In this case, we might need to free the ll2-buf allocated at the below path
> (?),
> 1312 /* Allocate LL2 interface if needed */
> 1313 if (QED_LEADING_HWFN(cdev)->using_ll2) {
> 1314 rc = qed_ll2_alloc_if(cdev);
> May be by adding a new goto label 'err4'.
Thanks for your suggestion! I will rework the patch.
Wenwen
>
> > }
> > }
> >
> > --
> > 2.7.4
>
[PATCH v2] net: pch_gbe: Fix memory leaks
In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' and 'rx_old' are not deallocated, leading to memory leaks. To fix this issue, move the free statements to the outside of the if() statement. Signed-off-by: Wenwen Wang --- drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c index 1a3008e..cb43919 100644 --- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c +++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c @@ -340,12 +340,10 @@ static int pch_gbe_set_ringparam(struct net_device *netdev, goto err_setup_tx; pch_gbe_free_rx_resources(adapter, rx_old); pch_gbe_free_tx_resources(adapter, tx_old); - kfree(tx_old); - kfree(rx_old); - adapter->rx_ring = rxdr; - adapter->tx_ring = txdr; err = pch_gbe_up(adapter); } + kfree(tx_old); + kfree(rx_old); return err; err_setup_tx: -- 2.7.4
Re: [PATCH] net: pch_gbe: Fix memory leaks
On Thu, Aug 15, 2019 at 4:51 PM David Miller wrote: > > From: Wenwen Wang > Date: Thu, 15 Aug 2019 16:46:05 -0400 > > > On Thu, Aug 15, 2019 at 4:42 PM David Miller wrote: > >> > >> From: Wenwen Wang > >> Date: Thu, 15 Aug 2019 16:03:39 -0400 > >> > >> > On Thu, Aug 15, 2019 at 3:34 PM David Miller wrote: > >> >> > >> >> From: Wenwen Wang > >> >> Date: Tue, 13 Aug 2019 20:33:45 -0500 > >> >> > >> >> > In pch_gbe_set_ringparam(), if netif_running() returns false, > >> >> > 'tx_old' and > >> >> > 'rx_old' are not deallocated, leading to memory leaks. To fix this > >> >> > issue, > >> >> > move the free statements after the if branch. > >> >> > > >> >> > Signed-off-by: Wenwen Wang > >> >> > >> >> Why would they be "deallocated"? They are still assigned to > >> >> adapter->tx_ring and adapter->rx_ring. > >> > > >> > 'adapter->tx_ring' and 'adapter->rx_ring' has been covered by newly > >> > allocated 'txdr' and 'rxdr' respectively before this if statement. > >> > >> That only happens inside of the if() statement, that's why rx_old and > >> tx_old are only freed in that code path. > > > > That happens not only inside of the if statement, but also before the > > if statement, just after 'txdr' and 'rxdr' are allocated. > > Then the assignments inside of the if() statement are redundant. > > Something doesn't add up here, please make the code consistent. Thanks for your suggestion! I will remove the assignments inside of the if() statement. Wenwen
[PATCH v2] ACPI / PCI: fix acpi_pci_irq_enable() memory leak
In acpi_pci_irq_enable(), 'entry' is allocated by kzalloc() in
acpi_pci_irq_check_entry() (invoked from acpi_pci_irq_lookup()). However,
it is not deallocated if acpi_pci_irq_valid() returns false, leading to a
memory leak. To fix this issue, free 'entry' before returning 0.
Fixes: e237a5518425 ("x86/ACPI/PCI: Recognize that Interrupt Line 255 means
"not connected"")
Signed-off-by: Wenwen Wang
---
drivers/acpi/pci_irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
index d2549ae..dea8a60 100644
--- a/drivers/acpi/pci_irq.c
+++ b/drivers/acpi/pci_irq.c
@@ -449,8 +449,10 @@ int acpi_pci_irq_enable(struct pci_dev *dev)
* No IRQ known to the ACPI subsystem - maybe the BIOS /
* driver reported one, then use it. Exit in any case.
*/
- if (!acpi_pci_irq_valid(dev, pin))
+ if (!acpi_pci_irq_valid(dev, pin)) {
+ kfree(entry);
return 0;
+ }
if (acpi_isa_register_gsi(dev))
dev_warn(>dev, "PCI INT %c: no GSI\n",
--
2.7.4
Re: [PATCH] ACPI / PCI: fix a memory leak bug
On Mon, Aug 19, 2019 at 5:23 PM Bjorn Helgaas wrote:
>
> The subject line should give a clue about where the leak is, e.g.,
>
> ACPI / PCI: fix acpi_pci_irq_enable() memory leak
>
> On Thu, Aug 15, 2019 at 11:33:22PM -0500, Wenwen Wang wrote:
> > In acpi_pci_irq_enable(), 'entry' is allocated by invoking
> > acpi_pci_irq_lookup(). However, it is not deallocated if
> > acpi_pci_irq_valid() returns false, leading to a memory leak. To fix this
> > issue, free 'entry' before returning 0.
>
> I think the corresponding kzalloc() is the one in
> acpi_pci_irq_check_entry().
>
> > Signed-off-by: Wenwen Wang
> > ---
> > drivers/acpi/pci_irq.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
> > index d2549ae..dea8a60 100644
> > --- a/drivers/acpi/pci_irq.c
> > +++ b/drivers/acpi/pci_irq.c
> > @@ -449,8 +449,10 @@ int acpi_pci_irq_enable(struct pci_dev *dev)
> >* No IRQ known to the ACPI subsystem - maybe the BIOS /
> >* driver reported one, then use it. Exit in any case.
> >*/
> > - if (!acpi_pci_irq_valid(dev, pin))
> > + if (!acpi_pci_irq_valid(dev, pin)) {
> > + kfree(entry);
> > return 0;
> > + }
>
> Looks like we missed this when e237a5518425 ("x86/ACPI/PCI: Recognize
> that Interrupt Line 255 means "not connected"") was merged.
>
> You could add:
>
> Fixes: e237a5518425 ("x86/ACPI/PCI: Recognize that Interrupt Line 255 means
> "not connected"")
>
> > if (acpi_isa_register_gsi(dev))
> > dev_warn(>dev, "PCI INT %c: no GSI\n",
> > --
> > 2.7.4
> >
Thanks for your comments and suggestions! I will rework the patch.
Wenwen
[PATCH v2] NFSv4: Fix a memory leak bug
In nfs4_try_migration(), if nfs4_begin_drain_session() fails, the
previously allocated 'page' and 'locations' are not deallocated, leading to
memory leaks. To fix this issue, go to the 'out' label to free 'page' and
'locations' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/nfs/nfs4state.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index cad4e06..e916aba 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -2095,8 +2095,10 @@ static int nfs4_try_migration(struct nfs_server *server,
const struct cred *cred
}
status = nfs4_begin_drain_session(clp);
- if (status != 0)
- return status;
+ if (status != 0) {
+ result = status;
+ goto out;
+ }
status = nfs4_replace_transport(server, locations);
if (status != 0) {
--
2.7.4
Re: [PATCH] NFSv4: Fix a memory leak bug
On Tue, Aug 20, 2019 at 9:41 AM Schumaker, Anna
wrote:
>
> Hi Wenwen,
>
> On Tue, 2019-08-20 at 02:54 -0500, Wenwen Wang wrote:
> > In nfs4_try_migration(), if nfs4_begin_drain_session() fails, the
> > previously allocated 'page' and 'locations' are not deallocated,
> > leading to
> > memory leaks. To fix this issue, free 'page' and 'locations' before
> > returning the error.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > fs/nfs/nfs4state.c | 6 +-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
> > index cad4e06..37823dc 100644
> > --- a/fs/nfs/nfs4state.c
> > +++ b/fs/nfs/nfs4state.c
> > @@ -2095,8 +2095,12 @@ static int nfs4_try_migration(struct
> > nfs_server *server, const struct cred *cred
> > }
> >
> > status = nfs4_begin_drain_session(clp);
> > - if (status != 0)
> > + if (status != 0) {
> > + if (page != NULL)
> > + __free_page(page);
> > + kfree(locations);
> > return status;
>
> Thanks for the suggestion! I think a better option would be to switch
> the "return status" into a "goto out" so we can keep all our cleanup
> code in a single place in case we ever need to change it in the future.
>
> What do you think?
Thanks for your comments! I will rework the patch.
Wenwen
> Anna
>
> > + }
> >
> > status = nfs4_replace_transport(server, locations);
> > if (status != 0) {
> > --
> > 2.7.4
> >
[PATCH] NFSv4: Fix a memory leak bug
In nfs4_try_migration(), if nfs4_begin_drain_session() fails, the
previously allocated 'page' and 'locations' are not deallocated, leading to
memory leaks. To fix this issue, free 'page' and 'locations' before
returning the error.
Signed-off-by: Wenwen Wang
---
fs/nfs/nfs4state.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index cad4e06..37823dc 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -2095,8 +2095,12 @@ static int nfs4_try_migration(struct nfs_server *server,
const struct cred *cred
}
status = nfs4_begin_drain_session(clp);
- if (status != 0)
+ if (status != 0) {
+ if (page != NULL)
+ __free_page(page);
+ kfree(locations);
return status;
+ }
status = nfs4_replace_transport(server, locations);
if (status != 0) {
--
2.7.4
[PATCH] omfs: Fix a memory leak bug
In omfs_get_imap(), 'sbi->s_imap' is allocated through kcalloc(). However,
it is not deallocated in the following execution if 'block' is not less
than 'sbi->s_num_blocks', leading to a memory leak bug. To fix this issue,
go to the 'nomem_free' label to free 'sbi->s_imap'.
Signed-off-by: Wenwen Wang
---
fs/omfs/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/omfs/inode.c b/fs/omfs/inode.c
index 08226a8..e4d89a6 100644
--- a/fs/omfs/inode.c
+++ b/fs/omfs/inode.c
@@ -356,7 +356,7 @@ static int omfs_get_imap(struct super_block *sb)
block = clus_to_blk(sbi, sbi->s_bitmap_ino);
if (block >= sbi->s_num_blocks)
- goto nomem;
+ goto nomem_free;
ptr = sbi->s_imap;
for (count = bitmap_size; count > 0; count -= sb->s_blocksize) {
--
2.7.4
[PATCH] ecryptfs: fix a memory leak bug
In ecryptfs_init_messaging(), if the allocation for 'ecryptfs_msg_ctx_arr'
fails, the previously allocated 'ecryptfs_daemon_hash' is not deallocated,
leading to a memory leak bug. To fix this issue, free
'ecryptfs_daemon_hash' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/ecryptfs/messaging.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ecryptfs/messaging.c b/fs/ecryptfs/messaging.c
index d668e60..c05ca39 100644
--- a/fs/ecryptfs/messaging.c
+++ b/fs/ecryptfs/messaging.c
@@ -379,6 +379,7 @@ int __init ecryptfs_init_messaging(void)
* ecryptfs_message_buf_len),
GFP_KERNEL);
if (!ecryptfs_msg_ctx_arr) {
+ kfree(ecryptfs_daemon_hash);
rc = -ENOMEM;
goto out;
}
--
2.7.4
[PATCH] ecryptfs: fix a memory leak bug
In parse_tag_1_packet(), if tag 1 packet contains a key larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES, no cleanup is executed, leading to a memory leak on the allocated 'auth_tok_list_item'. To fix this issue, go to the label 'out_free' to perform the cleanup work. Signed-off-by: Wenwen Wang --- fs/ecryptfs/keystore.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ecryptfs/keystore.c b/fs/ecryptfs/keystore.c index 216fbe6..4dc0963 100644 --- a/fs/ecryptfs/keystore.c +++ b/fs/ecryptfs/keystore.c @@ -1304,7 +1304,7 @@ parse_tag_1_packet(struct ecryptfs_crypt_stat *crypt_stat, printk(KERN_WARNING "Tag 1 packet contains key larger " "than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES\n"); rc = -EINVAL; - goto out; + goto out_free; } memcpy((*new_auth_tok)->session_key.encrypted_key, [(*packet_size)], (body_size - (ECRYPTFS_SIG_SIZE + 2))); -- 2.7.4
[PATCH] ubifs: fix a memory leak bug
In ubifs_mount(), 'c' is allocated through kzalloc() in alloc_ubifs_info().
However, it is not deallocated in the following execution if
ubifs_fill_super() fails, leading to a memory leak bug. To fix this issue,
free 'c' before going to the 'out_deact' label.
Signed-off-by: Wenwen Wang
---
fs/ubifs/super.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
index 2c0803b..46e30e2 100644
--- a/fs/ubifs/super.c
+++ b/fs/ubifs/super.c
@@ -2252,8 +2252,10 @@ static struct dentry *ubifs_mount(struct
file_system_type *fs_type, int flags,
}
} else {
err = ubifs_fill_super(sb, data, flags & SB_SILENT ? 1 : 0);
- if (err)
+ if (err) {
+ kfree(c);
goto out_deact;
+ }
/* We do not support atime */
sb->s_flags |= SB_ACTIVE;
if (IS_ENABLED(CONFIG_UBIFS_ATIME_SUPPORT))
--
2.7.4
[PATCH] ubifs: fix a memory leak bug
In __ubifs_node_verify_hmac(), 'hmac' is allocated through kmalloc().
However, it is not deallocated in the following execution if
ubifs_node_calc_hmac() fails, leading to a memory leak bug. To fix this
issue, free 'hmac' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/ubifs/auth.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ubifs/auth.c b/fs/ubifs/auth.c
index d9af2de..8cdbd53 100644
--- a/fs/ubifs/auth.c
+++ b/fs/ubifs/auth.c
@@ -479,8 +479,10 @@ int __ubifs_node_verify_hmac(const struct ubifs_info *c,
const void *node,
return -ENOMEM;
err = ubifs_node_calc_hmac(c, node, len, ofs_hmac, hmac);
- if (err)
+ if (err) {
+ kfree(hmac);
return err;
+ }
err = crypto_memneq(hmac, node + ofs_hmac, hmac_len);
--
2.7.4
[PATCH] ubifs: fix a memory leak bug
In read_znode(), the indexing node 'idx' is allocated by kmalloc().
However, it is not deallocated in the following execution if
ubifs_node_check_hash() fails, leading to a memory leak bug. To fix this
issue, free 'idx' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/ubifs/tnc_misc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/ubifs/tnc_misc.c b/fs/ubifs/tnc_misc.c
index 6f293f6..49cb34c 100644
--- a/fs/ubifs/tnc_misc.c
+++ b/fs/ubifs/tnc_misc.c
@@ -284,6 +284,7 @@ static int read_znode(struct ubifs_info *c, struct
ubifs_zbranch *zzbr,
err = ubifs_node_check_hash(c, idx, zzbr->hash);
if (err) {
ubifs_bad_hash(c, idx, zzbr->hash, lnum, offs);
+ kfree(idx);
return err;
}
--
2.7.4
[PATCH] locks: fix a memory leak bug
In __break_lease(), the file lock 'new_fl' is allocated in lease_alloc().
However, it is not deallocated in the following execution if
smp_load_acquire() fails, leading to a memory leak bug. To fix this issue,
free 'new_fl' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/locks.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/locks.c b/fs/locks.c
index 686eae2..5993b2a 100644
--- a/fs/locks.c
+++ b/fs/locks.c
@@ -1592,7 +1592,7 @@ int __break_lease(struct inode *inode, unsigned int mode,
unsigned int type)
ctx = smp_load_acquire(>i_flctx);
if (!ctx) {
WARN_ON_ONCE(1);
- return error;
+ goto free_lock;
}
percpu_down_read(_rwsem);
@@ -1672,6 +1672,7 @@ int __break_lease(struct inode *inode, unsigned int mode,
unsigned int type)
spin_unlock(>flc_lock);
percpu_up_read(_rwsem);
locks_dispose_list();
+free_lock:
locks_free_lock(new_fl);
return error;
}
--
2.7.4
[PATCH] jffs2: fix a memory leak bug
In jffs2_scan_eraseblock(), 'sumptr' is allocated through kmalloc() if
'sumlen' is larger than 'buf_size'. However, it is not deallocated in the
following execution if jffs2_fill_scan_buf() fails, leading to a memory
leak bug. To fix this issue, free 'sumptr' before returning the error.
Signed-off-by: Wenwen Wang
---
fs/jffs2/scan.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/scan.c b/fs/jffs2/scan.c
index 90431dd..5f7e284 100644
--- a/fs/jffs2/scan.c
+++ b/fs/jffs2/scan.c
@@ -527,8 +527,11 @@ static int jffs2_scan_eraseblock (struct jffs2_sb_info *c,
struct jffs2_eraseblo
err = jffs2_fill_scan_buf(c, sumptr,
jeb->offset +
c->sector_size - sumlen,
sumlen -
buf_len);
- if (err)
+ if (err) {
+ if (sumlen > buf_size)
+ kfree(sumptr);
return err;
+ }
}
}
--
2.7.4
[PATCH] led: triggers: Fix a memory leak bug
In led_trigger_set(), 'event' is allocated in kasprintf(). However, it is not deallocated in the following execution if the label 'err_activate' or 'err_add_groups' is entered, leading to memory leaks. To fix this issue, free 'event' before returning the error. Signed-off-by: Wenwen Wang --- drivers/leds/led-triggers.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/leds/led-triggers.c b/drivers/leds/led-triggers.c index 8d11a5e..eff1bda 100644 --- a/drivers/leds/led-triggers.c +++ b/drivers/leds/led-triggers.c @@ -173,6 +173,7 @@ int led_trigger_set(struct led_classdev *led_cdev, struct led_trigger *trig) list_del(_cdev->trig_list); write_unlock_irqrestore(_cdev->trigger->leddev_list_lock, flags); led_set_brightness(led_cdev, LED_OFF); + kfree(event); return ret; } -- 2.7.4
[PATCH v2] mtd: spi-nor: fix a memory leak bug
In spi_nor_parse_4bait(), 'dwords' is allocated through kmalloc(). However,
it is not deallocated in the following execution if spi_nor_read_sfdp()
fails, leading to a memory leak. To fix this issue, free 'dwords' before
returning the error.
Fixes: 816873eaeec6 ("mtd: spi-nor: parse SFDP 4-byte Address Instruction
Table")
Signed-off-by: Wenwen Wang
---
drivers/mtd/spi-nor/spi-nor.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c
index 03cc788..a41a466 100644
--- a/drivers/mtd/spi-nor/spi-nor.c
+++ b/drivers/mtd/spi-nor/spi-nor.c
@@ -3453,7 +3453,7 @@ static int spi_nor_parse_4bait(struct spi_nor *nor,
addr = SFDP_PARAM_HEADER_PTP(param_header);
ret = spi_nor_read_sfdp(nor, addr, len, dwords);
if (ret)
- return ret;
+ goto out;
/* Fix endianness of the 4BAIT DWORDs. */
for (i = 0; i < SFDP_4BAIT_DWORD_MAX; i++)
--
2.7.4
Re: [PATCH] mtd: spi-nor: fix a memory leak bug
On Mon, Aug 19, 2019 at 2:03 AM wrote: > > > > On 08/18/2019 08:39 PM, Wenwen Wang wrote: > > In spi_nor_parse_4bait(), 'dwords' is allocated through kmalloc(). However, > > it is not deallocated in the following execution if spi_nor_read_sfdp() > > fails, leading to a memory leak. To fix this issue, free 'dwords' before > > returning the error. > > Looks good. Would you add a Fixes tag? Sure, I will add the Fixes tag and resubmit the patch. Thanks! Wenwen > > > > Signed-off-by: Wenwen Wang > > --- > > drivers/mtd/spi-nor/spi-nor.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c > > index 03cc788..a41a466 100644 > > --- a/drivers/mtd/spi-nor/spi-nor.c > > +++ b/drivers/mtd/spi-nor/spi-nor.c > > @@ -3453,7 +3453,7 @@ static int spi_nor_parse_4bait(struct spi_nor *nor, > > addr = SFDP_PARAM_HEADER_PTP(param_header); > > ret = spi_nor_read_sfdp(nor, addr, len, dwords); > > if (ret) > > - return ret; > > + goto out; > > > > /* Fix endianness of the 4BAIT DWORDs. */ > > for (i = 0; i < SFDP_4BAIT_DWORD_MAX; i++) > >
[PATCH v2] mtd: rawnand: Fix a memory leak bug
In nand_scan_bbt(), a temporary buffer 'buf' is allocated through
vmalloc(). However, if check_create() fails, 'buf' is not deallocated,
leading to a memory leak bug. To fix this issue, free 'buf' before
returning the error.
Signed-off-by: Wenwen Wang
---
drivers/mtd/nand/raw/nand_bbt.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/mtd/nand/raw/nand_bbt.c b/drivers/mtd/nand/raw/nand_bbt.c
index 2ef15ef..96045d6 100644
--- a/drivers/mtd/nand/raw/nand_bbt.c
+++ b/drivers/mtd/nand/raw/nand_bbt.c
@@ -1232,7 +1232,7 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
if (!td) {
if ((res = nand_memory_bbt(this, bd))) {
pr_err("nand_bbt: can't scan flash and build the
RAM-based BBT\n");
- goto err;
+ goto err_free_bbt;
}
return 0;
}
@@ -1245,7 +1245,7 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
buf = vmalloc(len);
if (!buf) {
res = -ENOMEM;
- goto err;
+ goto err_free_bbt;
}
/* Is the bbt at a given page? */
@@ -1258,7 +1258,7 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
res = check_create(this, buf, bd);
if (res)
- goto err;
+ goto err_free_buf;
/* Prevent the bbt regions from erasing / writing */
mark_bbt_region(this, td);
@@ -1268,7 +1268,9 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
vfree(buf);
return 0;
-err:
+err_free_buf:
+ vfree(buf);
+err_free_bbt:
kfree(this->bbt);
this->bbt = NULL;
return res;
--
2.7.4
[PATCH] IB/mlx4: Fix memory leaks
In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through
kcalloc(). However, it is not always deallocated in the following execution
if an error occurs, leading to memory leaks. To fix this issue, free
'tun_qp->tx_ring' whenever an error occurs.
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/mlx4/mad.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
index 68c9514..5707911 100644
--- a/drivers/infiniband/hw/mlx4/mad.c
+++ b/drivers/infiniband/hw/mlx4/mad.c
@@ -1677,8 +1677,6 @@ static int mlx4_ib_alloc_pv_bufs(struct
mlx4_ib_demux_pv_ctx *ctx,
tx_buf_size, DMA_TO_DEVICE);
kfree(tun_qp->tx_ring[i].buf.addr);
}
- kfree(tun_qp->tx_ring);
- tun_qp->tx_ring = NULL;
i = MLX4_NUM_TUNNEL_BUFS;
err:
while (i > 0) {
@@ -1687,6 +1685,8 @@ static int mlx4_ib_alloc_pv_bufs(struct
mlx4_ib_demux_pv_ctx *ctx,
rx_buf_size, DMA_FROM_DEVICE);
kfree(tun_qp->ring[i].addr);
}
+ kfree(tun_qp->tx_ring);
+ tun_qp->tx_ring = NULL;
kfree(tun_qp->ring);
tun_qp->ring = NULL;
return -ENOMEM;
--
2.7.4
[PATCH] infiniband: hfi1: fix a memory leak bug
In fault_opcodes_read(), 'data' is not deallocated if debugfs_file_get()
fails, leading to a memory leak. To fix this bug, introduce the 'free_data'
label to free 'data' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/hfi1/fault.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/hfi1/fault.c
b/drivers/infiniband/hw/hfi1/fault.c
index 93613e5..814324d 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -214,7 +214,7 @@ static ssize_t fault_opcodes_read(struct file *file, char
__user *buf,
return -ENOMEM;
ret = debugfs_file_get(file->f_path.dentry);
if (unlikely(ret))
- return ret;
+ goto free_data;
bit = find_first_bit(fault->opcodes, bitsize);
while (bit < bitsize) {
zero = find_next_zero_bit(fault->opcodes, bitsize, bit);
@@ -232,6 +232,7 @@ static ssize_t fault_opcodes_read(struct file *file, char
__user *buf,
data[size - 1] = '\n';
data[size] = '\0';
ret = simple_read_from_buffer(buf, len, pos, data, size);
+free_data:
kfree(data);
return ret;
}
--
2.7.4
[PATCH] infiniband: hfi1: fix memory leaks
In fault_opcodes_write(), 'data' is allocated through kcalloc(). However,
it is not deallocated in the following execution if an error occurs,
leading to memory leaks. To fix this issue, introduce the 'free_data' label
to free 'data' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/hfi1/fault.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/fault.c
b/drivers/infiniband/hw/hfi1/fault.c
index 93613e5..a999183 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -141,12 +141,14 @@ static ssize_t fault_opcodes_write(struct file *file,
const char __user *buf,
if (!data)
return -ENOMEM;
copy = min(len, datalen - 1);
- if (copy_from_user(data, buf, copy))
- return -EFAULT;
+ if (copy_from_user(data, buf, copy)) {
+ ret = -EFAULT;
+ goto free_data;
+ }
ret = debugfs_file_get(file->f_path.dentry);
if (unlikely(ret))
- return ret;
+ goto free_data;
ptr = data;
token = ptr;
for (ptr = data; *ptr; ptr = end + 1, token = ptr) {
@@ -195,6 +197,7 @@ static ssize_t fault_opcodes_write(struct file *file, const
char __user *buf,
ret = len;
debugfs_file_put(file->f_path.dentry);
+free_data:
kfree(data);
return ret;
}
--
2.7.4
[PATCH] mtd: spi-nor: fix a memory leak bug
In spi_nor_parse_4bait(), 'dwords' is allocated through kmalloc(). However, it is not deallocated in the following execution if spi_nor_read_sfdp() fails, leading to a memory leak. To fix this issue, free 'dwords' before returning the error. Signed-off-by: Wenwen Wang --- drivers/mtd/spi-nor/spi-nor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/spi-nor/spi-nor.c b/drivers/mtd/spi-nor/spi-nor.c index 03cc788..a41a466 100644 --- a/drivers/mtd/spi-nor/spi-nor.c +++ b/drivers/mtd/spi-nor/spi-nor.c @@ -3453,7 +3453,7 @@ static int spi_nor_parse_4bait(struct spi_nor *nor, addr = SFDP_PARAM_HEADER_PTP(param_header); ret = spi_nor_read_sfdp(nor, addr, len, dwords); if (ret) - return ret; + goto out; /* Fix endianness of the 4BAIT DWORDs. */ for (i = 0; i < SFDP_4BAIT_DWORD_MAX; i++) -- 2.7.4
[PATCH] mtd: sm_ftl: fix memory leaks
In sm_init_zone(), 'zone->lba_to_phys_table' is allocated through
kmalloc_array() and 'zone->free_sectors' is allocated in kfifo_alloc()
respectively. However, they are not deallocated in the following execution
if sm_read_sector() fails, leading to memory leaks. To fix this issue, free
them before returning -EIO.
Signed-off-by: Wenwen Wang
---
drivers/mtd/sm_ftl.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
index dfc47a4..4744bf9 100644
--- a/drivers/mtd/sm_ftl.c
+++ b/drivers/mtd/sm_ftl.c
@@ -774,8 +774,11 @@ static int sm_init_zone(struct sm_ftl *ftl, int zone_num)
continue;
/* Read the oob of first sector */
- if (sm_read_sector(ftl, zone_num, block, 0, NULL, ))
+ if (sm_read_sector(ftl, zone_num, block, 0, NULL, )) {
+ kfifo_free(>free_sectors);
+ kfree(zone->lba_to_phys_table);
return -EIO;
+ }
/* Test to see if block is erased. It is enough to test
first sector, because erase happens in one shot */
--
2.7.4
[PATCH] mtd: onenand_base: Fix a memory leak bug
In onenand_scan(), if CONFIG_MTD_ONENAND_VERIFY_WRITE is defined,
'this->verify_buf' is allocated through kzalloc(). However, it is not
deallocated in the following execution, if the allocation for
'this->oob_buf' fails, leading to a memory leak bug. To fix this issue,
free 'this->verify_buf' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/mtd/nand/onenand/onenand_base.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mtd/nand/onenand/onenand_base.c
b/drivers/mtd/nand/onenand/onenand_base.c
index e082d63..77bd32a 100644
--- a/drivers/mtd/nand/onenand/onenand_base.c
+++ b/drivers/mtd/nand/onenand/onenand_base.c
@@ -3880,6 +3880,9 @@ int onenand_scan(struct mtd_info *mtd, int maxchips)
if (!this->oob_buf) {
if (this->options & ONENAND_PAGEBUF_ALLOC) {
this->options &= ~ONENAND_PAGEBUF_ALLOC;
+#ifdef CONFIG_MTD_ONENAND_VERIFY_WRITE
+ kfree(this->verify_buf);
+#endif
kfree(this->page_buf);
}
return -ENOMEM;
--
2.7.4
[PATCH] mtd: rawnand: Fix a memory leak bug
In nand_scan_bbt(), a temporary buffer 'buf' is allocated through
vmalloc(). However, if check_create() fails, 'buf' is not deallocated,
leading to a memory leak bug. To fix this issue, free 'buf' before
returning the error.
Signed-off-by: Wenwen Wang
---
drivers/mtd/nand/raw/nand_bbt.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/nand/raw/nand_bbt.c b/drivers/mtd/nand/raw/nand_bbt.c
index 2ef15ef..864a00a 100644
--- a/drivers/mtd/nand/raw/nand_bbt.c
+++ b/drivers/mtd/nand/raw/nand_bbt.c
@@ -1245,7 +1245,7 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
buf = vmalloc(len);
if (!buf) {
res = -ENOMEM;
- goto err;
+ goto err_free_bbt;
}
/* Is the bbt at a given page? */
@@ -1258,7 +1258,7 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
res = check_create(this, buf, bd);
if (res)
- goto err;
+ goto err_free_buf;
/* Prevent the bbt regions from erasing / writing */
mark_bbt_region(this, td);
@@ -1268,7 +1268,9 @@ static int nand_scan_bbt(struct nand_chip *this, struct
nand_bbt_descr *bd)
vfree(buf);
return 0;
-err:
+err_free_buf:
+ vfree(buf);
+err_free_bbt:
kfree(this->bbt);
this->bbt = NULL;
return res;
--
2.7.4
[PATCH] media: ti-vpe: Add cleanup in vpdma_list_cleanup()
If an error occurs in this function, no cleanup is executed, leading to
memory/resource leaks. To fix this issue, introduce two labels to perform
the cleanup work.
Signed-off-by: Wenwen Wang
---
drivers/media/platform/ti-vpe/vpdma.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/media/platform/ti-vpe/vpdma.c
b/drivers/media/platform/ti-vpe/vpdma.c
index fd37d79..53d27cd 100644
--- a/drivers/media/platform/ti-vpe/vpdma.c
+++ b/drivers/media/platform/ti-vpe/vpdma.c
@@ -445,23 +445,25 @@ int vpdma_list_cleanup(struct vpdma_data *vpdma, int
list_num,
ret = vpdma_map_desc_buf(vpdma, _list.buf);
if (ret)
- return ret;
+ goto free_desc;
ret = vpdma_submit_descs(vpdma, _list, list_num);
if (ret)
- return ret;
+ goto unmap_desc;
while (vpdma_list_busy(vpdma, list_num) && --timeout)
;
if (timeout == 0) {
dev_err(>pdev->dev, "Timed out cleaning up VPDMA
list\n");
- return -EBUSY;
+ ret = -EBUSY;
}
+unmap_desc:
vpdma_unmap_desc_buf(vpdma, _list.buf);
+free_desc:
vpdma_free_desc_buf(_list.buf);
- return 0;
+ return ret;
}
EXPORT_SYMBOL(vpdma_list_cleanup);
--
2.7.4
[PATCH] media: fdp1: Fix a memory leak bug
In fdp1_open(), 'ctx' is allocated through kzalloc(). However, it is not
deallocated if v4l2_ctrl_new_std() fails, leading to a memory leak bug. To
fix this issue, free 'ctx' before going to the 'done' label.
Signed-off-by: Wenwen Wang
---
drivers/media/platform/rcar_fdp1.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/rcar_fdp1.c
b/drivers/media/platform/rcar_fdp1.c
index 43aae9b..9e4b330 100644
--- a/drivers/media/platform/rcar_fdp1.c
+++ b/drivers/media/platform/rcar_fdp1.c
@@ -2122,6 +2122,7 @@ static int fdp1_open(struct file *file)
if (ctx->hdl.error) {
ret = ctx->hdl.error;
v4l2_ctrl_handler_free(>hdl);
+ kfree(ctx);
goto done;
}
--
2.7.4
[PATCH v2] media: saa7146: add cleanup in hexium_attach()
If saa7146_register_device() fails, no cleanup is executed, leading to
memory/resource leaks. To fix this issue, perform necessary cleanup work
before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/media/pci/saa7146/hexium_gemini.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c
b/drivers/media/pci/saa7146/hexium_gemini.c
index dca20a3..f962269 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -292,6 +292,9 @@ static int hexium_attach(struct saa7146_dev *dev, struct
saa7146_pci_extension_d
ret = saa7146_register_device(>video_dev, dev, "hexium gemini",
VFL_TYPE_GRABBER);
if (ret < 0) {
pr_err("cannot register capture v4l2 device. skipping.\n");
+ saa7146_vv_release(dev);
+ i2c_del_adapter(>i2c_adapter);
+ kfree(hexium);
return ret;
}
--
2.7.4
[PATCH] media: saa7146: add cleanup in hexium_attach()
If saa7146_register_device(), no cleanup is executed, leading to
memory/resource leaks. To fix this issue, perform necessary cleanup work
before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/media/pci/saa7146/hexium_gemini.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c
b/drivers/media/pci/saa7146/hexium_gemini.c
index dca20a3..f962269 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -292,6 +292,9 @@ static int hexium_attach(struct saa7146_dev *dev, struct
saa7146_pci_extension_d
ret = saa7146_register_device(>video_dev, dev, "hexium gemini",
VFL_TYPE_GRABBER);
if (ret < 0) {
pr_err("cannot register capture v4l2 device. skipping.\n");
+ saa7146_vv_release(dev);
+ i2c_del_adapter(>i2c_adapter);
+ kfree(hexium);
return ret;
}
--
2.7.4
[PATCH] media: dvb-core: fix a memory leak bug
In dvb_create_media_entity(), 'dvbdev->entity' is allocated through
kzalloc(). Then, 'dvbdev->pads' is allocated through kcalloc(). However, if
kcalloc() fails, the allocated 'dvbdev->entity' is not deallocated, leading
to a memory leak bug. To fix this issue, free 'dvbdev->entity' before
returning -ENOMEM.
Signed-off-by: Wenwen Wang
---
drivers/media/dvb-core/dvbdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index a3393cd..7557fbf 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -339,8 +339,10 @@ static int dvb_create_media_entity(struct dvb_device
*dvbdev,
if (npads) {
dvbdev->pads = kcalloc(npads, sizeof(*dvbdev->pads),
GFP_KERNEL);
- if (!dvbdev->pads)
+ if (!dvbdev->pads) {
+ kfree(dvbdev->entity);
return -ENOMEM;
+ }
}
switch (type) {
--
2.7.4
[PATCH] media: dvb-frontends: fix a memory leak bug
In cx24117_load_firmware(), 'buf' is allocated through kmalloc() to hold
the firmware. However, if i2c_transfer() fails, it is not deallocated,
leading to a memory leak bug.
Signed-off-by: Wenwen Wang
---
drivers/media/dvb-frontends/cx24117.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-frontends/cx24117.c
b/drivers/media/dvb-frontends/cx24117.c
index 42697a5..9fccc90 100644
--- a/drivers/media/dvb-frontends/cx24117.c
+++ b/drivers/media/dvb-frontends/cx24117.c
@@ -619,8 +619,10 @@ static int cx24117_load_firmware(struct dvb_frontend *fe,
/* send fw */
ret = i2c_transfer(state->priv->i2c, , 1);
- if (ret < 0)
+ if (ret < 0) {
+ kfree(buf);
return ret;
+ }
kfree(buf);
--
2.7.4
[PATCH] media: dvb-frontends: fix memory leaks
In dib7000pc_detection(), 'tx' and 'rx' are allocated through kzalloc()
respectively. However, if DiB7000PC is detected, they are not deallocated,
leading to memory leaks. To fix this issue, create a label to free 'tx' and
'rx' before returning from the function.
Signed-off-by: Wenwen Wang
---
drivers/media/dvb-frontends/dib7000p.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/media/dvb-frontends/dib7000p.c
b/drivers/media/dvb-frontends/dib7000p.c
index 52f5e697..0d22c70 100644
--- a/drivers/media/dvb-frontends/dib7000p.c
+++ b/drivers/media/dvb-frontends/dib7000p.c
@@ -2036,7 +2036,8 @@ static int dib7000pc_detection(struct i2c_adapter
*i2c_adap)
if (i2c_transfer(i2c_adap, msg, 2) == 2)
if (rx[0] == 0x01 && rx[1] == 0xb3) {
dprintk("-D- DiB7000PC detected\n");
- return 1;
+ ret = 1;
+ goto out;
}
msg[0].addr = msg[1].addr = 0x40;
@@ -2044,11 +2045,13 @@ static int dib7000pc_detection(struct i2c_adapter
*i2c_adap)
if (i2c_transfer(i2c_adap, msg, 2) == 2)
if (rx[0] == 0x01 && rx[1] == 0xb3) {
dprintk("-D- DiB7000PC detected\n");
- return 1;
+ ret = 1;
+ goto out;
}
dprintk("-D- DiB7000PC not detected\n");
+out:
kfree(rx);
rx_memory_error:
kfree(tx);
--
2.7.4
[PATCH] media: usb: cx231xx-417: fix a memory leak bug
In cx231xx_load_firmware(), 'p_buffer' is allocated through vmalloc() to hold the firmware. However, after the usage, it is not deallocated, leading to a memory leak bug. Signed-off-by: Wenwen Wang --- drivers/media/usb/cx231xx/cx231xx-417.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/usb/cx231xx/cx231xx-417.c b/drivers/media/usb/cx231xx/cx231xx-417.c index 2475f69..5e2e1fd 100644 --- a/drivers/media/usb/cx231xx/cx231xx-417.c +++ b/drivers/media/usb/cx231xx/cx231xx-417.c @@ -1051,6 +1051,7 @@ static int cx231xx_load_firmware(struct cx231xx *dev) p_current_fw = p_fw; vfree(p_current_fw); p_current_fw = NULL; + vfree(p_buffer); uninitGPIO(dev); release_firmware(firmware); dprintk(1, "Firmware upload successful.\n"); -- 2.7.4
[PATCH] media: cpia2_usb: fix memory leaks
In submit_urbs(), 'cam->sbuf[i].data' is allocated through kmalloc_array().
However, it is not deallocated if the following allocation for urbs fails.
To fix this issue, free 'cam->sbuf[i].data' if usb_alloc_urb() fails.
Signed-off-by: Wenwen Wang
---
drivers/media/usb/cpia2/cpia2_usb.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/media/usb/cpia2/cpia2_usb.c
b/drivers/media/usb/cpia2/cpia2_usb.c
index 17468f7..3ab80a7 100644
--- a/drivers/media/usb/cpia2/cpia2_usb.c
+++ b/drivers/media/usb/cpia2/cpia2_usb.c
@@ -676,6 +676,10 @@ static int submit_urbs(struct camera_data *cam)
if (!urb) {
for (j = 0; j < i; j++)
usb_free_urb(cam->sbuf[j].urb);
+ for (j = 0; j < NUM_SBUF; j++) {
+ kfree(cam->sbuf[j].data);
+ cam->sbuf[j].data = NULL;
+ }
return -ENOMEM;
}
--
2.7.4
[PATCH] libata: Fix a memory leak bug
In ata_init(), 'ata_force_tbl' is allocated through kcalloc() in
ata_parse_force_param(). However, it is not deallocated if
ata_attach_transport() fails, leading to a memory leak bug. To fix this
issue, free 'ata_force_tbl' before go to the 'err_out' label.
Signed-off-by: Wenwen Wang
---
drivers/ata/libata-core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 28c492b..185dd69 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -7040,6 +7040,7 @@ static int __init ata_init(void)
ata_scsi_transport_template = ata_attach_transport();
if (!ata_scsi_transport_template) {
ata_sff_exit();
+ kfree(ata_force_tbl);
rc = -ENOMEM;
goto err_out;
}
--
2.7.4
[PATCH] dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
If devm_request_irq() fails to disable all interrupts, no cleanup is
performed before retuning the error. To fix this issue, invoke
omap_dma_free() to do the cleanup.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/omap-dma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
index ba2489d..5158b58 100644
--- a/drivers/dma/ti/omap-dma.c
+++ b/drivers/dma/ti/omap-dma.c
@@ -1540,8 +1540,10 @@ static int omap_dma_probe(struct platform_device *pdev)
rc = devm_request_irq(>dev, irq, omap_dma_irq,
IRQF_SHARED, "omap-dma-engine", od);
- if (rc)
+ if (rc) {
+ omap_dma_free(od);
return rc;
+ }
}
if (omap_dma_glbl_read(od, CAPS_0) & CAPS_0_SUPPORT_LL123)
--
2.7.4
[PATCH v2] dmaengine: ti: dma-crossbar: Fix a memory leak bug
In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
of_property_read_u32_array() is invoked to search for the property.
However, if this process fails, 'rsv_events' is not deallocated, leading to
a memory leak bug. To fix this issue, free 'rsv_events' before returning
the error.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/dma-crossbar.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c
index ad2f0a4..f255056 100644
--- a/drivers/dma/ti/dma-crossbar.c
+++ b/drivers/dma/ti/dma-crossbar.c
@@ -391,8 +391,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev)
ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events,
nelm * 2);
- if (ret)
+ if (ret) {
+ kfree(rsv_events);
return ret;
+ }
for (i = 0; i < nelm; i++) {
ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1],
--
2.7.4
Re: [PATCH] dmaengine: ti: Fix a memory leak bug
On Fri, Aug 16, 2019 at 2:42 AM Peter Ujfalusi wrote:
>
>
>
> On 16/08/2019 9.23, Wenwen Wang wrote:
> > In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
> > of_property_read_u32_array() is invoked to search for the property.
> > However, if this process fails, 'rsv_events' is not deallocated, leading to
> > a memory leak bug. To fix this issue, free 'rsv_events' before returning
> > the error.
>
> Can you change the subject to:
> "dmaengine: ti: dma-crossbar: Fix a memory leak bug" ?
No problem. I will rework the patch. Thanks for your suggestion!
Wenwen
>
> Otherwise: Thank you, and
> Acked-by: Peter Ujfalusi
>
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > drivers/dma/ti/dma-crossbar.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c
> > index ad2f0a4..f255056 100644
> > --- a/drivers/dma/ti/dma-crossbar.c
> > +++ b/drivers/dma/ti/dma-crossbar.c
> > @@ -391,8 +391,10 @@ static int ti_dra7_xbar_probe(struct platform_device
> > *pdev)
> >
> > ret = of_property_read_u32_array(node, pname, (u32
> > *)rsv_events,
> >nelm * 2);
> > - if (ret)
> > + if (ret) {
> > + kfree(rsv_events);
> > return ret;
> > + }
> >
> > for (i = 0; i < nelm; i++) {
> > ti_dra7_xbar_reserve(rsv_events[i][0],
> > rsv_events[i][1],
> >
>
> - Péter
>
> Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
> Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
[PATCH] dmaengine: ti: Fix a memory leak bug
In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
of_property_read_u32_array() is invoked to search for the property.
However, if this process fails, 'rsv_events' is not deallocated, leading to
a memory leak bug. To fix this issue, free 'rsv_events' before returning
the error.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/dma-crossbar.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c
index ad2f0a4..f255056 100644
--- a/drivers/dma/ti/dma-crossbar.c
+++ b/drivers/dma/ti/dma-crossbar.c
@@ -391,8 +391,10 @@ static int ti_dra7_xbar_probe(struct platform_device *pdev)
ret = of_property_read_u32_array(node, pname, (u32 *)rsv_events,
nelm * 2);
- if (ret)
+ if (ret) {
+ kfree(rsv_events);
return ret;
+ }
for (i = 0; i < nelm; i++) {
ti_dra7_xbar_reserve(rsv_events[i][0], rsv_events[i][1],
--
2.7.4
[PATCH] ACPI: custom_method: fix memory leaks
In cm_write(), 'buf' is allocated through kzalloc(). In the following
execution, if an error occurs, 'buf' is not deallocated, leading to memory
leaks. To fix this issue, free 'buf' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/acpi/custom_method.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
index b2ef4c2..fd66a73 100644
--- a/drivers/acpi/custom_method.c
+++ b/drivers/acpi/custom_method.c
@@ -49,8 +49,10 @@ static ssize_t cm_write(struct file *file, const char __user
* user_buf,
if ((*ppos > max_size) ||
(*ppos + count > max_size) ||
(*ppos + count < count) ||
- (count > uncopied_bytes))
+ (count > uncopied_bytes)) {
+ kfree(buf);
return -EINVAL;
+ }
if (copy_from_user(buf + (*ppos), user_buf, count)) {
kfree(buf);
@@ -70,6 +72,7 @@ static ssize_t cm_write(struct file *file, const char __user
* user_buf,
add_taint(TAINT_OVERRIDDEN_ACPI_TABLE, LOCKDEP_NOW_UNRELIABLE);
}
+ kfree(buf);
return count;
}
--
2.7.4
[PATCH] ACPI / PCI: fix a memory leak bug
In acpi_pci_irq_enable(), 'entry' is allocated by invoking
acpi_pci_irq_lookup(). However, it is not deallocated if
acpi_pci_irq_valid() returns false, leading to a memory leak. To fix this
issue, free 'entry' before returning 0.
Signed-off-by: Wenwen Wang
---
drivers/acpi/pci_irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
index d2549ae..dea8a60 100644
--- a/drivers/acpi/pci_irq.c
+++ b/drivers/acpi/pci_irq.c
@@ -449,8 +449,10 @@ int acpi_pci_irq_enable(struct pci_dev *dev)
* No IRQ known to the ACPI subsystem - maybe the BIOS /
* driver reported one, then use it. Exit in any case.
*/
- if (!acpi_pci_irq_valid(dev, pin))
+ if (!acpi_pci_irq_valid(dev, pin)) {
+ kfree(entry);
return 0;
+ }
if (acpi_isa_register_gsi(dev))
dev_warn(>dev, "PCI INT %c: no GSI\n",
--
2.7.4
[PATCH] airo: fix memory leaks
In proc_BSSList_open(), 'file->private_data' is allocated through kzalloc()
and 'data->rbuffer' is allocated through kmalloc(). In the following
execution, if an error occurs, they are not deallocated, leading to memory
leaks. To fix this issue, free the allocated memory regions before
returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/wireless/cisco/airo.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/cisco/airo.c
b/drivers/net/wireless/cisco/airo.c
index 9342ffb..f43c065 100644
--- a/drivers/net/wireless/cisco/airo.c
+++ b/drivers/net/wireless/cisco/airo.c
@@ -5441,11 +5441,18 @@ static int proc_BSSList_open( struct inode *inode,
struct file *file ) {
Cmd cmd;
Resp rsp;
- if (ai->flags & FLAG_RADIO_MASK) return -ENETDOWN;
+ if (ai->flags & FLAG_RADIO_MASK) {
+ kfree(data->rbuffer);
+ kfree(file->private_data);
+ return -ENETDOWN;
+ }
memset(, 0, sizeof(cmd));
cmd.cmd=CMD_LISTBSS;
- if (down_interruptible(>sem))
+ if (down_interruptible(>sem)) {
+ kfree(data->rbuffer);
+ kfree(file->private_data);
return -ERESTARTSYS;
+ }
issuecommand(ai, , );
up(>sem);
data->readlen = 0;
--
2.7.4
Re: [PATCH] net: pch_gbe: Fix memory leaks
On Thu, Aug 15, 2019 at 4:42 PM David Miller wrote: > > From: Wenwen Wang > Date: Thu, 15 Aug 2019 16:03:39 -0400 > > > On Thu, Aug 15, 2019 at 3:34 PM David Miller wrote: > >> > >> From: Wenwen Wang > >> Date: Tue, 13 Aug 2019 20:33:45 -0500 > >> > >> > In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' > >> > and > >> > 'rx_old' are not deallocated, leading to memory leaks. To fix this issue, > >> > move the free statements after the if branch. > >> > > >> > Signed-off-by: Wenwen Wang > >> > >> Why would they be "deallocated"? They are still assigned to > >> adapter->tx_ring and adapter->rx_ring. > > > > 'adapter->tx_ring' and 'adapter->rx_ring' has been covered by newly > > allocated 'txdr' and 'rxdr' respectively before this if statement. > > That only happens inside of the if() statement, that's why rx_old and > tx_old are only freed in that code path. That happens not only inside of the if statement, but also before the if statement, just after 'txdr' and 'rxdr' are allocated. Wenwen
[PATCH v2] wimax/i2400m: fix a memory leak bug
In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup() to hold the original command line options. Then, the options are parsed. However, if an error occurs during the parsing process, 'options_orig' is not deallocated, leading to a memory leak bug. To fix this issue, free 'options_orig' before returning the error. Signed-off-by: Wenwen Wang --- drivers/net/wimax/i2400m/fw.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c index e9fc168..489cba9 100644 --- a/drivers/net/wimax/i2400m/fw.c +++ b/drivers/net/wimax/i2400m/fw.c @@ -351,13 +351,15 @@ int i2400m_barker_db_init(const char *_options) } result = i2400m_barker_db_add(barker); if (result < 0) - goto error_add; + goto error_parse_add; } kfree(options_orig); } return 0; +error_parse_add: error_parse: + kfree(options_orig); error_add: kfree(i2400m_barker_db); return result; -- 2.7.4
Re: [PATCH] wimax/i2400m: fix a memory leak bug
On Thu, Aug 15, 2019 at 2:45 PM Liam R. Howlett wrote:
>
> * Wenwen Wang [190815 14:05]:
> > In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
> > to hold the original command line options. Then, the options are parsed.
> > However, if an error occurs during the parsing process, 'options_orig' is
> > not deallocated, leading to a memory leak bug. To fix this issue, free
> > 'options_orig' before returning the error.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > drivers/net/wimax/i2400m/fw.c | 5 -
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
> > index e9fc168..6b36f6d 100644
> > --- a/drivers/net/wimax/i2400m/fw.c
> > +++ b/drivers/net/wimax/i2400m/fw.c
> > @@ -342,6 +342,7 @@ int i2400m_barker_db_init(const char *_options)
> > "a 32-bit number\n",
> > __func__, token);
> > result = -EINVAL;
> > + kfree(options_orig);
> > goto error_parse;
> > }
> > if (barker == 0) {
> > @@ -350,8 +351,10 @@ int i2400m_barker_db_init(const char *_options)
> > continue;
> > }
> > result = i2400m_barker_db_add(barker);
> > - if (result < 0)
> > + if (result < 0) {
> > + kfree(options_orig);
> > goto error_add;
>
> I know that you didn't add this error_add label, but it seems like the
> incorrect goto label. Although looking at the caller indicates an add
> failed, this label is used prior to and after the memory leak you are
> trying to fix. It might be better to change this label to something
> like error_parse_add and move the kfree to the unwinding. If a new
> label is used, it becomes more clear as to what is being undone and
> there aren't two jumps into an unwind from two very different stages of
> the function. Adding a new label also has the benefit of moving the
> kfree to the unwind of error_parse.
Thanks for your suggestion! I will rework the patch.
Wenwen
Re: [PATCH] net: pch_gbe: Fix memory leaks
On Thu, Aug 15, 2019 at 3:34 PM David Miller wrote: > > From: Wenwen Wang > Date: Tue, 13 Aug 2019 20:33:45 -0500 > > > In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' and > > 'rx_old' are not deallocated, leading to memory leaks. To fix this issue, > > move the free statements after the if branch. > > > > Signed-off-by: Wenwen Wang > > Why would they be "deallocated"? They are still assigned to > adapter->tx_ring and adapter->rx_ring. 'adapter->tx_ring' and 'adapter->rx_ring' has been covered by newly allocated 'txdr' and 'rxdr' respectively before this if statement. Wenwen
[PATCH] wimax/i2400m: fix a memory leak bug
In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
to hold the original command line options. Then, the options are parsed.
However, if an error occurs during the parsing process, 'options_orig' is
not deallocated, leading to a memory leak bug. To fix this issue, free
'options_orig' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/wimax/i2400m/fw.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
index e9fc168..6b36f6d 100644
--- a/drivers/net/wimax/i2400m/fw.c
+++ b/drivers/net/wimax/i2400m/fw.c
@@ -342,6 +342,7 @@ int i2400m_barker_db_init(const char *_options)
"a 32-bit number\n",
__func__, token);
result = -EINVAL;
+ kfree(options_orig);
goto error_parse;
}
if (barker == 0) {
@@ -350,8 +351,10 @@ int i2400m_barker_db_init(const char *_options)
continue;
}
result = i2400m_barker_db_add(barker);
- if (result < 0)
+ if (result < 0) {
+ kfree(options_orig);
goto error_add;
+ }
}
kfree(options_orig);
}
--
2.7.4
[PATCH] hv_netvsc: Fix a memory leak bug
In rndis_filter_device_add(), 'rndis_device' is allocated through kzalloc() by invoking get_rndis_device(). In the following execution, if an error occurs, the execution will go to the 'err_dev_remv' label. However, the allocated 'rndis_device' is not deallocated, leading to a memory leak bug. Signed-off-by: Wenwen Wang --- drivers/net/hyperv/rndis_filter.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c index 317dbe9..ed35085 100644 --- a/drivers/net/hyperv/rndis_filter.c +++ b/drivers/net/hyperv/rndis_filter.c @@ -1420,6 +1420,7 @@ struct netvsc_device *rndis_filter_device_add(struct hv_device *dev, err_dev_remv: rndis_filter_device_remove(dev, net_device); + kfree(rndis_device); return ERR_PTR(ret); } -- 2.7.4
[PATCH] cx82310_eth: fix a memory leak bug
In cx82310_bind(), 'dev->partial_data' is allocated through kmalloc().
Then, the execution waits for the firmware to become ready. If the firmware
is not ready in time, the execution is terminated. However, the allocated
'dev->partial_data' is not deallocated on this path, leading to a memory
leak bug. To fix this issue, free 'dev->partial_data' before returning the
error.
Signed-off-by: Wenwen Wang
---
drivers/net/usb/cx82310_eth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/usb/cx82310_eth.c
index 5519248..32b08b1 100644
--- a/drivers/net/usb/cx82310_eth.c
+++ b/drivers/net/usb/cx82310_eth.c
@@ -163,7 +163,8 @@ static int cx82310_bind(struct usbnet *dev, struct
usb_interface *intf)
}
if (!timeout) {
dev_err(>dev, "firmware not ready in time\n");
- return -ETIMEDOUT;
+ ret = -ETIMEDOUT;
+ goto err;
}
/* enable ethernet mode (?) */
--
2.7.4
[PATCH] net: usbnet: fix a memory leak bug
In usbnet_start_xmit(), 'urb->sg' is allocated through kmalloc_array() by invoking build_dma_sg(). Later on, if 'CONFIG_PM' is defined and the if branch is taken, the execution will go to the label 'deferred'. However, 'urb->sg' is not deallocated on this execution path, leading to a memory leak bug. Signed-off-by: Wenwen Wang --- drivers/net/usb/usbnet.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 72514c4..f17fafa 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1433,6 +1433,7 @@ netdev_tx_t usbnet_start_xmit (struct sk_buff *skb, usb_anchor_urb(urb, >deferred); /* no use to process more packets */ netif_stop_queue(net); + kfree(urb->sg); usb_put_urb(urb); spin_unlock_irqrestore(>txq.lock, flags); netdev_dbg(dev->net, "Delaying transmission for resumption\n"); -- 2.7.4
[PATCH] net: myri10ge: fix memory leaks
In myri10ge_probe(), myri10ge_alloc_slices() is invoked to allocate slices related structures. Later on, myri10ge_request_irq() is used to get an irq. However, if this process fails, the allocated slices related structures are not deallocated, leading to memory leaks. To fix this issue, revise the target label of the goto statement to 'abort_with_slices'. Signed-off-by: Wenwen Wang --- drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c index d8b7fba..337b0cb 100644 --- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c @@ -3919,7 +3919,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) * setup (if available). */ status = myri10ge_request_irq(mgp); if (status != 0) - goto abort_with_firmware; + goto abort_with_slices; myri10ge_free_irq(mgp); /* Save configuration space to be restored if the -- 2.7.4
[PATCH] liquidio: add cleanup in octeon_setup_iq()
If oct->fn_list.enable_io_queues() fails, no cleanup is executed, leading
to memory/resource leaks. To fix this issue, invoke
octeon_delete_instr_queue() before returning from the function.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/cavium/liquidio/request_manager.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c
b/drivers/net/ethernet/cavium/liquidio/request_manager.c
index 0322241..6dd65f9 100644
--- a/drivers/net/ethernet/cavium/liquidio/request_manager.c
+++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c
@@ -237,8 +237,10 @@ int octeon_setup_iq(struct octeon_device *oct,
}
oct->num_iqs++;
- if (oct->fn_list.enable_io_queues(oct))
+ if (oct->fn_list.enable_io_queues(oct)) {
+ octeon_delete_instr_queue(oct, iq_no);
return 1;
+ }
return 0;
}
--
2.7.4
[PATCH] net: pch_gbe: Fix memory leaks
In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' and 'rx_old' are not deallocated, leading to memory leaks. To fix this issue, move the free statements after the if branch. Signed-off-by: Wenwen Wang --- drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c index 1a3008e..ef6311cd 100644 --- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c +++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_ethtool.c @@ -340,12 +340,12 @@ static int pch_gbe_set_ringparam(struct net_device *netdev, goto err_setup_tx; pch_gbe_free_rx_resources(adapter, rx_old); pch_gbe_free_tx_resources(adapter, tx_old); - kfree(tx_old); - kfree(rx_old); adapter->rx_ring = rxdr; adapter->tx_ring = txdr; err = pch_gbe_up(adapter); } + kfree(tx_old); + kfree(rx_old); return err; err_setup_tx: -- 2.7.4
[PATCH] qed: Add cleanup in qed_slowpath_start()
If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
memory leaks. To fix this issue, redirect the execution to the label 'err3'
before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_main.c
b/drivers/net/ethernet/qlogic/qed/qed_main.c
index 829dd60..d16a251 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_main.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_main.c
@@ -1325,7 +1325,7 @@ static int qed_slowpath_start(struct qed_dev *cdev,
_version);
if (rc) {
DP_NOTICE(cdev, "Failed sending drv version command\n");
- return rc;
+ goto err3;
}
}
--
2.7.4
[PATCH] cxgb4: fix a memory leak bug
In blocked_fl_write(), 't' is not deallocated if bitmap_parse_user() fails,
leading to a memory leak bug. To fix this issue, free t before returning
the error.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
index 0295903..d692251 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
@@ -3236,8 +3236,10 @@ static ssize_t blocked_fl_write(struct file *filp, const
char __user *ubuf,
return -ENOMEM;
err = bitmap_parse_user(ubuf, count, t, adap->sge.egr_sz);
- if (err)
+ if (err) {
+ kvfree(t);
return err;
+ }
bitmap_copy(adap->sge.blocked_fl, t, adap->sge.egr_sz);
kvfree(t);
--
2.7.4
[PATCH] net/mlx5: Fix a memory leak bug
In mlx5_cmd_invoke(), 'ent' is allocated through kzalloc() in alloc_cmd(). After the work is queued, wait_func() is invoked to wait the completion of the work. If wait_func() returns -ETIMEDOUT, the following execution will be terminated. However, the allocated 'ent' is not deallocated on this program path, leading to a memory leak bug. To fix the above issue, free 'ent' before returning the error. Signed-off-by: Wenwen Wang --- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c index 8cdd7e6..90cdb9a 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c @@ -1036,7 +1036,7 @@ static int mlx5_cmd_invoke(struct mlx5_core_dev *dev, struct mlx5_cmd_msg *in, err = wait_func(dev, ent); if (err == -ETIMEDOUT) - goto out; + goto out_free; ds = ent->ts2 - ent->ts1; op = MLX5_GET(mbox_in, in->first.data, opcode); -- 2.7.4
[PATCH v2] net/mlx4_en: fix a memory leak bug
In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
indirection. However, if mlx4_qp_alloc() fails, the allocated
'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
To fix the above issue, add the 'qp_alloc_err' label to free
'rss_map->indir_qp'.
Fixes: 4931c6ef04b4 ("net/mlx4_en: Optimized single ring steering")
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
index 6c01314..db3552f 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -1187,7 +1187,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv *priv)
err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
if (err) {
en_err(priv, "Failed to allocate RSS indirection QP\n");
- goto rss_err;
+ goto qp_alloc_err;
}
rss_map->indir_qp->event = mlx4_en_sqp_event;
@@ -1241,6 +1241,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv *priv)
MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
mlx4_qp_free(mdev->dev, rss_map->indir_qp);
+qp_alloc_err:
kfree(rss_map->indir_qp);
rss_map->indir_qp = NULL;
rss_err:
--
2.7.4
Re: [PATCH] net/mlx4_en: fix a memory leak bug
On Mon, Aug 12, 2019 at 5:05 AM Tariq Toukan wrote:
>
> Hi Wenwen,
>
> Thanks for your patch.
>
> On 8/12/2019 9:36 AM, Wenwen Wang wrote:
> > In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
> > kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
> > indirection. However, if mlx4_qp_alloc() fails, the allocated
> > 'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
> >
> > To fix the above issue, add the 'mlx4_err' label to free
> > 'rss_map->indir_qp'.
> >
>
> Add a Fixes line.
>
> > Signed-off-by: Wenwen Wang > ---
> > drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
> > b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
> > index 6c01314..9476dbd 100644
> > --- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
> > +++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
> > @@ -1187,7 +1187,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv
> > *priv)
> > err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
> > if (err) {
> > en_err(priv, "Failed to allocate RSS indirection QP\n");
> > - goto rss_err;
> > + goto mlx4_err;
> > }
> >
> > rss_map->indir_qp->event = mlx4_en_sqp_event;
> > @@ -1241,6 +1241,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv
> > *priv)
> > MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
> > mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
> > mlx4_qp_free(mdev->dev, rss_map->indir_qp);
> > +mlx4_err:
>
> I don't like the label name. It's too general and not informative.
> Maybe qp_alloc_err?
Thanks! I will rework the patch.
Wenwen
[PATCH] net/mlx4_en: fix a memory leak bug
In mlx4_en_config_rss_steer(), 'rss_map->indir_qp' is allocated through
kzalloc(). After that, mlx4_qp_alloc() is invoked to configure RSS
indirection. However, if mlx4_qp_alloc() fails, the allocated
'rss_map->indir_qp' is not deallocated, leading to a memory leak bug.
To fix the above issue, add the 'mlx4_err' label to free
'rss_map->indir_qp'.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/mellanox/mlx4/en_rx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
index 6c01314..9476dbd 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c
@@ -1187,7 +1187,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv *priv)
err = mlx4_qp_alloc(mdev->dev, priv->base_qpn, rss_map->indir_qp);
if (err) {
en_err(priv, "Failed to allocate RSS indirection QP\n");
- goto rss_err;
+ goto mlx4_err;
}
rss_map->indir_qp->event = mlx4_en_sqp_event;
@@ -1241,6 +1241,7 @@ int mlx4_en_config_rss_steer(struct mlx4_en_priv *priv)
MLX4_QP_STATE_RST, NULL, 0, 0, rss_map->indir_qp);
mlx4_qp_remove(mdev->dev, rss_map->indir_qp);
mlx4_qp_free(mdev->dev, rss_map->indir_qp);
+mlx4_err:
kfree(rss_map->indir_qp);
rss_map->indir_qp = NULL;
rss_err:
--
2.7.4
[PATCH] e1000: fix memory leaks
In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if
e1000_up() fails, leading to memory leaks. Refactor the code to fix this
issue.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
index a410085..2e07ffa 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c
@@ -607,6 +607,7 @@ static int e1000_set_ringparam(struct net_device *netdev,
for (i = 0; i < adapter->num_rx_queues; i++)
rxdr[i].count = rxdr->count;
+ err = 0;
if (netif_running(adapter->netdev)) {
/* Try to get new resources before deleting old */
err = e1000_setup_all_rx_resources(adapter);
@@ -627,14 +628,13 @@ static int e1000_set_ringparam(struct net_device *netdev,
adapter->rx_ring = rxdr;
adapter->tx_ring = txdr;
err = e1000_up(adapter);
- if (err)
- goto err_setup;
}
kfree(tx_old);
kfree(rx_old);
clear_bit(__E1000_RESETTING, >flags);
- return 0;
+ return err;
+
err_setup_tx:
e1000_free_all_rx_resources(adapter);
err_setup_rx:
@@ -646,7 +646,6 @@ static int e1000_set_ringparam(struct net_device *netdev,
err_alloc_tx:
if (netif_running(adapter->netdev))
e1000_up(adapter);
-err_setup:
clear_bit(__E1000_RESETTING, >flags);
return err;
}
--
2.7.4
[PATCH] net: ixgbe: fix memory leaks
In ixgbe_configure_clsu32(), 'jump', 'input', and 'mask' are allocated
through kzalloc() respectively in a for loop body. Then,
ixgbe_clsu32_build_input() is invoked to build the input. If this process
fails, next iteration of the for loop will be executed. However, the
allocated 'jump', 'input', and 'mask' are not deallocated on this execution
path, leading to memory leaks.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index cbaf712..6b7ea87 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -9490,6 +9490,10 @@ static int ixgbe_configure_clsu32(struct ixgbe_adapter
*adapter,
jump->mat = nexthdr[i].jump;
adapter->jump_tables[link_uhtid] = jump;
break;
+ } else {
+ kfree(mask);
+ kfree(input);
+ kfree(jump);
}
}
return 0;
--
2.7.4
[PATCH] i3c: master: fix a memory leak bug
In i3c_master_getmwl_locked(), the buffer used for the dest payload data is
allocated using kzalloc() in i3c_ccc_cmd_dest_init(). Later on, the length
of the dest payload data is checked against 'sizeof(*mwl)'. If they are not
equal, -EIO is returned to indicate the error. However, the allocated
buffer is not deallocated on this path, leading to a memory leak.
To fix the above issue, free the buffer before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/i3c/master.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
index d6f8b03..562f69f 100644
--- a/drivers/i3c/master.c
+++ b/drivers/i3c/master.c
@@ -1084,8 +1084,10 @@ static int i3c_master_getmwl_locked(struct
i3c_master_controller *master,
if (ret)
goto out;
- if (dest.payload.len != sizeof(*mwl))
- return -EIO;
+ if (dest.payload.len != sizeof(*mwl)) {
+ ret = -EIO;
+ goto out;
+ }
info->max_write_len = be16_to_cpu(mwl->len);
--
2.7.4
[PATCH] ALSA: hda - Fix a memory leak bug
In snd_hda_parse_generic_codec(), 'spec' is allocated through kzalloc(). Then, the pin widgets in 'codec' are parsed. However, if the parsing process fails, 'spec' is not deallocated, leading to a memory leak. To fix the above issue, free 'spec' before returning the error. Signed-off-by: Wenwen Wang --- sound/pci/hda/hda_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c index 485edab..8f2beb1 100644 --- a/sound/pci/hda/hda_generic.c +++ b/sound/pci/hda/hda_generic.c @@ -6100,7 +6100,7 @@ static int snd_hda_parse_generic_codec(struct hda_codec *codec) err = snd_hda_parse_pin_defcfg(codec, >autocfg, NULL, 0); if (err < 0) - return err; + goto error; err = snd_hda_gen_parse_auto_config(codec, >autocfg); if (err < 0) -- 2.7.4
[PATCH] ALSA: firewire: fix a memory leak bug
In iso_packets_buffer_init(), 'b->packets' is allocated through
kmalloc_array(). Then, the aligned packet size is checked. If it is
larger than PAGE_SIZE, -EINVAL will be returned to indicate the error.
However, the allocated 'b->packets' is not deallocated on this path,
leading to a memory leak.
To fix the above issue, free 'b->packets' before returning the error code.
Signed-off-by: Wenwen Wang
---
sound/firewire/packets-buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/firewire/packets-buffer.c b/sound/firewire/packets-buffer.c
index 0d35359..0ecafd0 100644
--- a/sound/firewire/packets-buffer.c
+++ b/sound/firewire/packets-buffer.c
@@ -37,7 +37,7 @@ int iso_packets_buffer_init(struct iso_packets_buffer *b,
struct fw_unit *unit,
packets_per_page = PAGE_SIZE / packet_size;
if (WARN_ON(!packets_per_page)) {
err = -EINVAL;
- goto error;
+ goto err_packets;
}
pages = DIV_ROUND_UP(count, packets_per_page);
--
2.7.4
[PATCH] sound: fix a memory leak bug
In sound_insert_unit(), the controlling structure 's' is allocated through kmalloc(). Then it is added to the sound driver list by invoking __sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is removed from the list through __sound_remove_unit(). If 'index' is not less than 0, -EBUSY is returned to indicate the error. However, 's' is not deallocated on this execution path, leading to a memory leak bug. To fix the above issue, free 's' before -EBUSY is returned. Signed-off-by: Wenwen Wang --- sound/sound_core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/sound_core.c b/sound/sound_core.c index b730d97..90d118c 100644 --- a/sound/sound_core.c +++ b/sound/sound_core.c @@ -275,7 +275,8 @@ static int sound_insert_unit(struct sound_unit **list, const struct file_operati goto retry; } spin_unlock(_loader_lock); - return -EBUSY; + r = -EBUSY; + goto fail; } } -- 2.7.4
[PATCH v3] ALSA: hiface: fix multiple memory leak bugs
In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and
'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
Signed-off-by: Wenwen Wang
---
sound/usb/hiface/pcm.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index 14fc1e1..c406497 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -600,14 +600,13 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
extra_freq)
ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
hiface_pcm_out_urb_handler);
if (ret < 0)
- return ret;
+ goto error;
}
ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, );
if (ret < 0) {
- kfree(rt);
dev_err(>dev->dev, "Cannot create pcm instance\n");
- return ret;
+ goto error;
}
pcm->private_data = rt;
@@ -620,4 +619,10 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
extra_freq)
chip->pcm = rt;
return 0;
+
+error:
+ for (i = 0; i < PCM_N_URBS; i++)
+ kfree(rt->out_urbs[i].buffer);
+ kfree(rt);
+ return ret;
}
--
2.7.4
Re: [PATCH v2] ALSA: pcm: fix multiple memory leak bugs
On Wed, Aug 7, 2019 at 3:18 AM Takashi Iwai wrote:
>
> On Wed, 07 Aug 2019 09:09:59 +0200,
> Wenwen Wang wrote:
> >
> > In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
> > on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
> > hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
> > kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and
> > 'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
> > Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
> >
> > To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > sound/usb/hiface/pcm.c | 8 +++-
> > 1 file changed, 7 insertions(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
> > index 14fc1e1..9b132aa 100644
> > --- a/sound/usb/hiface/pcm.c
> > +++ b/sound/usb/hiface/pcm.c
> > @@ -599,12 +599,18 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
> > extra_freq)
> > for (i = 0; i < PCM_N_URBS; i++) {
> > ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
> > hiface_pcm_out_urb_handler);
> > - if (ret < 0)
> > + if (ret < 0) {
> > + for (; i >= 0; i--)
> > + kfree(rt->out_urbs[i].buffer);
> > + kfree(rt);
> > return ret;
> > + }
> > }
> >
> > ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, );
> > if (ret < 0) {
> > + for (i = 0; i < PCM_N_URBS; i++)
> > + kfree(rt->out_urbs[i].buffer);
> > kfree(rt);
> > dev_err(>dev->dev, "Cannot create pcm instance\n");
> > return ret;
>
> The fixes look correct, but since we can unconditionally call kfree()
> for NULL, both error paths can be unified as:
>
> for (i = 0; i < PCM_N_URBS; i++)
> kfree(rt->out_urbs[i].buffer);
> kfree(rt);
>
> and this would be better to be put in the common path at the end and
> do "goto error" or such from both places.
I will rework the patch and revise the subject line.
> BTW, your patch doesn't seem cleanly applicable in anyway because the
> tabs are converted to spaces. Please check the mail setup.
>
> Also, please try to make the subject line more unique. This is about
> hiface driver, so "ALSA: hiface: xxx" should be more appropriate.
I will also check my mail setup. Thanks!
Wenwen
[PATCH v2] ALSA: pcm: fix multiple memory leak bugs
In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'. In
hiface_pcm_init_urb(), 'rt->out_urbs[i].buffer' is allocated through
kzalloc(). However, if hiface_pcm_init_urb() fails, both 'rt' and
'rt->out_urbs[i].buffer' are not deallocated, leading to memory leak bugs.
Also, 'rt->out_urbs[i].buffer' is not deallocated if snd_pcm_new() fails.
To fix the above issues, free 'rt' and 'rt->out_urbs[i].buffer'.
Signed-off-by: Wenwen Wang
---
sound/usb/hiface/pcm.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index 14fc1e1..9b132aa 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -599,12 +599,18 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
extra_freq)
for (i = 0; i < PCM_N_URBS; i++) {
ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
hiface_pcm_out_urb_handler);
- if (ret < 0)
+ if (ret < 0) {
+ for (; i >= 0; i--)
+ kfree(rt->out_urbs[i].buffer);
+ kfree(rt);
return ret;
+ }
}
ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, );
if (ret < 0) {
+ for (i = 0; i < PCM_N_URBS; i++)
+ kfree(rt->out_urbs[i].buffer);
kfree(rt);
dev_err(>dev->dev, "Cannot create pcm instance\n");
return ret;
--
2.7.4
Re: [PATCH] ALSA: pcm: fix a memory leak bug
On Wed, Aug 7, 2019 at 2:33 AM Takashi Iwai wrote:
>
> On Wed, 07 Aug 2019 08:15:17 +0200,
> Wenwen Wang wrote:
> >
> > In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
> > on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'.
> > However, if the initialization fails, 'rt' is not deallocated, leading to a
> > memory leak bug.
> >
> > To fix the above issue, free 'rt' before returning the error.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > sound/usb/hiface/pcm.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
> > index 14fc1e1..5dbcd0d 100644
> > --- a/sound/usb/hiface/pcm.c
> > +++ b/sound/usb/hiface/pcm.c
> > @@ -599,8 +599,10 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
> > extra_freq)
> > for (i = 0; i < PCM_N_URBS; i++) {
> > ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
> > hiface_pcm_out_urb_handler);
> > - if (ret < 0)
> > + if (ret < 0) {
> > + kfree(rt);
> > return ret;
> > + }
>
> Unfortunately this still leaves some memory. We need to release
> rt->out_urbs[], too. The relevant code is already in
> hiface_pcm_destroy(), so factor out the looped kfree() there and call
> it from both places.
>
> Care to resubmit with more fixes?
Thanks for your comments! I also found this issue, and am working on
another patch to fix it.
Wenwen
[PATCH] ALSA: pcm: fix a memory leak bug
In hiface_pcm_init(), 'rt' is firstly allocated through kzalloc(). Later
on, hiface_pcm_init_urb() is invoked to initialize 'rt->out_urbs[i]'.
However, if the initialization fails, 'rt' is not deallocated, leading to a
memory leak bug.
To fix the above issue, free 'rt' before returning the error.
Signed-off-by: Wenwen Wang
---
sound/usb/hiface/pcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/hiface/pcm.c b/sound/usb/hiface/pcm.c
index 14fc1e1..5dbcd0d 100644
--- a/sound/usb/hiface/pcm.c
+++ b/sound/usb/hiface/pcm.c
@@ -599,8 +599,10 @@ int hiface_pcm_init(struct hiface_chip *chip, u8
extra_freq)
for (i = 0; i < PCM_N_URBS; i++) {
ret = hiface_pcm_init_urb(>out_urbs[i], chip, OUT_EP,
hiface_pcm_out_urb_handler);
- if (ret < 0)
+ if (ret < 0) {
+ kfree(rt);
return ret;
+ }
}
ret = snd_pcm_new(chip->card, "USB-SPDIF Audio", 0, 1, 0, );
--
2.7.4
Re: [PATCH] ALSA: usb-midi: fix a memory leak bug
On Wed, Aug 7, 2019 at 1:31 AM Takashi Iwai wrote: > > On Wed, 07 Aug 2019 05:22:09 +0200, > Wenwen Wang wrote: > > > > In __snd_usbmidi_create(), a MIDI streaming interface structure is > > allocated through kzalloc() and the pointer is saved to 'umidi'. Later on, > > the endpoint structures are created by invoking > > snd_usbmidi_create_endpoints_midiman() or snd_usbmidi_create_endpoints(), > > depending on the type of the audio quirk type. However, if the creation > > fails, the allocated 'umidi' is not deallocated, leading to a memory leak > > bug. > > > > To fix the above issue, free 'umidi' before returning the error. > > > > Signed-off-by: Wenwen Wang > > It's again a false-positive report. The object is released > automatically by the destructor of its base snd_rawmidi object. Thanks for your response! Sorry for the false positives. :( Wenwen
[PATCH] ALSA: usb-midi: fix a memory leak bug
In __snd_usbmidi_create(), a MIDI streaming interface structure is allocated through kzalloc() and the pointer is saved to 'umidi'. Later on, the endpoint structures are created by invoking snd_usbmidi_create_endpoints_midiman() or snd_usbmidi_create_endpoints(), depending on the type of the audio quirk type. However, if the creation fails, the allocated 'umidi' is not deallocated, leading to a memory leak bug. To fix the above issue, free 'umidi' before returning the error. Signed-off-by: Wenwen Wang --- sound/usb/midi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index b737f0e..22db37f 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -2476,7 +2476,7 @@ int __snd_usbmidi_create(struct snd_card *card, else err = snd_usbmidi_create_endpoints(umidi, endpoints); if (err < 0) - goto exit; + goto free_midi; usb_autopm_get_interface_no_resume(umidi->iface); -- 2.7.4
[PATCH] ALSA: usb-audio: fix a memory leak bug
In snd_usb_get_audioformat_uac3(), a structure for channel maps 'chmap' is
allocated through kzalloc() before the execution goto 'found_clock'.
However, this structure is not deallocated if the memory allocation for
'pd' fails, leading to a memory leak bug.
To fix the above issue, free 'fp->chmap' before returning NULL.
Signed-off-by: Wenwen Wang
---
sound/usb/stream.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index 7ee9d17..e852c7f 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -1043,6 +1043,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
pd = kzalloc(sizeof(*pd), GFP_KERNEL);
if (!pd) {
+ kfree(fp->chmap);
kfree(fp->rate_table);
kfree(fp);
return NULL;
--
2.7.4
[PATCH] ALSA: usb-audio: fix a memory leak bug
In add_new_ctl(), a mixer element structure is allocated through kzalloc()
and the pointer is saved to 'elem'. Later on, a new alsa control element is
created and added to this structure. In case the add process fails, i.e.,
the return value of snd_usb_mixer_add_control() is less than 0, the
allocated structure is not freed, leading to a memory leak.
To fix the above issue, free 'elem' before returning the error.
Signed-off-by: Wenwen Wang
---
sound/usb/mixer_scarlett.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sound/usb/mixer_scarlett.c b/sound/usb/mixer_scarlett.c
index 83715fd..a6c028a 100644
--- a/sound/usb/mixer_scarlett.c
+++ b/sound/usb/mixer_scarlett.c
@@ -562,8 +562,10 @@ static int add_new_ctl(struct usb_mixer_interface *mixer,
strlcpy(kctl->id.name, name, sizeof(kctl->id.name));
err = snd_usb_mixer_add_control(>head, kctl);
- if (err < 0)
+ if (err < 0) {
+ kfree(elem);
return err;
+ }
if (elem_ret)
*elem_ret = elem;
--
2.7.4
[PATCH] ASoC: dapm: fix a memory leak bug
From: Wenwen Wang In snd_soc_dapm_new_control_unlocked(), a kernel buffer is allocated in dapm_cnew_widget() to hold the new dapm widget. Then, different actions are taken according to the id of the widget, i.e., 'w->id'. If any failure occurs during this process, snd_soc_dapm_new_control_unlocked() should be terminated by going to the 'request_failed' label. However, the allocated kernel buffer is not freed on this code path, leading to a memory leak bug. To fix the above issue, free the buffer before returning from snd_soc_dapm_new_control_unlocked() through the 'request_failed' label. Signed-off-by: Wenwen Wang --- sound/soc/soc-dapm.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c index f013b24..23b9b25 100644 --- a/sound/soc/soc-dapm.c +++ b/sound/soc/soc-dapm.c @@ -3706,6 +3706,8 @@ snd_soc_dapm_new_control_unlocked(struct snd_soc_dapm_context *dapm, dev_err(dapm->dev, "ASoC: Failed to request %s: %d\n", w->name, ret); + kfree_const(w->sname); + kfree(w); return ERR_PTR(ret); } -- 2.7.4
[PATCH] test_firmware: fix a memory leak bug
From: Wenwen Wang
In test_firmware_init(), the buffer pointed to by the global pointer
'test_fw_config' is allocated through kzalloc(). Then, the buffer is
initialized in __test_firmware_config_init(). In the case that the
initialization fails, the following execution in test_firmware_init() needs
to be terminated with an error code returned to indicate this failure.
However, the allocated buffer is not freed on this execution path, leading
to a memory leak bug.
To fix the above issue, free the allocated buffer before returning from
test_firmware_init().
Signed-off-by: Wenwen Wang
---
lib/test_firmware.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/test_firmware.c b/lib/test_firmware.c
index 83ea6c4..6ca97a6 100644
--- a/lib/test_firmware.c
+++ b/lib/test_firmware.c
@@ -886,8 +886,11 @@ static int __init test_firmware_init(void)
return -ENOMEM;
rc = __test_firmware_config_init();
- if (rc)
+ if (rc) {
+ kfree(test_fw_config);
+ pr_err("could not init firmware test config: %d\n", rc);
return rc;
+ }
rc = misc_register(_fw_misc_device);
if (rc) {
--
2.7.4
[PATCH v2] ALSA: usx2y: fix a double free bug
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
kmalloc() and saved to 'usX2Y->In04Buf'. If the allocation of the buffer
fails, the error code ENOMEM is returned after usb_free_urb(), which frees
the created urb. However, the urb is actually freed at card->private_free
callback, i.e., snd_usX2Y_card_private_free(). So the free operation here
leads to a double free bug.
To fix the above issue, simply remove usb_free_urb().
Signed-off-by: Wenwen Wang
---
sound/usb/usx2y/usbusx2y.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index da4a5a5..1f0b0100 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -293,10 +293,8 @@ int usX2Y_In04_init(struct usX2Ydev *usX2Y)
if (! (usX2Y->In04urb = usb_alloc_urb(0, GFP_KERNEL)))
return -ENOMEM;
- if (! (usX2Y->In04Buf = kmalloc(21, GFP_KERNEL))) {
- usb_free_urb(usX2Y->In04urb);
+ if (! (usX2Y->In04Buf = kmalloc(21, GFP_KERNEL)))
return -ENOMEM;
- }
init_waitqueue_head(>In04WaitQueue);
usb_fill_int_urb(usX2Y->In04urb, usX2Y->dev, usb_rcvintpipe(usX2Y->dev,
0x4),
--
2.7.4
Re: [PATCH] ALSA: usx2y: fix a memory leak bug
On Mon, Apr 29, 2019 at 1:42 AM Takashi Iwai wrote: > > On Mon, 29 Apr 2019 07:50:11 +0200, > Wenwen Wang wrote: > > > > On Mon, Apr 29, 2019 at 12:36 AM Takashi Iwai wrote: > > > > > > On Sun, 28 Apr 2019 09:18:40 +0200, > > > Takashi Iwai wrote: > > > > > > > > On Sun, 28 Apr 2019 08:42:32 +0200, > > > > Wenwen Wang wrote: > > > > > > > > > > In usX2Y_In04_init(), a new urb is firstly created through > > > > > usb_alloc_urb() > > > > > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through > > > > > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is > > > > > initialized, a > > > > > sanity check is performed for the endpoint in the urb by invoking > > > > > usb_urb_ep_type_check(). If the check fails, the error code EINVAL > > > > > will be > > > > > returned. In that case, however, the created urb and the allocated > > > > > buffer > > > > > are not freed, leading to memory leaks. > > > > > > > > > > To fix the above issue, free the urb and the buffer if the check > > > > > fails. > > > > > > > > > > Signed-off-by: Wenwen Wang > > > > > > > > Applied now, thanks. > > > > > > ... and looking at the code again, this patch turned out to be wrong. > > > The in04 urb and transfer buffer are freed at card->private_free > > > callback (snd_usX2Y_card_private_free()) later, so this patch would > > > lead to double-free. > > > > Thanks for your comment! Does that mean we should remove > > usb_free_urb() in the if statement of allocating 'usX2Y->In04Buf', > > because it may also lead to double free? > > Yes, that's another superfluous code. Thanks! I will rework the patch. Wenwen
Re: [PATCH] ALSA: usx2y: fix a memory leak bug
On Mon, Apr 29, 2019 at 12:36 AM Takashi Iwai wrote: > > On Sun, 28 Apr 2019 09:18:40 +0200, > Takashi Iwai wrote: > > > > On Sun, 28 Apr 2019 08:42:32 +0200, > > Wenwen Wang wrote: > > > > > > In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb() > > > and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through > > > kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a > > > sanity check is performed for the endpoint in the urb by invoking > > > usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be > > > returned. In that case, however, the created urb and the allocated buffer > > > are not freed, leading to memory leaks. > > > > > > To fix the above issue, free the urb and the buffer if the check fails. > > > > > > Signed-off-by: Wenwen Wang > > > > Applied now, thanks. > > ... and looking at the code again, this patch turned out to be wrong. > The in04 urb and transfer buffer are freed at card->private_free > callback (snd_usX2Y_card_private_free()) later, so this patch would > lead to double-free. Thanks for your comment! Does that mean we should remove usb_free_urb() in the if statement of allocating 'usX2Y->In04Buf', because it may also lead to double free? Wenwen
[PATCH] ALSA: usx2y: fix a memory leak bug
In usX2Y_In04_init(), a new urb is firstly created through usb_alloc_urb()
and saved to 'usX2Y->In04urb'. Then, a buffer is allocated through
kmalloc() and saved to 'usX2Y->In04Buf'. After the urb is initialized, a
sanity check is performed for the endpoint in the urb by invoking
usb_urb_ep_type_check(). If the check fails, the error code EINVAL will be
returned. In that case, however, the created urb and the allocated buffer
are not freed, leading to memory leaks.
To fix the above issue, free the urb and the buffer if the check fails.
Signed-off-by: Wenwen Wang
---
sound/usb/usx2y/usbusx2y.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index da4a5a5..0817018 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -303,8 +303,11 @@ int usX2Y_In04_init(struct usX2Ydev *usX2Y)
usX2Y->In04Buf, 21,
i_usX2Y_In04Int, usX2Y,
10);
- if (usb_urb_ep_type_check(usX2Y->In04urb))
+ if (usb_urb_ep_type_check(usX2Y->In04urb)) {
+ kfree(usX2Y->In04Buf);
+ usb_put_urb(usX2Y->In04urb);
return -EINVAL;
+ }
return usb_submit_urb(usX2Y->In04urb, GFP_KERNEL);
}
--
2.7.4
[PATCH] ALSA: usb-audio: Fix a memory leak bug
In parse_audio_selector_unit(), the string array 'namelist' is allocated
through kmalloc_array(), and each string pointer in this array, i.e.,
'namelist[]', is allocated through kmalloc() in the following for loop.
Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
an error occurs during the creation process, the string array 'namelist',
including all string pointers in the array 'namelist[]', should be freed,
before the error code ENOMEM is returned. However, the current code does
not free 'namelist[]', resulting in memory leaks.
To fix the above issue, free all string pointers 'namelist[]' in a loop.
Signed-off-by: Wenwen Wang
---
sound/usb/mixer.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 73d7dff..53dccbf 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2675,6 +2675,8 @@ static int parse_audio_selector_unit(struct mixer_build
*state, int unitid,
kctl = snd_ctl_new1(_selectunit_ctl, cval);
if (! kctl) {
usb_audio_err(state->chip, "cannot malloc kcontrol\n");
+ for (i = 0; i < desc->bNrInPins; i++)
+ kfree(namelist[i]);
kfree(namelist);
kfree(cval);
return -ENOMEM;
--
2.7.4
Re: [PATCH] tracing: Fix a memory leak bug
On Fri, Apr 19, 2019 at 9:37 PM Steven Rostedt wrote: > > On Fri, 19 Apr 2019 21:22:59 -0500 > Wenwen Wang wrote: > > > In trace_pid_write(), the buffer for trace parser is allocated through > > kmalloc() in trace_parser_get_init(). Later on, after the buffer is used, > > it is then freed through kfree() in trace_parser_put(). However, it is > > possible that trace_pid_write() is terminated due to unexpected errors, > > e.g., ENOMEM. In that case, the allocated buffer will not be freed, which > > is a memory leak bug. > > > > To fix this issue, free the allocated buffer when an error is encountered. > > Thanks for the patch. Did you find this through manual inspection, > running KASAN or via one of the static analyzers? Thanks for your question, Steve. It was based on a prototype of a research project, which aims to statically detect memory leak bugs in operating system kernels. Wenwen
[PATCH] tracing: Fix a memory leak bug
In trace_pid_write(), the buffer for trace parser is allocated through
kmalloc() in trace_parser_get_init(). Later on, after the buffer is used,
it is then freed through kfree() in trace_parser_put(). However, it is
possible that trace_pid_write() is terminated due to unexpected errors,
e.g., ENOMEM. In that case, the allocated buffer will not be freed, which
is a memory leak bug.
To fix this issue, free the allocated buffer when an error is encountered.
Signed-off-by: Wenwen Wang
---
kernel/trace/trace.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 6c24755..fd12c9c 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -496,8 +496,10 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
* not modified.
*/
pid_list = kmalloc(sizeof(*pid_list), GFP_KERNEL);
- if (!pid_list)
+ if (!pid_list) {
+ trace_parser_put();
return -ENOMEM;
+ }
pid_list->pid_max = READ_ONCE(pid_max);
@@ -507,6 +509,7 @@ int trace_pid_write(struct trace_pid_list *filtered_pids,
pid_list->pids = vzalloc((pid_list->pid_max + 7) >> 3);
if (!pid_list->pids) {
+ trace_parser_put();
kfree(pid_list);
return -ENOMEM;
}
--
2.7.4
[PATCH v4] x86/PCI: fix a memory leak bug
In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
found through pirq_find_routing_table(). If the table is not found and
'CONFIG_PCI_BIOS' is defined, the table is then allocated in
pcibios_get_irq_routing_table() using kmalloc(). In the following
execution, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which is a memory
leak bug.
To fix this issue, free the allocated table if it is not used.
Signed-off-by: Wenwen Wang
Acked-by: Thomas Gleixner
---
arch/x86/pci/irq.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
index 52e5510..d3a73f9 100644
--- a/arch/x86/pci/irq.c
+++ b/arch/x86/pci/irq.c
@@ -1119,6 +1119,8 @@ static const struct dmi_system_id pciirq_dmi_table[]
__initconst = {
void __init pcibios_irq_init(void)
{
+ struct irq_routing_table *rtable = NULL;
+
DBG(KERN_DEBUG "PCI: IRQ init\n");
if (raw_pci_ops == NULL)
@@ -1129,8 +1131,10 @@ void __init pcibios_irq_init(void)
pirq_table = pirq_find_routing_table();
#ifdef CONFIG_PCI_BIOS
- if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN))
+ if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) {
pirq_table = pcibios_get_irq_routing_table();
+ rtable = pirq_table;
+ }
#endif
if (pirq_table) {
pirq_peer_trick();
@@ -1145,8 +1149,10 @@ void __init pcibios_irq_init(void)
* If we're using the I/O APIC, avoid using the PCI IRQ
* routing table
*/
- if (io_apic_assign_pci_irqs)
+ if (io_apic_assign_pci_irqs) {
+ kfree(rtable);
pirq_table = NULL;
+ }
}
x86_init.pci.fixup_irqs();
--
2.7.4
Re: [PATCH v2] x86/PCI: fix a memory leak bug
On Wed, Apr 17, 2019 at 12:58 AM Ingo Molnar wrote: > > > * Wenwen Wang wrote: > > > On Tue, Apr 16, 2019 at 3:33 PM Thomas Gleixner wrote: > > > > > > On Tue, 16 Apr 2019, Wenwen Wang wrote: > > > > > > > In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly > > > > found through pirq_find_routing_table(). If the table is not found and > > > > 'CONFIG_PCI_BIOS' is defined, the table is then allocated in > > > > pcibios_get_irq_routing_table() using kmalloc(). In the following > > > > execution, if the I/O APIC is used, this table is actually not used. > > > > However, in that case, the allocated table is not freed, which can lead > > > > to > > > > a memory leak bug. > > > > > > s/which can lead to/which is/ > > > > > > There is no 'can'. It simply is a memory leak. > > > > > > > To fix this issue, this patch frees the allocated table if it is not > > > > used. > > > > > > To fix this issue, free the allocated table if it is not used. > > > > > > 'this patch' is completely redundant information and discouraged in > > > Documentation/process/ > > > > > > > Thanks for your suggestions, Thomas. I will revise the commit's message. > > > > Wenwen > > > > > Other than that: > > > > > > Acked-by: Thomas Gleixner > > You didn't add Thomas's Acked-by to your commit ... > I will add it and resubmit the patch. Thanks, Wenwen
[PATCH v3] x86/PCI: fix a memory leak bug
In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
found through pirq_find_routing_table(). If the table is not found and
'CONFIG_PCI_BIOS' is defined, the table is then allocated in
pcibios_get_irq_routing_table() using kmalloc(). In the following
execution, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which is a memory
leak bug.
To fix this issue, free the allocated table if it is not used.
Signed-off-by: Wenwen Wang
---
arch/x86/pci/irq.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
index 52e5510..d3a73f9 100644
--- a/arch/x86/pci/irq.c
+++ b/arch/x86/pci/irq.c
@@ -1119,6 +1119,8 @@ static const struct dmi_system_id pciirq_dmi_table[]
__initconst = {
void __init pcibios_irq_init(void)
{
+ struct irq_routing_table *rtable = NULL;
+
DBG(KERN_DEBUG "PCI: IRQ init\n");
if (raw_pci_ops == NULL)
@@ -1129,8 +1131,10 @@ void __init pcibios_irq_init(void)
pirq_table = pirq_find_routing_table();
#ifdef CONFIG_PCI_BIOS
- if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN))
+ if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) {
pirq_table = pcibios_get_irq_routing_table();
+ rtable = pirq_table;
+ }
#endif
if (pirq_table) {
pirq_peer_trick();
@@ -1145,8 +1149,10 @@ void __init pcibios_irq_init(void)
* If we're using the I/O APIC, avoid using the PCI IRQ
* routing table
*/
- if (io_apic_assign_pci_irqs)
+ if (io_apic_assign_pci_irqs) {
+ kfree(rtable);
pirq_table = NULL;
+ }
}
x86_init.pci.fixup_irqs();
--
2.7.4
Re: [PATCH v2] x86/PCI: fix a memory leak bug
On Tue, Apr 16, 2019 at 3:33 PM Thomas Gleixner wrote: > > On Tue, 16 Apr 2019, Wenwen Wang wrote: > > > In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly > > found through pirq_find_routing_table(). If the table is not found and > > 'CONFIG_PCI_BIOS' is defined, the table is then allocated in > > pcibios_get_irq_routing_table() using kmalloc(). In the following > > execution, if the I/O APIC is used, this table is actually not used. > > However, in that case, the allocated table is not freed, which can lead to > > a memory leak bug. > > s/which can lead to/which is/ > > There is no 'can'. It simply is a memory leak. > > > To fix this issue, this patch frees the allocated table if it is not used. > > To fix this issue, free the allocated table if it is not used. > > 'this patch' is completely redundant information and discouraged in > Documentation/process/ > Thanks for your suggestions, Thomas. I will revise the commit's message. Wenwen > Other than that: > > Acked-by: Thomas Gleixner
[PATCH v2] x86/PCI: fix a memory leak bug
In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
found through pirq_find_routing_table(). If the table is not found and
'CONFIG_PCI_BIOS' is defined, the table is then allocated in
pcibios_get_irq_routing_table() using kmalloc(). In the following
execution, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which can lead to
a memory leak bug.
To fix this issue, this patch frees the allocated table if it is not used.
Signed-off-by: Wenwen Wang
---
arch/x86/pci/irq.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
index 52e5510..d3a73f9 100644
--- a/arch/x86/pci/irq.c
+++ b/arch/x86/pci/irq.c
@@ -1119,6 +1119,8 @@ static const struct dmi_system_id pciirq_dmi_table[]
__initconst = {
void __init pcibios_irq_init(void)
{
+ struct irq_routing_table *rtable = NULL;
+
DBG(KERN_DEBUG "PCI: IRQ init\n");
if (raw_pci_ops == NULL)
@@ -1129,8 +1131,10 @@ void __init pcibios_irq_init(void)
pirq_table = pirq_find_routing_table();
#ifdef CONFIG_PCI_BIOS
- if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN))
+ if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) {
pirq_table = pcibios_get_irq_routing_table();
+ rtable = pirq_table;
+ }
#endif
if (pirq_table) {
pirq_peer_trick();
@@ -1145,8 +1149,10 @@ void __init pcibios_irq_init(void)
* If we're using the I/O APIC, avoid using the PCI IRQ
* routing table
*/
- if (io_apic_assign_pci_irqs)
+ if (io_apic_assign_pci_irqs) {
+ kfree(rtable);
pirq_table = NULL;
+ }
}
x86_init.pci.fixup_irqs();
--
2.7.4
Re: [PATCH] x86/PCI: fix a memory leak bug
On Tue, Apr 16, 2019 at 2:23 AM Ingo Molnar wrote:
>
>
> * Wenwen Wang wrote:
>
> > In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
> > found through pirq_find_routing_table(). If the table is not found and
> > 'CONFIG_PCI_BIOS' is defined, the table is then allocated in
> > pcibios_get_irq_routing_table() using kmalloc(). In the following
> > execution, if the I/O APIC is used, this table is actually not used.
> > However, in that case, the allocated table is not freed, which can lead to
> > a memory leak bug.
> >
> > To fix this issue, this patch frees the allocated table if it is not used.
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > arch/x86/pci/irq.c | 10 --
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
> > index 52e5510..d9bcb96 100644
> > --- a/arch/x86/pci/irq.c
> > +++ b/arch/x86/pci/irq.c
> > @@ -1119,6 +1119,8 @@ static const struct dmi_system_id pciirq_dmi_table[]
> > __initconst = {
> >
> > void __init pcibios_irq_init(void)
> > {
> > + struct irq_routing_table *itable = NULL;
> > +
>
> Minor style nit: the canonical name of irq_routing_table local variables
> is usually 'rtable' or 'rt' - let's not add a third naming variant with
> 'itable'?
>
Thanks for your comment! I will rework the patch.
Wenwen
> > DBG(KERN_DEBUG "PCI: IRQ init\n");
> >
> > if (raw_pci_ops == NULL)
> > @@ -1129,8 +1131,10 @@ void __init pcibios_irq_init(void)
> > pirq_table = pirq_find_routing_table();
> >
> > #ifdef CONFIG_PCI_BIOS
> > - if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN))
> > + if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) {
> > pirq_table = pcibios_get_irq_routing_table();
> > + itable = pirq_table;
> > + }
> > #endif
> > if (pirq_table) {
> > pirq_peer_trick();
> > @@ -1145,8 +1149,10 @@ void __init pcibios_irq_init(void)
> >* If we're using the I/O APIC, avoid using the PCI IRQ
> >* routing table
> >*/
> > - if (io_apic_assign_pci_irqs)
> > + if (io_apic_assign_pci_irqs) {
> > + kfree(itable);
> > pirq_table = NULL;
> > + }
>
> Reviewed-by: Ingo Molnar
>
> Thanks,
>
> Ingo
[PATCH v2] udf: fix an uninitialized read bug and remove dead code
In udf_lookup(), the pointer 'fi' is a local variable initialized by the
return value of the function call udf_find_entry(). However, if the macro
'UDF_RECOVERY' is defined, this variable will become uninitialized if the
else branch is not taken, which can potentially cause incorrect results in
the following execution.
To fix this issue, this patch drops the whole code in the ifdef
'UDF_RECOVERY' region, as it is dead code.
Signed-off-by: Wenwen Wang
---
fs/udf/namei.c | 15 ---
1 file changed, 15 deletions(-)
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index 58cc241..77b6d89 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -304,21 +304,6 @@ static struct dentry *udf_lookup(struct inode *dir, struct
dentry *dentry,
if (dentry->d_name.len > UDF_NAME_LEN)
return ERR_PTR(-ENAMETOOLONG);
-#ifdef UDF_RECOVERY
- /* temporary shorthand for specifying files by inode number */
- if (!strncmp(dentry->d_name.name, ".B=", 3)) {
- struct kernel_lb_addr lb = {
- .logicalBlockNum = 0,
- .partitionReferenceNum =
- simple_strtoul(dentry->d_name.name + 3,
- NULL, 0),
- };
- inode = udf_iget(dir->i_sb, lb);
- if (IS_ERR(inode))
- return inode;
- } else
-#endif /* UDF_RECOVERY */
-
fi = udf_find_entry(dir, >d_name, , );
if (IS_ERR(fi))
return ERR_CAST(fi);
--
2.7.4
Re: [PATCH] udf: fix an uninitialized read bug
Thanks for your prompt reply, Jan! I will rework the patch. Best regards, Wenwen On Mon, Apr 15, 2019 at 11:05 AM Jan Kara wrote: > > On Mon 15-04-19 10:26:24, Wenwen Wang wrote: > > In udf_lookup(), the pointer 'fi' is a local variable initialized by the > > return value of the function call udf_find_entry(). However, if the macro > > 'UDF_RECOVERY' is defined, this variable will become uninitialized if the > > else branch is not taken, which can potentially cause incorrect results in > > the following execution. > > > > This patch simply initializes this local pointer to NULL. > > > > Signed-off-by: Wenwen Wang > > Thanks for the patch! A better fix is to drop the whole UDF_RECOVERY ifdef > and what's in it. It is just dead code anyway. > > Honza > > > --- > > fs/udf/namei.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/fs/udf/namei.c b/fs/udf/namei.c > > index 58cc241..9d499e1 100644 > > --- a/fs/udf/namei.c > > +++ b/fs/udf/namei.c > > @@ -299,7 +299,7 @@ static struct dentry *udf_lookup(struct inode *dir, > > struct dentry *dentry, > > struct inode *inode = NULL; > > struct fileIdentDesc cfi; > > struct udf_fileident_bh fibh; > > - struct fileIdentDesc *fi; > > + struct fileIdentDesc *fi = NULL; > > > > if (dentry->d_name.len > UDF_NAME_LEN) > > return ERR_PTR(-ENAMETOOLONG); > > -- > > 2.7.4 > > > > > -- > Jan Kara > SUSE Labs, CR
[PATCH] udf: fix an uninitialized read bug
In udf_lookup(), the pointer 'fi' is a local variable initialized by the return value of the function call udf_find_entry(). However, if the macro 'UDF_RECOVERY' is defined, this variable will become uninitialized if the else branch is not taken, which can potentially cause incorrect results in the following execution. This patch simply initializes this local pointer to NULL. Signed-off-by: Wenwen Wang --- fs/udf/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/udf/namei.c b/fs/udf/namei.c index 58cc241..9d499e1 100644 --- a/fs/udf/namei.c +++ b/fs/udf/namei.c @@ -299,7 +299,7 @@ static struct dentry *udf_lookup(struct inode *dir, struct dentry *dentry, struct inode *inode = NULL; struct fileIdentDesc cfi; struct udf_fileident_bh fibh; - struct fileIdentDesc *fi; + struct fileIdentDesc *fi = NULL; if (dentry->d_name.len > UDF_NAME_LEN) return ERR_PTR(-ENAMETOOLONG); -- 2.7.4
[PATCH] x86/PCI: fix a memory leak bug
In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
found through pirq_find_routing_table(). If the table is not found and
'CONFIG_PCI_BIOS' is defined, the table is then allocated in
pcibios_get_irq_routing_table() using kmalloc(). In the following
execution, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which can lead to
a memory leak bug.
To fix this issue, this patch frees the allocated table if it is not used.
Signed-off-by: Wenwen Wang
---
arch/x86/pci/irq.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
index 52e5510..d9bcb96 100644
--- a/arch/x86/pci/irq.c
+++ b/arch/x86/pci/irq.c
@@ -1119,6 +1119,8 @@ static const struct dmi_system_id pciirq_dmi_table[]
__initconst = {
void __init pcibios_irq_init(void)
{
+ struct irq_routing_table *itable = NULL;
+
DBG(KERN_DEBUG "PCI: IRQ init\n");
if (raw_pci_ops == NULL)
@@ -1129,8 +1131,10 @@ void __init pcibios_irq_init(void)
pirq_table = pirq_find_routing_table();
#ifdef CONFIG_PCI_BIOS
- if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN))
+ if (!pirq_table && (pci_probe & PCI_BIOS_IRQ_SCAN)) {
pirq_table = pcibios_get_irq_routing_table();
+ itable = pirq_table;
+ }
#endif
if (pirq_table) {
pirq_peer_trick();
@@ -1145,8 +1149,10 @@ void __init pcibios_irq_init(void)
* If we're using the I/O APIC, avoid using the PCI IRQ
* routing table
*/
- if (io_apic_assign_pci_irqs)
+ if (io_apic_assign_pci_irqs) {
+ kfree(itable);
pirq_table = NULL;
+ }
}
x86_init.pci.fixup_irqs();
--
2.7.4
[PATCH] gdrom: fix a memory leak bug
In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through kzalloc() and is used to hold the information of the gdrom device. To register and unregister the device, the pointer 'gd.cd_info' is passed to the functions register_cdrom() and unregister_cdrom(), respectively. However, this buffer is not freed after it is used, which can cause a memory leak bug. This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the above issue. Signed-off-by: Wenwen Wang --- drivers/cdrom/gdrom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c index a5b8afe..f8b7345 100644 --- a/drivers/cdrom/gdrom.c +++ b/drivers/cdrom/gdrom.c @@ -873,6 +873,7 @@ static void __exit exit_gdrom(void) platform_device_unregister(pd); platform_driver_unregister(_driver); kfree(gd.toc); + kfree(gd.cd_info); } module_init(init_gdrom); -- 2.7.4
[PATCH v2] misc: mic: fix a DMA pool free failure
In _scif_prog_signal(), a DMA pool is allocated if the MIC Coprocessor is
not X100, i.e., the boolean variable 'x100' is false. This DMA pool will be
freed eventually through the callback function scif_prog_signal_cb() with
the parameter of 'status', which actually points to the start of DMA pool.
Specifically, in scif_prog_signal_cb(), the 'ep' field and the
'src_dma_addr' field of 'status' are used to free the DMA pool by invoking
dma_pool_free(). Given that 'status' points to the start address of the DMA
pool, both 'status->ep' and 'status->src_dma_addr' are in the DMA pool. And
so, the device has the permission to access them. Even worse, a malicious
device can modify them. As a result, dma_pool_free() will not succeed.
To avoid the above issue, this patch introduces a new data structure, i.e.,
scif_cb_arg, to store the arguments required by the call back function. A
variable 'cb_arg' is allocated in _scif_prog_signal() to pass the
arguments. 'cb_arg' will be freed after dma_pool_free() in
scif_prog_signal_cb().
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/scif_fence.c | 22 +-
drivers/misc/mic/scif/scif_rma.h | 13 +
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/drivers/misc/mic/scif/scif_fence.c
b/drivers/misc/mic/scif/scif_fence.c
index 7bb929f..2e7ce6a 100644
--- a/drivers/misc/mic/scif/scif_fence.c
+++ b/drivers/misc/mic/scif/scif_fence.c
@@ -195,10 +195,11 @@ static inline void *scif_get_local_va(off_t off, struct
scif_window *window)
static void scif_prog_signal_cb(void *arg)
{
- struct scif_status *status = arg;
+ struct scif_cb_arg *cb_arg = arg;
- dma_pool_free(status->ep->remote_dev->signal_pool, status,
- status->src_dma_addr);
+ dma_pool_free(cb_arg->ep->remote_dev->signal_pool, cb_arg->status,
+ cb_arg->src_dma_addr);
+ kfree(cb_arg);
}
static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
@@ -209,6 +210,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
bool x100 = !is_dma_copy_aligned(chan->device, 1, 1, 1);
struct dma_async_tx_descriptor *tx;
struct scif_status *status = NULL;
+ struct scif_cb_arg *cb_arg = NULL;
dma_addr_t src;
dma_cookie_t cookie;
int err;
@@ -257,8 +259,16 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
goto dma_fail;
}
if (!x100) {
+ cb_arg = kmalloc(sizeof(*cb_arg), GFP_KERNEL);
+ if (!cb_arg) {
+ err = -ENOMEM;
+ goto dma_fail;
+ }
+ cb_arg->src_dma_addr = src;
+ cb_arg->status = status;
+ cb_arg->ep = ep;
tx->callback = scif_prog_signal_cb;
- tx->callback_param = status;
+ tx->callback_param = cb_arg;
}
cookie = tx->tx_submit(tx);
if (dma_submit_error(cookie)) {
@@ -270,9 +280,11 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
dma_async_issue_pending(chan);
return 0;
dma_fail:
- if (!x100)
+ if (!x100) {
dma_pool_free(ep->remote_dev->signal_pool, status,
src - offsetof(struct scif_status, val));
+ kfree(cb_arg);
+ }
alloc_fail:
return err;
}
diff --git a/drivers/misc/mic/scif/scif_rma.h b/drivers/misc/mic/scif/scif_rma.h
index fa67222..84af303 100644
--- a/drivers/misc/mic/scif/scif_rma.h
+++ b/drivers/misc/mic/scif/scif_rma.h
@@ -206,6 +206,19 @@ struct scif_status {
};
/*
+ * struct scif_cb_arg - Stores the argument of the callback func
+ *
+ * @src_dma_addr: Source buffer DMA address
+ * @status: DMA status
+ * @ep: SCIF endpoint
+ */
+struct scif_cb_arg {
+ dma_addr_t src_dma_addr;
+ struct scif_status *status;
+ struct scif_endpt *ep;
+};
+
+/*
* struct scif_window - Registration Window for Self and Remote
*
* @nr_pages: Number of pages which is defined as a s64 instead of an int
--
2.7.4
[PATCH v2] misc: mic: fix a DMA pool free failure
In _scif_prog_signal(), a DMA pool is allocated if the MIC Coprocessor is
not X100, i.e., the boolean variable 'x100' is false. This DMA pool will be
freed eventually through the callback function scif_prog_signal_cb() with
the parameter of 'status', which actually points to the start of DMA pool.
Specifically, in scif_prog_signal_cb(), the 'ep' field and the
'src_dma_addr' field of 'status' are used to free the DMA pool by invoking
dma_pool_free(). Given that 'status' points to the start address of the DMA
pool, both 'status->ep' and 'status->src_dma_addr' are in the DMA pool. And
so, the device has the permission to access them. Even worse, a malicious
device can modify them. As a result, dma_pool_free() will not succeed.
To avoid the above issue, this patch introduces a new data structure, i.e.,
scif_cb_arg, to store the arguments required by the call back function. A
variable 'cb_arg' is allocated in _scif_prog_signal() to pass the
arguments. 'cb_arg' will be freed after dma_pool_free() in
scif_prog_signal_cb().
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/scif_fence.c | 22 +-
drivers/misc/mic/scif/scif_rma.h | 13 +
2 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/drivers/misc/mic/scif/scif_fence.c
b/drivers/misc/mic/scif/scif_fence.c
index 7bb929f..2e7ce6a 100644
--- a/drivers/misc/mic/scif/scif_fence.c
+++ b/drivers/misc/mic/scif/scif_fence.c
@@ -195,10 +195,11 @@ static inline void *scif_get_local_va(off_t off, struct
scif_window *window)
static void scif_prog_signal_cb(void *arg)
{
- struct scif_status *status = arg;
+ struct scif_cb_arg *cb_arg = arg;
- dma_pool_free(status->ep->remote_dev->signal_pool, status,
- status->src_dma_addr);
+ dma_pool_free(cb_arg->ep->remote_dev->signal_pool, cb_arg->status,
+ cb_arg->src_dma_addr);
+ kfree(cb_arg);
}
static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
@@ -209,6 +210,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
bool x100 = !is_dma_copy_aligned(chan->device, 1, 1, 1);
struct dma_async_tx_descriptor *tx;
struct scif_status *status = NULL;
+ struct scif_cb_arg *cb_arg = NULL;
dma_addr_t src;
dma_cookie_t cookie;
int err;
@@ -257,8 +259,16 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
goto dma_fail;
}
if (!x100) {
+ cb_arg = kmalloc(sizeof(*cb_arg), GFP_KERNEL);
+ if (!cb_arg) {
+ err = -ENOMEM;
+ goto dma_fail;
+ }
+ cb_arg->src_dma_addr = src;
+ cb_arg->status = status;
+ cb_arg->ep = ep;
tx->callback = scif_prog_signal_cb;
- tx->callback_param = status;
+ tx->callback_param = cb_arg;
}
cookie = tx->tx_submit(tx);
if (dma_submit_error(cookie)) {
@@ -270,9 +280,11 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
dst, u64 val)
dma_async_issue_pending(chan);
return 0;
dma_fail:
- if (!x100)
+ if (!x100) {
dma_pool_free(ep->remote_dev->signal_pool, status,
src - offsetof(struct scif_status, val));
+ kfree(cb_arg);
+ }
alloc_fail:
return err;
}
diff --git a/drivers/misc/mic/scif/scif_rma.h b/drivers/misc/mic/scif/scif_rma.h
index fa67222..84af303 100644
--- a/drivers/misc/mic/scif/scif_rma.h
+++ b/drivers/misc/mic/scif/scif_rma.h
@@ -206,6 +206,19 @@ struct scif_status {
};
/*
+ * struct scif_cb_arg - Stores the argument of the callback func
+ *
+ * @src_dma_addr: Source buffer DMA address
+ * @status: DMA status
+ * @ep: SCIF endpoint
+ */
+struct scif_cb_arg {
+ dma_addr_t src_dma_addr;
+ struct scif_status *status;
+ struct scif_endpt *ep;
+};
+
+/*
* struct scif_window - Registration Window for Self and Remote
*
* @nr_pages: Number of pages which is defined as a s64 instead of an int
--
2.7.4
Re: [PATCH] misc: mic: fix a DMA pool free failure
On Sun, Nov 4, 2018 at 8:05 PM Sudeep Dutt wrote:
>
> On Thu, 2018-10-18 at 14:46 -0500, Wenwen Wang wrote:
> > In _scif_prog_signal(), a DMA pool is allocated if the MIC Coprocessor is
> > not X100, i.e., the boolean variable 'x100' is false. This DMA pool will be
> > freed eventually through the callback function scif_prog_signal_cb() with
> > the parameter of 'status', which actually points to the start of DMA pool.
> > Specifically, in scif_prog_signal_cb(), the 'ep' field and the
> > 'src_dma_addr' field of 'status' are used to free the DMA pool by invoking
> > dma_pool_free(). Given that 'status' points to the start address of the DMA
> > pool, both 'status->ep' and 'status->src_dma_addr' are in the DMA pool. And
> > so, the device has the permission to access them. Even worse, a malicious
> > device can modify them. As a result, dma_pool_free() will not succeed.
> >
> > To avoid the above issue, this patch introduces a new data structure, i.e.,
> > scif_cb_arg, to store the arguments required by the call back function. A
> > variable 'cb_arg' is allocated in _scif_prog_signal() to pass the
> > arguments. 'cb_arg' will be freed after dma_pool_free() in
> > scif_prog_signal_cb().
> >
> > Signed-off-by: Wenwen Wang
> > ---
> > drivers/misc/mic/scif/scif_fence.c | 17 +
> > drivers/misc/mic/scif/scif_rma.h | 14 ++
> > 2 files changed, 27 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/misc/mic/scif/scif_fence.c
> > b/drivers/misc/mic/scif/scif_fence.c
> > index cac3bcc..30f7d9b 100644
> > --- a/drivers/misc/mic/scif/scif_fence.c
> > +++ b/drivers/misc/mic/scif/scif_fence.c
> > @@ -195,10 +195,11 @@ static inline void *scif_get_local_va(off_t off,
> > struct scif_window *window)
> >
> > static void scif_prog_signal_cb(void *arg)
> > {
> > - struct scif_status *status = arg;
> > + struct scif_cb_arg *cb_arg = arg;
> >
> > - dma_pool_free(status->ep->remote_dev->signal_pool, status,
> > - status->src_dma_addr);
> > + dma_pool_free(cb_arg->ep->remote_dev->signal_pool, cb_arg->status,
> > + cb_arg->src_dma_addr);
> > + kfree(cb_arg);
> > }
> >
> > static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val)
> > @@ -209,6 +210,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t
> > dst, u64 val)
> > bool x100 = !is_dma_copy_aligned(chan->device, 1, 1, 1);
> > struct dma_async_tx_descriptor *tx;
> > struct scif_status *status = NULL;
> > + struct scif_cb_arg *cb_arg = NULL;
> > dma_addr_t src;
> > dma_cookie_t cookie;
> > int err;
> > @@ -257,8 +259,15 @@ static int _scif_prog_signal(scif_epd_t epd,
> > dma_addr_t dst, u64 val)
> > goto dma_fail;
> > }
> > if (!x100) {
> > + err = -ENOMEM;
>
> Should err be set to -ENOMEM only if the cb_arg allocation fails?
>
> > + cb_arg = kmalloc(sizeof(*cb_arg), GFP_KERNEL);
> > + if (!cb_arg)
> > + goto dma_fail;
> > + cb_arg->src_dma_addr = src;
> > + cb_arg->status = status;
> > + cb_arg->ep = ep;
> > tx->callback = scif_prog_signal_cb;
> > - tx->callback_param = status;
> > + tx->callback_param = cb_arg;
> > }
>
> cb_arg should be freed if there is a dma_submit_error(..) below in the
> dma_fail path.
>
> Wenwen, can you please fix these up and resend the patch?
Sure, will fix the issues and resubmit the patch. Thanks!
Wenwen
