Re: [PATCHv2 2/2] hwmon: core: fix potential memory leak in *hwmon_device_register*

2019-06-06 Thread Eduardo Valentin 
On Wed, Jun 05, 2019 at 01:38:38PM -0700, Guenter Roeck wrote:
> On Wed, May 29, 2019 at 07:56:05PM -0700, Eduardo Valentin wrote:
> > When registering a hwmon device with HWMON_C_REGISTER_TZ flag
> > in place, the hwmon subsystem will attempt to register the device
> > also with the thermal subsystem. When the of-thermal registration
> > fails, __hwmon_device_register jumps to ida_remove, leaving
> > the locally allocated hwdev pointer.
> > 
> > This patch fixes the leak by jumping to a new label that
> > will first unregister hdev and then fall into the kfree of hwdev
> > to finally remove the idas and propagate the error code.
> > 
> 
> Hah, actually this is wrong. hwdev is freed indirectly with the
> device_unregister() call. See commit 74e3512731bd ("hwmon: (core)
> Fix double-free in __hwmon_device_register()").

heh.. I see it now. Well, it is not a straight catch though. 

> 
> It may make sense to add a respective comment to the code, though.
> 

I agree. Or a simple comment saying "dont worry about freeing hwdev
because hwmon_dev_release() takes care of it".

Are you patching it ?

> Guenter
> 
> > Cc: Jean Delvare 
> > Cc: Guenter Roeck 
> > Cc: linux-hw...@vger.kernel.org
> > Cc: linux-kernel@vger.kernel.org
> > Signed-off-by: Eduardo Valentin 
> > ---
> > V1->V2: removed the device_unregister() before jumping
> > into the new label, as suggested in the first review round.
> > 
> >  drivers/hwmon/hwmon.c | 8 
> >  1 file changed, 4 insertions(+), 4 deletions(-)
> > 
> > diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
> > index 429784edd5ff..620f05fc412a 100644
> > --- a/drivers/hwmon/hwmon.c
> > +++ b/drivers/hwmon/hwmon.c
> > @@ -652,10 +652,8 @@ __hwmon_device_register(struct device *dev, const char 
> > *name, void *drvdata,
> > if (info[i]->config[j] & HWMON_T_INPUT) {
> > err = hwmon_thermal_add_sensor(dev,
> > hwdev, j);
> > -   if (err) {
> > -   device_unregister(hdev);
> > -   goto ida_remove;
> > -   }
> > +   if (err)
> > +   goto device_unregister;
> > }
> > }
> > }
> > @@ -663,6 +661,8 @@ __hwmon_device_register(struct device *dev, const char 
> > *name, void *drvdata,
> >  
> > return hdev;
> >  
> > +device_unregister:
> > +   device_unregister(hdev);
> >  free_hwmon:
> > kfree(hwdev);
> >  ida_remove:

-- 
All the best,
Eduardo Valentin

Re: [PATCHv2 2/2] hwmon: core: fix potential memory leak in *hwmon_device_register*

2019-06-05 Thread Guenter Roeck 
On Wed, May 29, 2019 at 07:56:05PM -0700, Eduardo Valentin wrote:
> When registering a hwmon device with HWMON_C_REGISTER_TZ flag
> in place, the hwmon subsystem will attempt to register the device
> also with the thermal subsystem. When the of-thermal registration
> fails, __hwmon_device_register jumps to ida_remove, leaving
> the locally allocated hwdev pointer.
> 
> This patch fixes the leak by jumping to a new label that
> will first unregister hdev and then fall into the kfree of hwdev
> to finally remove the idas and propagate the error code.
> 

Hah, actually this is wrong. hwdev is freed indirectly with the
device_unregister() call. See commit 74e3512731bd ("hwmon: (core)
Fix double-free in __hwmon_device_register()").

It may make sense to add a respective comment to the code, though.

Guenter

> Cc: Jean Delvare 
> Cc: Guenter Roeck 
> Cc: linux-hw...@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Signed-off-by: Eduardo Valentin 
> ---
> V1->V2: removed the device_unregister() before jumping
> into the new label, as suggested in the first review round.
> 
>  drivers/hwmon/hwmon.c | 8 
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/hwmon/hwmon.c b/drivers/hwmon/hwmon.c
> index 429784edd5ff..620f05fc412a 100644
> --- a/drivers/hwmon/hwmon.c
> +++ b/drivers/hwmon/hwmon.c
> @@ -652,10 +652,8 @@ __hwmon_device_register(struct device *dev, const char 
> *name, void *drvdata,
>   if (info[i]->config[j] & HWMON_T_INPUT) {
>   err = hwmon_thermal_add_sensor(dev,
>   hwdev, j);
> - if (err) {
> - device_unregister(hdev);
> - goto ida_remove;
> - }
> + if (err)
> + goto device_unregister;
>   }
>   }
>   }
> @@ -663,6 +661,8 @@ __hwmon_device_register(struct device *dev, const char 
> *name, void *drvdata,
>  
>   return hdev;
>  
> +device_unregister:
> + device_unregister(hdev);
>  free_hwmon:
>   kfree(hwdev);
>  ida_remove: