lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1490320241-9250-3-git-send-email-jeffy.chen@rock-chips.com>
Date:   Fri, 24 Mar 2017 09:50:41 +0800
From:   Jeffy Chen <jeffy.chen@...k-chips.com>
To:     linux-kernel@...r.kernel.org
Cc:     robh@...nel.org, toshi.kani@....com, shawn.lin@...k-chips.com,
        briannorris@...omium.org, dianders@...omium.org,
        bhelgaas@...gle.com, dtor@...omium.org,
        Jeffy Chen <jeffy.chen@...k-chips.com>,
        Frank Rowand <frowand.list@...il.com>,
        devicetree@...r.kernel.org, Rob Herring <robh+dt@...nel.org>
Subject: [PATCH v3 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources

Currently we only free the allocated resource struct when error.
This would cause memory leak after pci_free_resource_list.

Signed-off-by: Jeffy Chen <jeffy.chen@...k-chips.com>
---

Changes in v3:
Add some comments.

Changes in v2:
Don't change the resource_list_create_entry's behavior.

 drivers/of/of_pci.c | 68 ++++++++++++++++++++++++++++-------------------------
 1 file changed, 36 insertions(+), 32 deletions(-)

diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
index 0ee42c3..6956e17 100644
--- a/drivers/of/of_pci.c
+++ b/drivers/of/of_pci.c
@@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 			struct list_head *resources, resource_size_t *io_base)
 {
 	struct resource_entry *window;
-	struct resource *res;
-	struct resource *bus_range;
+	struct resource res;
 	struct of_pci_range range;
 	struct of_pci_range_parser parser;
 	char range_type[4];
@@ -200,24 +199,30 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 	if (io_base)
 		*io_base = (resource_size_t)OF_BAD_ADDR;
 
-	bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
-	if (!bus_range)
-		return -ENOMEM;
-
 	pr_info("host bridge %s ranges:\n", dev->full_name);
 
-	err = of_pci_parse_bus_range(dev, bus_range);
+	err = of_pci_parse_bus_range(dev, &res);
 	if (err) {
-		bus_range->start = busno;
-		bus_range->end = bus_max;
-		bus_range->flags = IORESOURCE_BUS;
-		pr_info("  No bus range found for %s, using %pR\n",
-			dev->full_name, bus_range);
+		res.start = busno;
+		res.end = bus_max;
+		res.flags = IORESOURCE_BUS;
+		pr_info("  No bus range found for %s\n", dev->full_name);
 	} else {
-		if (bus_range->end > bus_range->start + bus_max)
-			bus_range->end = bus_range->start + bus_max;
+		if (res.end > res.start + bus_max)
+			res.end = res.start + bus_max;
+	}
+
+	/*
+	 * We add an empty resource and fill it in, to avoid allocating new
+	 * resource struct.
+	 * It might be racy here, but empty resources are harmless.
+	 */
+	window = pci_add_resource(resources, NULL);
+	if (!window) {
+		err = -ENOMEM;
+		goto parse_failed;
 	}
-	pci_add_resource(resources, bus_range);
+	*window->res = res;
 
 	/* Check for ranges property */
 	err = of_pci_range_parser_init(&parser, dev);
@@ -244,24 +249,16 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 		if (range.cpu_addr == OF_BAD_ADDR || range.size == 0)
 			continue;
 
-		res = kzalloc(sizeof(struct resource), GFP_KERNEL);
-		if (!res) {
-			err = -ENOMEM;
-			goto parse_failed;
-		}
-
-		err = of_pci_range_to_resource(&range, dev, res);
-		if (err) {
-			kfree(res);
+		err = of_pci_range_to_resource(&range, dev, &res);
+		if (err)
 			continue;
-		}
 
-		if (resource_type(res) == IORESOURCE_IO) {
+		if (resource_type(&res) == IORESOURCE_IO) {
 			if (!io_base) {
 				pr_err("I/O range found for %s. Please provide an io_base pointer to save CPU base address\n",
 					dev->full_name);
 				err = -EINVAL;
-				goto conversion_failed;
+				goto parse_failed;
 			}
 			if (*io_base != (resource_size_t)OF_BAD_ADDR)
 				pr_warn("More than one I/O resource converted for %s. CPU base address for old range lost!\n",
@@ -269,16 +266,23 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 			*io_base = range.cpu_addr;
 		}
 
-		pci_add_resource_offset(resources, res,	res->start - range.pci_addr);
+		/*
+		 * We add an empty resource and fill it in, to avoid allocating
+		 * new resource struct.
+		 * It might be racy here, but empty resources are harmless.
+		 */
+		window = pci_add_resource(resources, NULL);
+		if (!window) {
+			err = -ENOMEM;
+			goto parse_failed;
+		}
+		*window->res = res;
+		window->offset = res.start - range.pci_addr;
 	}
 
 	return 0;
 
-conversion_failed:
-	kfree(res);
 parse_failed:
-	resource_list_for_each_entry(window, resources)
-		kfree(window->res);
 	pci_free_resource_list(resources);
 	return err;
 }
-- 
2.1.4


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ