[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6e7a5df7-6ded-7777-5552-879934c185ad@linaro.org>
Date: Tue, 18 Feb 2020 09:56:13 +0000
From: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
To: Bartosz Golaszewski <brgl@...ev.pl>,
Linus Walleij <linus.walleij@...aro.org>,
Khouloud Touil <ktouil@...libre.com>,
Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: linux-gpio@...r.kernel.org, linux-kernel@...r.kernel.org,
Bartosz Golaszewski <bgolaszewski@...libre.com>,
stable@...r.kernel.org
Subject: Re: [PATCH v2 2/7] nvmem: fix another memory leak in error path
On 18/02/2020 09:42, Bartosz Golaszewski wrote:
> From: Bartosz Golaszewski <bgolaszewski@...libre.com>
>
> The nvmem struct is only freed on the first error check after its
> allocation and leaked after that. Fix it with a new label.
>
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Bartosz Golaszewski <bgolaszewski@...libre.com>
> ---
> drivers/nvmem/core.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
> index b0be03d5f240..c9b3f4047154 100644
> --- a/drivers/nvmem/core.c
> +++ b/drivers/nvmem/core.c
> @@ -343,10 +343,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
> return ERR_PTR(-ENOMEM);
>
> rval = ida_simple_get(&nvmem_ida, 0, 0, GFP_KERNEL);
> - if (rval < 0) {
> - kfree(nvmem);
> - return ERR_PTR(rval);
> - }
> + if (rval < 0)
> + goto err_free_nvmem;
> if (config->wp_gpio)
> nvmem->wp_gpio = config->wp_gpio;
> else
> @@ -432,6 +430,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
> put_device(&nvmem->dev);
> err_ida_remove:
> ida_simple_remove(&nvmem_ida, nvmem->id);
> +err_free_nvmem:
> + kfree(nvmem);
This is not correct fix to start with, if the device has already been
intialized before jumping here then nvmem would be freed as part of
nvmem_release().
So the bug was actually introduced by adding err_ida_remove label.
You can free nvmem at that point but not at any point after that as
device core would be holding a reference to it.
--srini
>
> return ERR_PTR(rval);
> }
>
Powered by blists - more mailing lists