lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  1 May 2020 21:37:03 -0700
From:   Amit Sunil Dhamne <amit.sunil.dhamne@...inx.com>
To:     mturquette@...libre.com, sboyd@...nel.org, michal.simek@...inx.com,
        mark.rutland@....com, linux-clk@...r.kernel.org
Cc:     rajanv@...inx.com, jollys@...inx.com,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
        Quanyang Wang <quanyang.wang@...driver.com>,
        Tejas Patel <tejas.patel@...inx.com>,
        Jolly Shah <jolly.shah@...inx.com>,
        Amit Sunil Dhamne <amit.sunil.dhamne@...inx.com>
Subject: [RESEND PATCH v2 4/4] drivers: clk: zynqmp: fix memory leak in zynqmp_register_clocks

From: Quanyang Wang <quanyang.wang@...driver.com>

This is detected by kmemleak running on zcu102 board:

unreferenced object 0xffffffc877e48180 (size 128):
comm "swapper/0", pid 1, jiffies 4294892909 (age 315.436s)
hex dump (first 32 bytes):
64 70 5f 76 69 64 65 6f 5f 72 65 66 5f 64 69 76 dp_video_ref_div
31 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1...............
backtrace:
[<00000000c9be883b>] __kmalloc_track_caller+0x200/0x380
[<00000000f02c3809>] kvasprintf+0x7c/0x100
[<00000000e51dde4d>] kasprintf+0x60/0x80
[<0000000092298b05>] zynqmp_register_clocks+0x29c/0x398
[<00000000faaff182>] zynqmp_clock_probe+0x3cc/0x4c0
[<000000005f5986f0>] platform_drv_probe+0x58/0xa8
[<00000000d5810136>] really_probe+0xd8/0x2a8
[<00000000f5b671be>] driver_probe_device+0x5c/0x100
[<0000000038f91fcf>] __device_attach_driver+0x98/0xb8
[<000000008a3f2ac2>] bus_for_each_drv+0x74/0xd8
[<000000001cb2783d>] __device_attach+0xe0/0x140
[<00000000c268031b>] device_initial_probe+0x24/0x30
[<000000006998de4b>] bus_probe_device+0x9c/0xa8
[<00000000647ae6ff>] device_add+0x3c0/0x610
[<0000000071c14bb8>] of_device_add+0x40/0x50
[<000000004bb5d132>] of_platform_device_create_pdata+0xbc/0x138

This is because that when num_nodes is larger than 1, clk_out is
allocated using kasprintf for these nodes but only the last node's
clk_out is freed.

Signed-off-by: Quanyang Wang <quanyang.wang@...driver.com>
Signed-off-by: Michal Simek <michal.simek@...inx.com>
Signed-off-by: Tejas Patel <tejas.patel@...inx.com>
Signed-off-by: Jolly Shah <jolly.shah@...inx.com>
Signed-off-by: Amit Sunil Dhamne <amit.sunil.dhamne@...inx.com>
---
 drivers/clk/zynqmp/clkc.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c
index 3e83c51..e8b2cf2 100644
--- a/drivers/clk/zynqmp/clkc.c
+++ b/drivers/clk/zynqmp/clkc.c
@@ -558,7 +558,7 @@ static struct clk_hw *zynqmp_register_clk_topology(int clk_id, char *clk_name,
 {
        int j;
        u32 num_nodes, clk_dev_id;
-       char *clk_out = NULL;
+       char *clk_out[MAX_NODES];
        struct clock_topology *nodes;
        struct clk_hw *hw = NULL;

@@ -572,16 +572,16 @@ static struct clk_hw *zynqmp_register_clk_topology(int clk_id, char *clk_name,
                 * Intermediate clock names are postfixed with type of clock.
                 */
                if (j != (num_nodes - 1)) {
-                       clk_out = kasprintf(GFP_KERNEL, "%s%s", clk_name,
+                       clk_out[j] = kasprintf(GFP_KERNEL, "%s%s", clk_name,
                                            clk_type_postfix[nodes[j].type]);
                } else {
-                       clk_out = kasprintf(GFP_KERNEL, "%s", clk_name);
+                       clk_out[j] = kasprintf(GFP_KERNEL, "%s", clk_name);
                }

                if (!clk_topology[nodes[j].type])
                        continue;

-               hw = (*clk_topology[nodes[j].type])(clk_out, clk_dev_id,
+               hw = (*clk_topology[nodes[j].type])(clk_out[j], clk_dev_id,
                                                    parent_names,
                                                    num_parents,
                                                    &nodes[j]);
@@ -590,9 +590,12 @@ static struct clk_hw *zynqmp_register_clk_topology(int clk_id, char *clk_name,
                                     __func__,  clk_dev_id, clk_name,
                                     PTR_ERR(hw));

-               parent_names[0] = clk_out;
+               parent_names[0] = clk_out[j];
        }
-       kfree(clk_out);
+
+       for (j = 0; j < num_nodes; j++)
+               kfree(clk_out[j]);
+
        return hw;
 }

--
2.7.4

This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ