lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8b0eb4d0-ca10-35a5-a74c-fd0f7d11713c@opensource.wdc.com>
Date:   Sun, 12 Mar 2023 09:56:25 +0900
From:   Damien Le Moal <damien.lemoal@...nsource.wdc.com>
To:     Ondrej Zary <linux@...y.sk>
Cc:     Christoph Hellwig <hch@....de>,
        Sergey Shtylyov <s.shtylyov@....ru>, linux-ide@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] pata_parport: fix possible memory leak

On 3/12/23 06:44, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.

Certainly you meant: "so we really do free it in case of error.", no ?

> 
> Reported-by: kernel test robot <lkp@...el.com>
> Reported-by: Dan Carpenter <error27@...il.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@...y.sk>
> ---
>  drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> index 6165ee9aa7da..a9eff6003098 100644
> --- a/drivers/ata/pata_parport/pata_parport.c
> +++ b/drivers/ata/pata_parport/pata_parport.c
> @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
>  		return NULL;
>  
> +	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> +	if (id < 0)
> +		return NULL;
> +
>  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
>  	if (!pi)
> -		return NULL;
> +		goto out_ida_free;
>  
>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>  	pi->dev.parent = &pata_parport_bus;
>  	pi->dev.bus = &pata_parport_bus_type;
>  	pi->dev.driver = &pr->driver;
>  	pi->dev.release = pata_parport_dev_release;
> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> -	if (id < 0)
> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
>  	pi->dev.id = id;
>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>  	if (device_register(&pi->dev)) {
> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  out_unreg_dev:
>  	device_unregister(&pi->dev);

Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
return here ?

>  out_ida_free:
> -	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> +	ida_free(&pata_parport_bus_dev_ids, id);
>  	return NULL;
>  }
>  

-- 
Damien Le Moal
Western Digital Research

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ