ata: pata_parport: fix memory leaks
When ida_alloc() fails, "pi" is not freed although the misleading comment says otherwise. Move the ida_alloc() call up so we really don't have to free "pi" in case of ida_alloc() failure. Also move ida_free() call from pi_remove_one() to pata_parport_dev_release(). It was dereferencing already freed dev pointer. Testing revealed leak even in non-failure case which was tracked down to missing put_device() call after bus_find_device_by_name(). As a result, pata_parport_dev_release() was never called. Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <error27@gmail.com> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/ Signed-off-by: Ondrej Zary <linux@zary.sk> Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
This commit is contained in:
parent
dc472c7612
commit
5bc9e2d43f
|
@ -381,6 +381,7 @@ static void pata_parport_dev_release(struct device *dev)
|
|||
{
|
||||
struct pi_adapter *pi = container_of(dev, struct pi_adapter, dev);
|
||||
|
||||
ida_free(&pata_parport_bus_dev_ids, dev->id);
|
||||
kfree(pi);
|
||||
}
|
||||
|
||||
|
@ -433,23 +434,27 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
|
|||
if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
|
||||
return NULL;
|
||||
|
||||
pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
|
||||
if (!pi)
|
||||
id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
|
||||
if (id < 0)
|
||||
return NULL;
|
||||
|
||||
pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
|
||||
if (!pi) {
|
||||
ida_free(&pata_parport_bus_dev_ids, id);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
|
||||
pi->dev.parent = &pata_parport_bus;
|
||||
pi->dev.bus = &pata_parport_bus_type;
|
||||
pi->dev.driver = &pr->driver;
|
||||
pi->dev.release = pata_parport_dev_release;
|
||||
id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
|
||||
if (id < 0)
|
||||
return NULL; /* pata_parport_dev_release will do kfree(pi) */
|
||||
pi->dev.id = id;
|
||||
dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
|
||||
if (device_register(&pi->dev)) {
|
||||
put_device(&pi->dev);
|
||||
goto out_ida_free;
|
||||
/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
pi->proto = pr;
|
||||
|
@ -464,8 +469,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
|
|||
pi->port = parport->base;
|
||||
|
||||
par_cb.private = pi;
|
||||
pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
|
||||
pi->dev.id);
|
||||
pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb, id);
|
||||
if (!pi->pardev)
|
||||
goto out_module_put;
|
||||
|
||||
|
@ -501,8 +505,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
|
|||
module_put(pi->proto->owner);
|
||||
out_unreg_dev:
|
||||
device_unregister(&pi->dev);
|
||||
out_ida_free:
|
||||
ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
|
||||
/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
@ -627,8 +630,7 @@ static void pi_remove_one(struct device *dev)
|
|||
pi_disconnect(pi);
|
||||
pi_release(pi);
|
||||
device_unregister(dev);
|
||||
ida_free(&pata_parport_bus_dev_ids, dev->id);
|
||||
/* pata_parport_dev_release will do kfree(pi) */
|
||||
/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
|
||||
}
|
||||
|
||||
static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
|
||||
|
@ -644,6 +646,7 @@ static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
|
|||
}
|
||||
|
||||
pi_remove_one(dev);
|
||||
put_device(dev);
|
||||
mutex_unlock(&pi_mutex);
|
||||
|
||||
return count;
|
||||
|
|
Loading…
Reference in New Issue