From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Yang Yingliang <yangyingliang@huawei.com>,
Ulf Hansson <ulf.hansson@linaro.org>
Subject: [PATCH 4.14 39/53] mmc: sdio: fix possible resource leaks in some error paths
Date: Mon, 20 Feb 2023 14:36:05 +0100 [thread overview]
Message-ID: <20230220133549.563145145@linuxfoundation.org> (raw)
In-Reply-To: <20230220133548.158615609@linuxfoundation.org>
From: Yang Yingliang <yangyingliang@huawei.com>
commit 605d9fb9556f8f5fb4566f4df1480f280f308ded upstream.
If sdio_add_func() or sdio_init_func() fails, sdio_remove_func() can
not release the resources, because the sdio function is not presented
in these two cases, it won't call of_node_put() or put_device().
To fix these leaks, make sdio_func_present() only control whether
device_del() needs to be called or not, then always call of_node_put()
and put_device().
In error case in sdio_init_func(), the reference of 'card->dev' is
not get, to avoid redundant put in sdio_free_func_cis(), move the
get_device() to sdio_alloc_func() and put_device() to sdio_release_func(),
it can keep the get/put function be balanced.
Without this patch, while doing fault inject test, it can get the
following leak reports, after this fix, the leak is gone.
unreferenced object 0xffff888112514000 (size 2048):
comm "kworker/3:2", pid 65, jiffies 4294741614 (age 124.774s)
hex dump (first 32 bytes):
00 e0 6f 12 81 88 ff ff 60 58 8d 06 81 88 ff ff ..o.....`X......
10 40 51 12 81 88 ff ff 10 40 51 12 81 88 ff ff .@Q......@Q.....
backtrace:
[<000000009e5931da>] kmalloc_trace+0x21/0x110
[<000000002f839ccb>] mmc_alloc_card+0x38/0xb0 [mmc_core]
[<0000000004adcbf6>] mmc_sdio_init_card+0xde/0x170 [mmc_core]
[<000000007538fea0>] mmc_attach_sdio+0xcb/0x1b0 [mmc_core]
[<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
unreferenced object 0xffff888112511000 (size 2048):
comm "kworker/3:2", pid 65, jiffies 4294741623 (age 124.766s)
hex dump (first 32 bytes):
00 40 51 12 81 88 ff ff e0 58 8d 06 81 88 ff ff .@Q......X......
10 10 51 12 81 88 ff ff 10 10 51 12 81 88 ff ff ..Q.......Q.....
backtrace:
[<000000009e5931da>] kmalloc_trace+0x21/0x110
[<00000000fcbe706c>] sdio_alloc_func+0x35/0x100 [mmc_core]
[<00000000c68f4b50>] mmc_attach_sdio.cold.18+0xb1/0x395 [mmc_core]
[<00000000d4fdeba7>] mmc_rescan+0x54a/0x640 [mmc_core]
Fixes: 3d10a1ba0d37 ("sdio: fix reference counting in sdio_remove_func()")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230130125808.3471254-1-yangyingliang@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/sdio_bus.c | 17 ++++++++++++++---
drivers/mmc/core/sdio_cis.c | 12 ------------
2 files changed, 14 insertions(+), 15 deletions(-)
--- a/drivers/mmc/core/sdio_bus.c
+++ b/drivers/mmc/core/sdio_bus.c
@@ -267,6 +267,12 @@ static void sdio_release_func(struct dev
if (!(func->card->quirks & MMC_QUIRK_NONSTD_SDIO))
sdio_free_func_cis(func);
+ /*
+ * We have now removed the link to the tuples in the
+ * card structure, so remove the reference.
+ */
+ put_device(&func->card->dev);
+
kfree(func->info);
kfree(func->tmpbuf);
kfree(func);
@@ -297,6 +303,12 @@ struct sdio_func *sdio_alloc_func(struct
device_initialize(&func->dev);
+ /*
+ * We may link to tuples in the card structure,
+ * we need make sure we have a reference to it.
+ */
+ get_device(&func->card->dev);
+
func->dev.parent = &card->dev;
func->dev.bus = &sdio_bus_type;
func->dev.release = sdio_release_func;
@@ -350,10 +362,9 @@ int sdio_add_func(struct sdio_func *func
*/
void sdio_remove_func(struct sdio_func *func)
{
- if (!sdio_func_present(func))
- return;
+ if (sdio_func_present(func))
+ device_del(&func->dev);
- device_del(&func->dev);
of_node_put(func->dev.of_node);
put_device(&func->dev);
}
--- a/drivers/mmc/core/sdio_cis.c
+++ b/drivers/mmc/core/sdio_cis.c
@@ -388,12 +388,6 @@ int sdio_read_func_cis(struct sdio_func
return ret;
/*
- * Since we've linked to tuples in the card structure,
- * we must make sure we have a reference to it.
- */
- get_device(&func->card->dev);
-
- /*
* Vendor/device id is optional for function CIS, so
* copy it from the card structure as needed.
*/
@@ -418,11 +412,5 @@ void sdio_free_func_cis(struct sdio_func
}
func->tuples = NULL;
-
- /*
- * We have now removed the link to the tuples in the
- * card structure, so remove the reference.
- */
- put_device(&func->card->dev);
}
next prev parent reply other threads:[~2023-02-20 13:39 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-20 13:35 [PATCH 4.14 00/53] 4.14.306-rc1 review Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 01/53] firewire: fix memory leak for payload of request subaction to IEC 61883-1 FCP region Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 02/53] bus: sunxi-rsb: Fix error handling in sunxi_rsb_init() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 03/53] ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 04/53] netrom: Fix use-after-free caused by accept on already connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 05/53] squashfs: harden sanity check in squashfs_read_xattr_id_table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 06/53] sctp: do not check hb_timer.expires when resetting hb_timer Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 07/53] net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 08/53] scsi: target: core: Fix warning on RT kernels Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 09/53] scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 10/53] net/x25: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 11/53] usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 12/53] fbcon: Check font dimension limits Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 13/53] watchdog: diag288_wdt: do not use stack buffers for hardware data Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 14/53] watchdog: diag288_wdt: fix __diag288() inline assembly Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 15/53] efi: Accept version 2 of memory attributes table Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 16/53] iio: hid: fix the retval in accel_3d_capture_sample Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 17/53] iio: adc: berlin2-adc: Add missing of_node_put() in error path Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 18/53] iio:adc:twl6030: Enable measurements of VUSB, VBAT and others Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 19/53] parisc: Fix return code of pdc_iodc_print() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 20/53] parisc: Wire up PTRACE_GETREGS/PTRACE_SETREGS for compat case Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 21/53] mm: hugetlb: proc: check for hugetlb shared PMD in /proc/PID/smaps Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 22/53] mm/swapfile: add cond_resched() in get_swap_pages() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 23/53] Squashfs: fix handling and sanity checking of xattr_ids count Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 24/53] serial: 8250_dma: Fix DMA Rx completion race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 25/53] serial: 8250_dma: Fix DMA Rx rearm race Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 26/53] btrfs: limit device extents to the device size Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 27/53] ALSA: emux: Avoid potential array out-of-bound in snd_emux_xg_control() Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 28/53] ALSA: pci: lx6464es: fix a debug loop Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 29/53] pinctrl: aspeed: Fix confusing types in return value Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 30/53] pinctrl: single: fix potential NULL dereference Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 31/53] net: USB: Fix wrong-direction WARNING in plusb.c Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 32/53] usb: core: add quirk for Alcor Link AK9563 smartcard reader Greg Kroah-Hartman
2023-02-20 13:35 ` [PATCH 4.14 33/53] migrate: hugetlb: check for hugetlb shared PMD in node migration Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 34/53] tools/virtio: fix the vringh test for virtio ring changes Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 35/53] net/rose: Fix to not accept on connected socket Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 36/53] nvme-fc: fix a missing queue put in nvmet_fc_ls_create_association Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 37/53] aio: fix mremap after fork null-deref Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 38/53] Revert "x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN" Greg Kroah-Hartman
2023-02-20 13:36 ` Greg Kroah-Hartman [this message]
2023-02-20 13:36 ` [PATCH 4.14 40/53] ALSA: hda/conexant: add a new hda codec SN6180 Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 41/53] hugetlb: check for undefined shift on 32 bit architectures Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 42/53] revert "squashfs: harden sanity check in squashfs_read_xattr_id_table" Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 43/53] i40e: add double of VLAN header when computing the max MTU Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 44/53] net: bgmac: fix BCM5358 support by setting correct flags Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 45/53] dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 46/53] net/usb: kalmia: Dont pass act_len in usb_bulk_msg error path Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 47/53] net: stmmac: Restrict warning on disabling DMA store and fwd mode Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 48/53] net: mpls: fix stale pointer if allocation fails during device rename Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 49/53] ipv6: Fix datagram socket connection with DSCP Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 50/53] ipv6: Fix tcp " Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 51/53] i40e: Add checking for null for nlmsg_find_attr() Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 52/53] kvm: initialize all of the kvm_debugregs structure before sending it to userspace Greg Kroah-Hartman
2023-02-20 13:36 ` [PATCH 4.14 53/53] nilfs2: fix underflow in second superblock position calculations Greg Kroah-Hartman
2023-02-21 12:41 ` [PATCH 4.14 00/53] 4.14.306-rc1 review Naresh Kamboju
2023-02-21 14:20 ` Jon Hunter
2023-02-21 16:19 ` Guenter Roeck
2023-02-23 2:55 ` Slade Watkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230220133549.563145145@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=ulf.hansson@linaro.org \
--cc=yangyingliang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.