* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-22 3:30 [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc() Zheng Qixing
@ 2024-08-22 3:37 ` Yu Kuai
2024-08-23 1:10 ` Damien Le Moal
2024-08-23 10:12 ` Niklas Cassel
2 siblings, 0 replies; 7+ messages in thread
From: Yu Kuai @ 2024-08-22 3:37 UTC (permalink / raw)
To: Zheng Qixing, dlemoal, cassel
Cc: linux-ide, linux-kernel, yi.zhang, yangerkun, zhengqixing,
yukuai (C)
在 2024/08/22 11:30, Zheng Qixing 写道:
> From: Zheng Qixing <zhengqixing@huawei.com>
>
> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
> for a port, the allocated 'host' structure is not freed before returning
> from the function. This results in a potential memory leak.
>
> This patch adds a kfree(host) before the error handling code is executed
> to ensure that the 'host' structure is properly freed in case of an
> allocation failure.
>
> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
LGTM
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Thanks.
> ---
> Changes in v2:
> - error path is wrong in v1
>
> drivers/ata/libata-core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e4023fc288ac..f27a18990c38 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
> }
>
> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
> - if (!dr)
> + if (!dr) {
> + kfree(host);
> goto err_out;
> + }
>
> devres_add(dev, dr);
> dev_set_drvdata(dev, host);
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-22 3:30 [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc() Zheng Qixing
2024-08-22 3:37 ` Yu Kuai
@ 2024-08-23 1:10 ` Damien Le Moal
2024-08-26 2:49 ` Zheng Qixing
2024-08-23 10:12 ` Niklas Cassel
2 siblings, 1 reply; 7+ messages in thread
From: Damien Le Moal @ 2024-08-23 1:10 UTC (permalink / raw)
To: Zheng Qixing, cassel
Cc: linux-ide, linux-kernel, yukuai3, yi.zhang, yangerkun,
zhengqixing
On 8/22/24 12:30 PM, Zheng Qixing wrote:
> From: Zheng Qixing <zhengqixing@huawei.com>
>
> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
> for a port, the allocated 'host' structure is not freed before returning
> from the function. This results in a potential memory leak.
>
> This patch adds a kfree(host) before the error handling code is executed
> to ensure that the 'host' structure is properly freed in case of an
> allocation failure.
>
> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
This needs a Fixes tag. So I added:
Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
Cc: stable@vger.kernel.org>
and applied to for-6.11-fixes. Thanks.
> ---
> Changes in v2:
> - error path is wrong in v1
>
> drivers/ata/libata-core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e4023fc288ac..f27a18990c38 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
> }
>
> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
> - if (!dr)
> + if (!dr) {
> + kfree(host);
> goto err_out;
> + }
>
> devres_add(dev, dr);
> dev_set_drvdata(dev, host);
--
Damien Le Moal
Western Digital Research
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-23 1:10 ` Damien Le Moal
@ 2024-08-26 2:49 ` Zheng Qixing
2024-08-26 4:02 ` Damien Le Moal
0 siblings, 1 reply; 7+ messages in thread
From: Zheng Qixing @ 2024-08-26 2:49 UTC (permalink / raw)
To: Damien Le Moal, Zheng Qixing, cassel
Cc: linux-ide, linux-kernel, yukuai3, yi.zhang, yangerkun
在 2024/8/23 9:10, Damien Le Moal 写道:
> On 8/22/24 12:30 PM, Zheng Qixing wrote:
>> From: Zheng Qixing <zhengqixing@huawei.com>
>>
>> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
>> for a port, the allocated 'host' structure is not freed before returning
>> from the function. This results in a potential memory leak.
>>
>> This patch adds a kfree(host) before the error handling code is executed
>> to ensure that the 'host' structure is properly freed in case of an
>> allocation failure.
>>
>> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
> This needs a Fixes tag. So I added:
>
> Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
> Cc: stable@vger.kernel.org>
>
> and applied to for-6.11-fixes. Thanks.
Based on Niklas Cassel's suggestion, the commit message and the actual
content of the patch do not match.
It should state "if devres_alloc(ata_devres_release, 0, GFP_KERNEL)
fails to allocate memory" instead of "if ata_port_alloc(host) fails to
allocate
memory for a port".
Should I modify the commit message and submit a new version of the patch?
Zheng Qixing
>> ---
>> Changes in v2:
>> - error path is wrong in v1
>>
>> drivers/ata/libata-core.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
>> index e4023fc288ac..f27a18990c38 100644
>> --- a/drivers/ata/libata-core.c
>> +++ b/drivers/ata/libata-core.c
>> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
>> }
>>
>> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
>> - if (!dr)
>> + if (!dr) {
>> + kfree(host);
>> goto err_out;
>> + }
>>
>> devres_add(dev, dr);
>> dev_set_drvdata(dev, host);
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-26 2:49 ` Zheng Qixing
@ 2024-08-26 4:02 ` Damien Le Moal
2024-08-27 1:46 ` Zheng Qixing
0 siblings, 1 reply; 7+ messages in thread
From: Damien Le Moal @ 2024-08-26 4:02 UTC (permalink / raw)
To: Zheng Qixing, cassel
Cc: linux-ide, linux-kernel, yukuai3, yi.zhang, yangerkun
On 8/26/24 11:49 AM, Zheng Qixing wrote:
>
> 在 2024/8/23 9:10, Damien Le Moal 写道:
>> On 8/22/24 12:30 PM, Zheng Qixing wrote:
>>> From: Zheng Qixing <zhengqixing@huawei.com>
>>>
>>> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
>>> for a port, the allocated 'host' structure is not freed before returning
>>> from the function. This results in a potential memory leak.
>>>
>>> This patch adds a kfree(host) before the error handling code is executed
>>> to ensure that the 'host' structure is properly freed in case of an
>>> allocation failure.
>>>
>>> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
>> This needs a Fixes tag. So I added:
>>
>> Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
>> Cc: stable@vger.kernel.org>
>>
>> and applied to for-6.11-fixes. Thanks.
>
>
> Based on Niklas Cassel's suggestion, the commit message and the actual
> content of the patch do not match.
>
> It should state "if devres_alloc(ata_devres_release, 0, GFP_KERNEL)
> fails to allocate memory" instead of "if ata_port_alloc(host) fails to allocate
> memory for a port".
>
> Should I modify the commit message and submit a new version of the patch?
No need. I fixed it up. The commit message now is:
ata: libata: Fix memory leak for error path in ata_host_alloc()
In ata_host_alloc(), if devres_alloc() fails to allocate the device host
resource data pointer, the already allocated ata_host structure is not
freed before returning from the function. This results in a potential
memory leak.
Call kfree(host) before jumping to the error handling path to ensure
that the ata_host structure is properly freed if devres_alloc() fails.
>
>
> Zheng Qixing
>
>
>>> ---
>>> Changes in v2:
>>> - error path is wrong in v1
>>>
>>> drivers/ata/libata-core.c | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
>>> index e4023fc288ac..f27a18990c38 100644
>>> --- a/drivers/ata/libata-core.c
>>> +++ b/drivers/ata/libata-core.c
>>> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev,
>>> int n_ports)
>>> }
>>> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
>>> - if (!dr)
>>> + if (!dr) {
>>> + kfree(host);
>>> goto err_out;
>>> + }
>>> devres_add(dev, dr);
>>> dev_set_drvdata(dev, host);
>
>
--
Damien Le Moal
Western Digital Research
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-26 4:02 ` Damien Le Moal
@ 2024-08-27 1:46 ` Zheng Qixing
0 siblings, 0 replies; 7+ messages in thread
From: Zheng Qixing @ 2024-08-27 1:46 UTC (permalink / raw)
To: Damien Le Moal, cassel
Cc: linux-ide, linux-kernel, yukuai3, yi.zhang, yangerkun
在 2024/8/26 12:02, Damien Le Moal 写道:
> On 8/26/24 11:49 AM, Zheng Qixing wrote:
>> 在 2024/8/23 9:10, Damien Le Moal 写道:
>>> On 8/22/24 12:30 PM, Zheng Qixing wrote:
>>>> From: Zheng Qixing <zhengqixing@huawei.com>
>>>>
>>>> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
>>>> for a port, the allocated 'host' structure is not freed before returning
>>>> from the function. This results in a potential memory leak.
>>>>
>>>> This patch adds a kfree(host) before the error handling code is executed
>>>> to ensure that the 'host' structure is properly freed in case of an
>>>> allocation failure.
>>>>
>>>> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
>>> This needs a Fixes tag. So I added:
>>>
>>> Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
>>> Cc: stable@vger.kernel.org>
>>>
>>> and applied to for-6.11-fixes. Thanks.
>>
>> Based on Niklas Cassel's suggestion, the commit message and the actual
>> content of the patch do not match.
>>
>> It should state "if devres_alloc(ata_devres_release, 0, GFP_KERNEL)
>> fails to allocate memory" instead of "if ata_port_alloc(host) fails to allocate
>> memory for a port".
>>
>> Should I modify the commit message and submit a new version of the patch?
> No need. I fixed it up. The commit message now is:
>
> ata: libata: Fix memory leak for error path in ata_host_alloc()
>
> In ata_host_alloc(), if devres_alloc() fails to allocate the device host
> resource data pointer, the already allocated ata_host structure is not
> freed before returning from the function. This results in a potential
> memory leak.
>
> Call kfree(host) before jumping to the error handling path to ensure
> that the ata_host structure is properly freed if devres_alloc() fails.
Thanks. :)
Zheng Qixing
>
>>
>> Zheng Qixing
>>
>>
>>>> ---
>>>> Changes in v2:
>>>> - error path is wrong in v1
>>>>
>>>> drivers/ata/libata-core.c | 4 +++-
>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
>>>> index e4023fc288ac..f27a18990c38 100644
>>>> --- a/drivers/ata/libata-core.c
>>>> +++ b/drivers/ata/libata-core.c
>>>> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev,
>>>> int n_ports)
>>>> }
>>>> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
>>>> - if (!dr)
>>>> + if (!dr) {
>>>> + kfree(host);
>>>> goto err_out;
>>>> + }
>>>> devres_add(dev, dr);
>>>> dev_set_drvdata(dev, host);
>>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc()
2024-08-22 3:30 [PATCH v2] ata: libata: Fix memory leak for error path in ata_host_alloc() Zheng Qixing
2024-08-22 3:37 ` Yu Kuai
2024-08-23 1:10 ` Damien Le Moal
@ 2024-08-23 10:12 ` Niklas Cassel
2 siblings, 0 replies; 7+ messages in thread
From: Niklas Cassel @ 2024-08-23 10:12 UTC (permalink / raw)
To: Zheng Qixing
Cc: dlemoal, linux-ide, linux-kernel, yukuai3, yi.zhang, yangerkun,
zhengqixing
On Thu, Aug 22, 2024 at 11:30:50AM +0800, Zheng Qixing wrote:
> From: Zheng Qixing <zhengqixing@huawei.com>
>
> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
> for a port, the allocated 'host' structure is not freed before returning
> from the function. This results in a potential memory leak.
This sentence is wrong.
If ata_port_alloc() fails, we must have already called
devres_alloc(ata_devres_release, ...);
which means that when:
ap = ata_port_alloc(host);
if (!ap)
goto err_out;
...
err_out:
devres_release_group(dev, NULL);
return NULL;
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host).
So we will not leak "host" if ata_port_alloc() fails.
>
> This patch adds a kfree(host) before the error handling code is executed
> to ensure that the 'host' structure is properly freed in case of an
> allocation failure.
>
> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
> ---
> Changes in v2:
> - error path is wrong in v1
>
> drivers/ata/libata-core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e4023fc288ac..f27a18990c38 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
> }
>
> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
> - if (!dr)
> + if (!dr) {
> + kfree(host);
> goto err_out;
This code does free "host" if devres_alloc() fails, which looks correct,
as "host" will currently be leaked if devres_alloc() fails.
However, that is not what the commit log above claims :P
Please update the commit message to reflect reality.
Kind regards,
Niklas
^ permalink raw reply [flat|nested] 7+ messages in thread