[PATCH] Input: edt-ft5x06 - fix memleak when rmmod edt_ft5x06

[PATCH] Input: edt-ft5x06 - fix memleak when rmmod edt_ft5x06

[Li Zetao]

When insmod and rmmod the edt_ft5x06 driver, kmemleak reported a
memory leak issue:
  $ modprobe edt-ft5x06
    edt_ft5x06 0-0004: touchscreen probe failed
  $ modprobe -r edt-ft5x06

  unreferenced object 0xffff88810b38c8a0 (size 8):
    comm "modprobe", pid 23672, jiffies 4295355205
    hex dump (first 8 bytes):
      93 00 00 00 00 00 00 00                          ........
    backtrace (crc a10fb312):
      [<ffffffff81e12f70>] __kmalloc_noprof+0x2f0/0x3d0
      [<ffffffff8368c3b6>] __regmap_init+0x2d26/0x4810
      [<ffffffffc06b4875>] __regmap_init_i2c+0x65/0x80 [regmap_i2c]
      [<ffffffffc07108a6>] edt_ft5x06_ts_probe+0xd6/0x3410 [edt_ft5x06]
      [<ffffffff83bd85d1>] i2c_device_probe+0x3c1/0x8b0
	...

This is caused by not releasing the tsdata->regmap resource in time on
the probe failure path. By adding the err_regmap_exit label, execute
regmap_exit on the error path to release map resources. However, it
should be noted that during the ts identify stage, regmap_exit may be
performed first and then regmap may be reinitialized, so when
edt_ft5x06_ts_identify() returns an error, it need to check whether the
regmap initialization failed.

Fixes: 9dfd9708ffba ("Input: edt-ft5x06 - convert to use regmap API")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
---
 drivers/input/touchscreen/edt-ft5x06.c | 40 ++++++++++++++++----------
 1 file changed, 25 insertions(+), 15 deletions(-)

diff --git a/drivers/input/touchscreen/edt-ft5x06.c b/drivers/input/touchscreen/edt-ft5x06.c
index fda49b2fe088..c2004f6e2317 100644
--- a/drivers/input/touchscreen/edt-ft5x06.c
+++ b/drivers/input/touchscreen/edt-ft5x06.c
@@ -1159,15 +1159,18 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 		chip_data = (const struct edt_i2c_chip_data *)id->driver_data;
 	if (!chip_data || !chip_data->max_support_points) {
 		dev_err(&client->dev, "invalid or missing chip data\n");
-		return -EINVAL;
+		error = -EINVAL;
+		goto err_regmap_exit;
 	}
 
 	tsdata->max_support_points = chip_data->max_support_points;
 
 	tsdata->vcc = devm_regulator_get(&client->dev, "vcc");
-	if (IS_ERR(tsdata->vcc))
-		return dev_err_probe(&client->dev, PTR_ERR(tsdata->vcc),
-				     "failed to request regulator\n");
+	if (IS_ERR(tsdata->vcc)) {
+		error = dev_err_probe(&client->dev, PTR_ERR(tsdata->vcc),
+				      "failed to request regulator\n");
+		goto err_regmap_exit;
+	}
 
 	tsdata->iovcc = devm_regulator_get(&client->dev, "iovcc");
 	if (IS_ERR(tsdata->iovcc)) {
@@ -1175,13 +1178,13 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 		if (error != -EPROBE_DEFER)
 			dev_err(&client->dev,
 				"failed to request iovcc regulator: %d\n", error);
-		return error;
+		goto err_regmap_exit;
 	}
 
 	error = regulator_enable(tsdata->iovcc);
 	if (error < 0) {
 		dev_err(&client->dev, "failed to enable iovcc: %d\n", error);
-		return error;
+		goto err_regmap_exit;
 	}
 
 	/* Delay enabling VCC for > 10us (T_ivd) after IOVCC */
@@ -1191,14 +1194,14 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 	if (error < 0) {
 		dev_err(&client->dev, "failed to enable vcc: %d\n", error);
 		regulator_disable(tsdata->iovcc);
-		return error;
+		goto err_regmap_exit;
 	}
 
 	error = devm_add_action_or_reset(&client->dev,
 					 edt_ft5x06_disable_regulators,
 					 tsdata);
 	if (error)
-		return error;
+		goto err_regmap_exit;
 
 	tsdata->reset_gpio = devm_gpiod_get_optional(&client->dev,
 						     "reset", GPIOD_OUT_HIGH);
@@ -1206,7 +1209,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 		error = PTR_ERR(tsdata->reset_gpio);
 		dev_err(&client->dev,
 			"Failed to request GPIO reset pin, error %d\n", error);
-		return error;
+		goto err_regmap_exit;
 	}
 
 	tsdata->wake_gpio = devm_gpiod_get_optional(&client->dev,
@@ -1215,7 +1218,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 		error = PTR_ERR(tsdata->wake_gpio);
 		dev_err(&client->dev,
 			"Failed to request GPIO wake pin, error %d\n", error);
-		return error;
+		goto err_regmap_exit;
 	}
 
 	/*
@@ -1246,7 +1249,8 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 	input = devm_input_allocate_device(&client->dev);
 	if (!input) {
 		dev_err(&client->dev, "failed to allocate input device.\n");
-		return -ENOMEM;
+		error = -ENOMEM;
+		goto err_regmap_exit;
 	}
 
 	mutex_init(&tsdata->mutex);
@@ -1258,7 +1262,9 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 	error = edt_ft5x06_ts_identify(client, tsdata);
 	if (error) {
 		dev_err(&client->dev, "touchscreen probe failed\n");
-		return error;
+		if (IS_ERR(tsdata->regmap))
+			return error;
+		goto err_regmap_exit;
 	}
 
 	/*
@@ -1311,7 +1317,7 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 				    INPUT_MT_DIRECT);
 	if (error) {
 		dev_err(&client->dev, "Unable to init MT slots.\n");
-		return error;
+		goto err_regmap_exit;
 	}
 
 	irq_flags = irq_get_trigger_type(client->irq);
@@ -1324,12 +1330,12 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 					  client->name, tsdata);
 	if (error) {
 		dev_err(&client->dev, "Unable to request touchscreen IRQ.\n");
-		return error;
+		goto err_regmap_exit;
 	}
 
 	error = input_register_device(input);
 	if (error)
-		return error;
+		goto err_regmap_exit;
 
 	edt_ft5x06_ts_prepare_debugfs(tsdata, dev_driver_string(&client->dev));
 
@@ -1340,6 +1346,10 @@ static int edt_ft5x06_ts_probe(struct i2c_client *client)
 		tsdata->reset_gpio ? desc_to_gpio(tsdata->reset_gpio) : -1);
 
 	return 0;
+
+err_regmap_exit:
+	regmap_exit(tsdata->regmap);
+	return error;
 }
 
 static void edt_ft5x06_ts_remove(struct i2c_client *client)
-- 
2.34.1

Re: [PATCH] Input: edt-ft5x06 - fix memleak when rmmod edt_ft5x06

[Oliver Graute]

On 10/10/24, Li Zetao wrote:
> When insmod and rmmod the edt_ft5x06 driver, kmemleak reported a
> memory leak issue:
>   $ modprobe edt-ft5x06
>     edt_ft5x06 0-0004: touchscreen probe failed
>   $ modprobe -r edt-ft5x06
> 
>   unreferenced object 0xffff88810b38c8a0 (size 8):
>     comm "modprobe", pid 23672, jiffies 4295355205
>     hex dump (first 8 bytes):
>       93 00 00 00 00 00 00 00                          ........
>     backtrace (crc a10fb312):
>       [<ffffffff81e12f70>] __kmalloc_noprof+0x2f0/0x3d0
>       [<ffffffff8368c3b6>] __regmap_init+0x2d26/0x4810
>       [<ffffffffc06b4875>] __regmap_init_i2c+0x65/0x80 [regmap_i2c]
>       [<ffffffffc07108a6>] edt_ft5x06_ts_probe+0xd6/0x3410 [edt_ft5x06]
>       [<ffffffff83bd85d1>] i2c_device_probe+0x3c1/0x8b0
> 	...
> 
> This is caused by not releasing the tsdata->regmap resource in time on
> the probe failure path. By adding the err_regmap_exit label, execute
> regmap_exit on the error path to release map resources. However, it
> should be noted that during the ts identify stage, regmap_exit may be
> performed first and then regmap may be reinitialized, so when
> edt_ft5x06_ts_identify() returns an error, it need to check whether the
> regmap initialization failed.
> 
> Fixes: 9dfd9708ffba ("Input: edt-ft5x06 - convert to use regmap API")
> Signed-off-by: Li Zetao <lizetao1@huawei.com>

Reviewed-by: Oliver Graute <oliver.graute@kococonnector.com>

Re: [PATCH] Input: edt-ft5x06 - fix memleak when rmmod edt_ft5x06

[Dmitry Torokhov]

On Fri, Oct 11, 2024 at 03:08:06PM +0200, Oliver Graute wrote:
> On 10/10/24, Li Zetao wrote:
> > When insmod and rmmod the edt_ft5x06 driver, kmemleak reported a
> > memory leak issue:
> >   $ modprobe edt-ft5x06
> >     edt_ft5x06 0-0004: touchscreen probe failed
> >   $ modprobe -r edt-ft5x06
> > 
> >   unreferenced object 0xffff88810b38c8a0 (size 8):
> >     comm "modprobe", pid 23672, jiffies 4295355205
> >     hex dump (first 8 bytes):
> >       93 00 00 00 00 00 00 00                          ........
> >     backtrace (crc a10fb312):
> >       [<ffffffff81e12f70>] __kmalloc_noprof+0x2f0/0x3d0
> >       [<ffffffff8368c3b6>] __regmap_init+0x2d26/0x4810
> >       [<ffffffffc06b4875>] __regmap_init_i2c+0x65/0x80 [regmap_i2c]
> >       [<ffffffffc07108a6>] edt_ft5x06_ts_probe+0xd6/0x3410 [edt_ft5x06]
> >       [<ffffffff83bd85d1>] i2c_device_probe+0x3c1/0x8b0
> > 	...
> > 
> > This is caused by not releasing the tsdata->regmap resource in time on
> > the probe failure path. By adding the err_regmap_exit label, execute
> > regmap_exit on the error path to release map resources. However, it
> > should be noted that during the ts identify stage, regmap_exit may be
> > performed first and then regmap may be reinitialized, so when
> > edt_ft5x06_ts_identify() returns an error, it need to check whether the
> > regmap initialization failed.
> > 
> > Fixes: 9dfd9708ffba ("Input: edt-ft5x06 - convert to use regmap API")
> > Signed-off-by: Li Zetao <lizetao1@huawei.com>
> 
> Reviewed-by: Oliver Graute <oliver.graute@kococonnector.com>

No, this is not the right way to fix the issue. The rest of the driver
uses managed resources, which means that regmap in error path will be
freed too early, which may cause issues.

We have same issue in driver's remove() path as well.

I CCed you on a patch that uses devm to release regmap which will make
sure all resources are released in the right order.

Thanks.

-- 
Dmitry