public inbox for linux-media@vger.kernel.org
From: Malcolm Priestley <tvboxspy@gmail.com>
To: Jesper Juhl <jj@chaosbits.net>
Cc: linux-media@vger.kernel.org, linux-kernel@vger.kernel.org,
	Mauro Carvalho Chehab <mchehab@infradead.org>
Subject: Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()).
Date: Fri, 31 Dec 2010 18:33:55 +0000
Message-ID: <1293820435.29966.59.camel@tvboxspy>
In-Reply-To: <alpine.LNX.2.00.1012311541430.16655@swampdragon.chaosbits.net>

On Fri, 2010-12-31 at 15:51 +0100, Jesper Juhl wrote:
> On Fri, 31 Dec 2010, Malcolm Priestley wrote:
> 
> > On Fri, 2010-12-31 at 00:11 +0100, Jesper Juhl wrote:
> > > Hi,
> > > 
> > > We may leak the storage allocated to 'state' in 
> > > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error.
> > > This patch makes sure we free the allocated memory in the failure case.
> > > 
> > > 
> > > Signed-off-by: Jesper Juhl <jj@chaosbits.net>
> > > ---
> > >  ix2505v.c |    1 +
> > >  1 file changed, 1 insertion(+)
> > > 
> > >   Compile tested only.
> > > 
> > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c
> > > index 55f2eba..fcb173d 100644
> > > --- a/drivers/media/dvb/frontends/ix2505v.c
> > > +++ b/drivers/media/dvb/frontends/ix2505v.c
> > > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe,
> > >  		ret = ix2505v_read_status_reg(state);
> > >  
> > >  		if (ret & 0x80) {
> > > +			kfree(state);
> > >  			deb_i2c("%s: No IX2505V found\n", __func__);
> > >  			goto error;
> > >  		}
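Review bot: the kfree(state) placed inside the `if (ret & 0x80)` branch is followed by `goto error`, and the error label calls ix2505v_release(fe), which does its own kfree() on fe->tuner_priv, so cleanup for this one exit is now split across two places. It is correct only as long as fe->tuner_priv does not point at state when the probe fails; if that assignment is ever moved above the probe, this line turns into a double free. Consider keeping the cleanup in one place at the error label, either by freeing state there instead of calling ix2505v_release(fe), or by assigning fe->tuner_priv = state before the probe so that ix2505v_release() owns the allocation. The changelog should also say that state is not yet stored in fe->tuner_priv on this path, since that is the reason the existing release call does not free it.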
> > > 
> > Memory is freed in... 
> > 
> > error:
> > 	ix2505v_release(fe);
> > 	return NULL;
> > 
> > via...
> > 
> > static int ix2505v_release(struct dvb_frontend *fe)
> > {
> > 	struct ix2505v_state *state = fe->tuner_priv;
> > 
> > 	fe->tuner_priv = NULL;
> > 	kfree(state);
> > 
> > 	return 0;
> > }
> > 
> 
> Except that 'state' has not been assigned to fe->tuner_priv at this 
> point, so ix2505v_release() cannot free the memory that was just 
> allocated with kzalloc().
> 
> 
>   state is a local variable:
>   		struct ix2505v_state *state = NULL;
> 		...
> 
>   we allocate memory and assign it to 'state' here:
>   		state = kzalloc(sizeof(struct ix2505v_state), GFP_KERNEL);
>   		if (NULL == state)
>   			return NULL;
>   	
>   		state->config = config;
>   		state->i2c = i2c;
>   	
>   here 'state' is used, but not in a way that saves it anywhere:
>   		if (state->config->tuner_write_only) {
>   			if (fe->ops.i2c_gate_ctrl)
>   				fe->ops.i2c_gate_ctrl(fe, 1);
>   	
>   this function call involves 'state' but it does not save it anywhere
>   either:
>   			ret = ix2505v_read_status_reg(state);
>   	
>   			if (ret & 0x80) {
>   				deb_i2c("%s: No IX2505V found\n", __func__);
>   so when we jump to error here 'state' still exists only as the local
>   variable, it has not been assigned to anything else.
>   				goto error;
>   			}
>   		...
>   	error:
>   there is no way this function call can free 'state' on this path since
>   it has not been assigned to fe->tuner_priv. 
>   		ix2505v_release(fe);
>   The local variable state goes out of scope here and leaks the memory it
>   points to:
>   		return NULL;
>   	}
> 
> Am I missing something?

Oh, sorry, I see it now.

Now there are two options.

Either:

1) Move fe->tuner_priv = state to below line 287, so it can be released
by ix2505v_release and fe->tuner_priv returned to NULL;

2) or not calling ix2505v_release, changing line 314 to kfree(state).
fe->tuner_priv will remain NULL throughout.

Currently, tuner_write_only is not implemented in the dvb-usb-lmedm04
driver, as sometimes it returned unpredictable results, and wrongly
failed to attach the tuner. Although, I will test it again.

Regards


Malcolm
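
The leak and the two fixes discussed in this thread, as an added user-space example that is not part of the original message or of the kernel source. zalloc(), xfree(), release(), attach(), leaked() and the variant enum are hypothetical stand-ins for kzalloc(), kfree(), ix2505v_release() and ix2505v_attach(); a counter tracks allocations that were never freed.

```c
#include <stdio.h>
#include <stdlib.h>
/* User-space model: names follow the thread, bodies are constructed. */
struct state { int unused; };
struct frontend { struct state *tuner_priv; };
enum variant { ORIGINAL, OPTION1, OPTION2 };
static int live;	/* allocations not yet freed */

static void *zalloc(size_t n) { void *p = calloc(1, n); if (p) live++; return p; }
static void xfree(void *p) { if (p) live--; free(p); }

/* Same shape as ix2505v_release(): frees only what fe->tuner_priv holds. */
static void release(struct frontend *fe)
{
	struct state *state = fe->tuner_priv;
	fe->tuner_priv = NULL;
	xfree(state);
}

/* ret models the status register value; bit 0x80 set means "not found". */
static struct frontend *attach(struct frontend *fe, enum variant v, int ret)
{
	struct state *state = zalloc(sizeof(*state));
	if (!state)
		return NULL;
	if (v == OPTION1)
		fe->tuner_priv = state;	/* option 1: fe owns it before the probe */
	if (ret & 0x80)
		goto error;
	fe->tuner_priv = state;
	return fe;
error:
	if (v == OPTION2)
		xfree(state);		/* option 2: free the local directly */
	else
		release(fe);		/* ORIGINAL: tuner_priv is still NULL */
	return NULL;
}

/* Allocations still live after one attach whose probe fails. */
static int leaked(enum variant v)
{
	struct frontend fe = { NULL };
	live = 0;
	attach(&fe, v, 0x80);
	return live;
}
int main(void)
{
	printf("%d %d %d\n", leaked(ORIGINAL), leaked(OPTION1), leaked(OPTION2));
	return 0;
}
```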

