* [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()).
@ 2010-12-30 23:11 Jesper Juhl
2010-12-31 10:30 ` Mauro Carvalho Chehab
[not found] ` <1293758374.10326.7.camel@tvboxspy>
0 siblings, 2 replies; 6+ messages in thread
From: Jesper Juhl @ 2010-12-30 23:11 UTC
To: linux-media; +Cc: linux-kernel, Mauro Carvalho Chehab, Malcolm Priestley
Hi,
We may leak the storage allocated to 'state' in
drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error.
This patch makes sure we free the allocated memory in the failure case.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
ix2505v.c | 1 +
1 file changed, 1 insertion(+)
Compile tested only.
diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c
index 55f2eba..fcb173d 100644
--- a/drivers/media/dvb/frontends/ix2505v.c
+++ b/drivers/media/dvb/frontends/ix2505v.c
@@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe,
ret = ix2505v_read_status_reg(state);
if (ret & 0x80) {
+ kfree(state);
deb_i2c("%s: No IX2505V found\n", __func__);
goto error;
}
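Review bot: the kfree(state) added inside the `if (ret & 0x80)` branch sits directly ahead of `goto error`, so cleanup is now split between the branch and the error label. Any failure path added later that jumps to error needs its own free, and if the label ever frees state as well this turns into a double free. Move the free to the error: label so there is one release point, and have the changelog say why the label does not already release state on this path.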
--
Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()). 2010-12-30 23:11 [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()) Jesper Juhl @ 2010-12-31 10:30 ` Mauro Carvalho Chehab 2010-12-31 12:21 ` Malcolm Priestley [not found] ` <1293758374.10326.7.camel@tvboxspy> 1 sibling, 1 reply; 6+ messages in thread From: Mauro Carvalho Chehab @ 2010-12-31 10:30 UTC (permalink / raw) To: Jesper Juhl; +Cc: linux-media, linux-kernel, Malcolm Priestley Em 30-12-2010 21:11, Jesper Juhl escreveu: > Hi, > > We may leak the storage allocated to 'state' in > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error. > This patch makes sure we free the allocated memory in the failure case. > > > Signed-off-by: Jesper Juhl <jj@chaosbits.net> > --- > ix2505v.c | 1 + > 1 file changed, 1 insertion(+) > > Compile tested only. > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c > index 55f2eba..fcb173d 100644 > --- a/drivers/media/dvb/frontends/ix2505v.c > +++ b/drivers/media/dvb/frontends/ix2505v.c > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, > ret = ix2505v_read_status_reg(state); > > if (ret & 0x80) { > + kfree(state); Instead of doing the free here, please move it to happen at the error: logic. Currently, there's just one error condition, but having part of the release/kfree logic here and there is not a good idea. > deb_i2c("%s: No IX2505V found\n", __func__); > goto error; > } > > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()). 2010-12-31 10:30 ` Mauro Carvalho Chehab @ 2010-12-31 12:21 ` Malcolm Priestley 0 siblings, 0 replies; 6+ messages in thread From: Malcolm Priestley @ 2010-12-31 12:21 UTC (permalink / raw) To: Mauro Carvalho Chehab; +Cc: Jesper Juhl, linux-media, linux-kernel On Fri, 2010-12-31 at 08:30 -0200, Mauro Carvalho Chehab wrote: > Em 30-12-2010 21:11, Jesper Juhl escreveu: > > Hi, > > > > We may leak the storage allocated to 'state' in > > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error. > > This patch makes sure we free the allocated memory in the failure case. > > > > > > Signed-off-by: Jesper Juhl <jj@chaosbits.net> > > --- > > ix2505v.c | 1 + > > 1 file changed, 1 insertion(+) > > > > Compile tested only. > > > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c > > index 55f2eba..fcb173d 100644 > > --- a/drivers/media/dvb/frontends/ix2505v.c > > +++ b/drivers/media/dvb/frontends/ix2505v.c > > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, > > ret = ix2505v_read_status_reg(state); > > > > if (ret & 0x80) { > > + kfree(state); > > Instead of doing the free here, please move it to happen at the error: logic. > Currently, there's just one error condition, but having part of the release/kfree > logic here and there is not a good idea. > > > deb_i2c("%s: No IX2505V found\n", __func__); > > goto error; > > } The state is already freed in ix2505v_release on error. ^ permalink raw reply [flat|nested] 6+ messages in thread
[parent not found: <1293758374.10326.7.camel@tvboxspy>]
[parent not found: <alpine.LNX.2.00.1012311541430.16655@swampdragon.chaosbits.net>]
* Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()). [not found] ` <alpine.LNX.2.00.1012311541430.16655@swampdragon.chaosbits.net> @ 2010-12-31 18:33 ` Malcolm Priestley 2011-01-02 18:49 ` Jesper Juhl 0 siblings, 1 reply; 6+ messages in thread From: Malcolm Priestley @ 2010-12-31 18:33 UTC (permalink / raw) To: Jesper Juhl; +Cc: linux-media, linux-kernel, Mauro Carvalho Chehab On Fri, 2010-12-31 at 15:51 +0100, Jesper Juhl wrote: > On Fri, 31 Dec 2010, Malcolm Priestley wrote: > > > On Fri, 2010-12-31 at 00:11 +0100, Jesper Juhl wrote: > > > Hi, > > > > > > We may leak the storage allocated to 'state' in > > > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error. > > > This patch makes sure we free the allocated memory in the failure case. > > > > > > > > > Signed-off-by: Jesper Juhl <jj@chaosbits.net> > > > --- > > > ix2505v.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > Compile tested only. > > > > > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c > > > index 55f2eba..fcb173d 100644 > > > --- a/drivers/media/dvb/frontends/ix2505v.c > > > +++ b/drivers/media/dvb/frontends/ix2505v.c 
> > > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, > > > ret = ix2505v_read_status_reg(state); > > > > > > if (ret & 0x80) { > > > + kfree(state); > > > deb_i2c("%s: No IX2505V found\n", __func__); > > > goto error; > > > } > > > > > Memory is freed in... > > > > error: > > ix2505v_release(fe); > > return NULL; > > > > via... > > > > static int ix2505v_release(struct dvb_frontend *fe) > > { > > struct ix2505v_state *state = fe->tuner_priv; > > > > fe->tuner_priv = NULL; > > kfree(state); > > > > return 0; > > } > > > > Except that 'state' has not been assigned to fe->tuner_priv at this > point, so ix2505v_release() cannot free the memory that was just > allocated with kzalloc(). > > > state is a local variable: > struct ix2505v_state *state = NULL; > ... > > we allocate memory and assign it to 'state' here: > state = kzalloc(sizeof(struct ix2505v_state), GFP_KERNEL); > if (NULL == state) > return NULL; > > state->config = config; > state->i2c = i2c; > > here 'state' is used, but not in a way that saves it anywhere: > if (state->config->tuner_write_only) { > if (fe->ops.i2c_gate_ctrl) > fe->ops.i2c_gate_ctrl(fe, 1); > > this function call involves 'state' but it does not save it anywhere > either: > ret = ix2505v_read_status_reg(state); > > if (ret & 0x80) { > deb_i2c("%s: No IX2505V found\n", __func__); > so when we jump to error here 'state' still exists only as the local > variable, it has not been assigned to anything else. > goto error; > } > ... > error: > there is no way this function call can free 'state' on this path since > it has not been assigned to fe->tuner_priv. > ix2505v_release(fe); > The local variable state goes out of scope here and leaks the memory it > points to: > return NULL; > } > > Am I missing something? Oh, Sorry, I see it now. Now there is two options. 
Either;

1) Move fe->tuner_priv = state to below line 287, so it can be released
by ix2505v_release and fe->tuner_priv returned to NULL;

2) or not calling ix2505v_release changing line 314 to kfree(state).
fe->tuner_priv will remain NULL throughout.

Currently, tuner_write_only is not implemented in the dvb-usb-lmedm04
driver, as sometimes it returned unpredictable results, and wrongly
failed to attach the tuner. Although, I will test it again.

Regards

Malcolm
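A userspace model of the failure path argued over in the message above, added here as an example; it is not code from the driver or from anyone in the thread. The structs, the `live` counter, the `probe_fails` flag and the `ORIGINAL`/`OPTION_1`/`OPTION_2` variants are constructed. It counts the blocks left allocated after a failed attach for the original code and for each of the two options listed.

```c
/* Userspace model of the ix2505v_attach() error path; every name is constructed. */
#include <stdio.h>
#include <stdlib.h>

struct state { int unused; };
struct frontend { struct state *tuner_priv; };

static int live;     /* blocks allocated and not yet freed */
static void *last;   /* most recent block, so a leaked one can be reclaimed */
static void *zalloc(size_t n) { last = calloc(1, n); live += (last != NULL); return last; }
static void xfree(void *p) { if (p) { live--; last = NULL; } free(p); }

/* Same effect as ix2505v_release(): frees only what fe->tuner_priv holds. */
static void release(struct frontend *fe)
{
	xfree(fe->tuner_priv);
	fe->tuner_priv = NULL;
}

enum variant { ORIGINAL, OPTION_1, OPTION_2 };

static struct frontend *attach(struct frontend *fe, enum variant v, int probe_fails)
{
	struct state *s = zalloc(sizeof(*s));
	if (!s)
		return NULL;
	if (v == OPTION_1)
		fe->tuner_priv = s;   /* option 1: publish before the probe */
	if (probe_fails)
		goto error;
	fe->tuner_priv = s;
	return fe;
error:
	if (v == OPTION_2)
		xfree(s);             /* option 2: free the local directly */
	else
		release(fe);          /* can only free fe->tuner_priv */
	return NULL;
}

static int leaked_after_failed_attach(enum variant v)   /* 0 means no leak */
{
	struct frontend fe = { NULL };
	live = 0;
	attach(&fe, v, 1);
	int n = live;
	xfree(last);              /* reclaim the leaked block, if any */
	return n;
}

int main(void)
{
	for (int v = ORIGINAL; v <= OPTION_2; v++)
		printf("variant %d: %d block(s) leaked\n", v,
		       leaked_after_failed_attach((enum variant)v));
	return 0;
}
```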
* Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()). 2010-12-31 18:33 ` Malcolm Priestley @ 2011-01-02 18:49 ` Jesper Juhl 2011-01-02 19:14 ` Jesper Juhl 0 siblings, 1 reply; 6+ messages in thread From: Jesper Juhl @ 2011-01-02 18:49 UTC (permalink / raw) To: Malcolm Priestley; +Cc: linux-media, linux-kernel, Mauro Carvalho Chehab On Fri, 31 Dec 2010, Malcolm Priestley wrote: > On Fri, 2010-12-31 at 15:51 +0100, Jesper Juhl wrote: > > On Fri, 31 Dec 2010, Malcolm Priestley wrote: > > > > > On Fri, 2010-12-31 at 00:11 +0100, Jesper Juhl wrote: > > > > Hi, > > > > > > > > We may leak the storage allocated to 'state' in > > > > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error. > > > > This patch makes sure we free the allocated memory in the failure case. > > > > > > > > > > > > Signed-off-by: Jesper Juhl <jj@chaosbits.net> > > > > --- > > > > ix2505v.c | 1 + > > > > 1 file changed, 1 insertion(+) > > > > > > > > Compile tested only. > > > > > > > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c > > > > index 55f2eba..fcb173d 100644 > > > > --- a/drivers/media/dvb/frontends/ix2505v.c > > > > +++ b/drivers/media/dvb/frontends/ix2505v.c 
> > > > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, > > > > ret = ix2505v_read_status_reg(state); > > > > > > > > if (ret & 0x80) { > > > > + kfree(state); > > > > deb_i2c("%s: No IX2505V found\n", __func__); > > > > goto error; > > > > } > > > > > > > Memory is freed in... > > > > > > error: > > > ix2505v_release(fe); > > > return NULL; > > > > > > via... > > > > > > static int ix2505v_release(struct dvb_frontend *fe) > > > { > > > struct ix2505v_state *state = fe->tuner_priv; > > > > > > fe->tuner_priv = NULL; > > > kfree(state); > > > > > > return 0; > > > } > > > > > > > Except that 'state' has not been assigned to fe->tuner_priv at this > > point, so ix2505v_release() cannot free the memory that was just > > allocated with kzalloc(). > > > > > > state is a local variable: > > struct ix2505v_state *state = NULL; > > ... > > > > we allocate memory and assign it to 'state' here: > > state = kzalloc(sizeof(struct ix2505v_state), GFP_KERNEL); > > if (NULL == state) > > return NULL; > > > > state->config = config; > > state->i2c = i2c; > > > > here 'state' is used, but not in a way that saves it anywhere: > > if (state->config->tuner_write_only) { > > if (fe->ops.i2c_gate_ctrl) > > fe->ops.i2c_gate_ctrl(fe, 1); > > > > this function call involves 'state' but it does not save it anywhere > > either: > > ret = ix2505v_read_status_reg(state); > > > > if (ret & 0x80) { > > deb_i2c("%s: No IX2505V found\n", __func__); > > so when we jump to error here 'state' still exists only as the local > > variable, it has not been assigned to anything else. > > goto error; > > } > > ... > > error: > > there is no way this function call can free 'state' on this path since > > it has not been assigned to fe->tuner_priv. > > ix2505v_release(fe); > > The local variable state goes out of scope here and leaks the memory it > > points to: > > return NULL; > > } > > > > Am I missing something? > > Oh, Sorry, I see it now. > > Now there is two options. 
> > Either; > > 1) Move fe->tuner_priv = state to below line 287, so it can be released > by ix2505v_release and fe->tuner_priv returned to NULL; > > 2) or not calling ix2505v_release changing line 314 to kfree(state). > fe->tuner_priv will remain NULL through out. > [...] How about this? Signed-off-by: Jesper Juhl <jj@chaosbits.net> --- ix2505v.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c index 55f2eba..15806e5 100644 --- a/drivers/media/dvb/frontends/ix2505v.c +++ b/drivers/media/dvb/frontends/ix2505v.c @@ -271,7 +271,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, const struct ix2505v_config *config, struct i2c_adapter *i2c) { - struct ix2505v_state *state = NULL; + struct ix2505v_state *state; int ret; if (NULL == config) { @@ -285,6 +285,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, state->config = config; state->i2c = i2c; + fe->tuner_priv = state; if (state->config->tuner_write_only) { if (fe->ops.i2c_gate_ctrl) @@ -301,8 +302,6 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, fe->ops.i2c_gate_ctrl(fe, 0); } - fe->tuner_priv = state; - memcpy(&fe->ops.tuner_ops, &ix2505v_tuner_ops, sizeof(struct dvb_tuner_ops)); deb_i2c("%s: initialization (%s addr=0x%02x) ok\n", -- Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/ Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Plain text mails only, please. ^ permalink raw reply related [flat|nested] 6+ messages in thread
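Review bot: the first hunk drops the `= NULL` initializer on `state`, which is unrelated to the leak and leaves the pointer indeterminate from the declaration through the `if (NULL == config)` check until the allocation; keep the initializer or justify the removal in the changelog. In the second hunk `fe->tuner_priv = state;` now runs before the probe, so a failed attach depends on the error path to clear tuner_priv again; a short comment at the assignment saying that the error path owns and resets it would help. The mail also needs a real commit description, since "How about this?" explains nothing once applied.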
* Re: [PATVH] media, dvb, IX2505V: Remember to free allocated memory in failure path (ix2505v_attach()). 2011-01-02 18:49 ` Jesper Juhl @ 2011-01-02 19:14 ` Jesper Juhl 0 siblings, 0 replies; 6+ messages in thread From: Jesper Juhl @ 2011-01-02 19:14 UTC (permalink / raw) To: Malcolm Priestley; +Cc: linux-media, linux-kernel, Mauro Carvalho Chehab On Sun, 2 Jan 2011, Jesper Juhl wrote: > On Fri, 31 Dec 2010, Malcolm Priestley wrote: > > > On Fri, 2010-12-31 at 15:51 +0100, Jesper Juhl wrote: > > > On Fri, 31 Dec 2010, Malcolm Priestley wrote: > > > > > > > On Fri, 2010-12-31 at 00:11 +0100, Jesper Juhl wrote: > > > > > Hi, > > > > > > > > > > We may leak the storage allocated to 'state' in > > > > > drivers/media/dvb/frontends/ix2505v.c::ix2505v_attach() on error. > > > > > This patch makes sure we free the allocated memory in the failure case. > > > > > > > > > > > > > > > Signed-off-by: Jesper Juhl <jj@chaosbits.net> > > > > > --- > > > > > ix2505v.c | 1 + > > > > > 1 file changed, 1 insertion(+) > > > > > > > > > > Compile tested only. > > > > > > > > > > diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c > > > > > index 55f2eba..fcb173d 100644 > > > > > --- a/drivers/media/dvb/frontends/ix2505v.c > > > > > +++ b/drivers/media/dvb/frontends/ix2505v.c 
> > > > > @@ -293,6 +293,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, > > > > > ret = ix2505v_read_status_reg(state); > > > > > > > > > > if (ret & 0x80) { > > > > > + kfree(state); > > > > > deb_i2c("%s: No IX2505V found\n", __func__); > > > > > goto error; > > > > > } > > > > > > > > > Memory is freed in... > > > > > > > > error: > > > > ix2505v_release(fe); > > > > return NULL; > > > > > > > > via... > > > > > > > > static int ix2505v_release(struct dvb_frontend *fe) > > > > { > > > > struct ix2505v_state *state = fe->tuner_priv; > > > > > > > > fe->tuner_priv = NULL; > > > > kfree(state); > > > > > > > > return 0; > > > > } > > > > > > > > > > Except that 'state' has not been assigned to fe->tuner_priv at this > > > point, so ix2505v_release() cannot free the memory that was just > > > allocated with kzalloc(). > > > > > > > > > state is a local variable: > > > struct ix2505v_state *state = NULL; > > > ... > > > > > > we allocate memory and assign it to 'state' here: > > > state = kzalloc(sizeof(struct ix2505v_state), GFP_KERNEL); > > > if (NULL == state) > > > return NULL; > > > > > > state->config = config; > > > state->i2c = i2c; > > > > > > here 'state' is used, but not in a way that saves it anywhere: > > > if (state->config->tuner_write_only) { > > > if (fe->ops.i2c_gate_ctrl) > > > fe->ops.i2c_gate_ctrl(fe, 1); > > > > > > this function call involves 'state' but it does not save it anywhere > > > either: > > > ret = ix2505v_read_status_reg(state); > > > > > > if (ret & 0x80) { > > > deb_i2c("%s: No IX2505V found\n", __func__); > > > so when we jump to error here 'state' still exists only as the local > > > variable, it has not been assigned to anything else. > > > goto error; > > > } > > > ... > > > error: > > > there is no way this function call can free 'state' on this path since > > > it has not been assigned to fe->tuner_priv. 
> > > ix2505v_release(fe); > > > The local variable state goes out of scope here and leaks the memory it > > > points to: > > > return NULL; > > > } > > > > > > Am I missing something? > > > > Oh, Sorry, I see it now. > > > > Now there is two options. > > > > Either; > > > > 1) Move fe->tuner_priv = state to below line 287, so it can be released > > by ix2505v_release and fe->tuner_priv returned to NULL; > > > > 2) or not calling ix2505v_release changing line 314 to kfree(state). > > fe->tuner_priv will remain NULL through out. > > > [...] > > How about this? > Or actually, I think this is better: Signed-off-by: Jesper Juhl <jj@chaosbits.net> --- ix2505v.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/dvb/frontends/ix2505v.c b/drivers/media/dvb/frontends/ix2505v.c index 55f2eba..846ffd3 100644 --- a/drivers/media/dvb/frontends/ix2505v.c +++ b/drivers/media/dvb/frontends/ix2505v.c @@ -311,7 +311,7 @@ struct dvb_frontend *ix2505v_attach(struct dvb_frontend *fe, return fe; error: - ix2505v_release(fe); + kfree(state); return NULL; } EXPORT_SYMBOL(ix2505v_attach); -- Jesper Juhl <jj@chaosbits.net> http://www.chaosbits.net/ Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html Plain text mails only, please. ^ permalink raw reply related [flat|nested] 6+ messages in thread
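Review bot: `kfree(state)` at the error: label is only safe if `state` is NULL or a live allocation on every path that reaches the label, so this change depends on the `= NULL` initializer that the previous proposal in this thread removed; keep the initializer and say so in the changelog. The mail has no commit description, so add one stating that state is not yet stored in fe->tuner_priv when the probe fails, which is why ix2505v_release(fe) could not free it.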