From: Hongling Zeng <zhongling0719@126.com>
To: "Dominik Karol Piątkowski"
<dominik.karol.piatkowski@protonmail.com>,
"Hongling Zeng" <zenghongling@kylinos.cn>
Cc: dpenkler@gmail.com, gregkh@linuxfoundation.org, kees@kernel.org,
dan.carpenter@linaro.org, lukeyang.dev@gmail.com,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH v2] gpib: fmh_gpib: Fix resource leaks in fmh_gpib_attach_impl
Date: Fri, 29 May 2026 13:57:16 +0800 [thread overview]
Message-ID: <6A192ABC.6010500@126.com> (raw)
In-Reply-To: <LpJShJPaUZ8iZoWRA7Sy9TPz_7ZPHNvoU0lHOBrVEXvQGqlz493ShbF6ZKQ2zcRqPHVuxOkjzR0KCdS6OngnflPYa0gsqaRTpRWFbxuqQ4A=@protonmail.com>
Hi Dominik Karol,
Thanks for the analysis. You're right about the double-free issue.
However, there's still a real leak : when dma_fifos resource
lookup fails, the previously allocated gpib_iomem_res leaks because
dma_port_res isn't assigned yet, so detach() won't clean it up.
Minimal fix: cleanup only before field assignment:
```c
if (!res) {
dev_err(board->dev, "Unable to locate mmio resource for gpib dma
port\n");
release_mem_region(e_priv->gpib_iomem_res->start,
resource_size(e_priv->gpib_iomem_res));
return -ENODEV;
}
This fixes the leak while avoiding double-free. Acceptable approach?
Best regards,
Hongling Zeng
在 2026年05月29日 00:46, Dominik Karol Piątkowski 写道:
> Hi Hongling Zeng,
>
> On Thursday, May 28th, 2026 at 03:50, Hongling Zeng <zenghongling@kylinos.cn> wrote:
>
>> The fmh_gpib_attach_impl() function has multiple resource leaks in its
>> error handling paths. When any initialization step fails, the function
>> returns early without properly releasing previously acquired resources.
>>
>> Fix by adding proper error handling labels and cleanup code that releases
>> resources in the reverse order they were acquired.
>>
>> Fixes: 8e4841a0888c7 ("staging: gpib: Add Frank Mori Hess FPGA PCI GPIB driver")
>> Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>
>> Cc: stable@vger.kernel.org
>> Suggested-by: Dominik Karol Piątkowski <dominik.karol.piatkowski@protonmail.com>
>>
>> ---
>> Changes in v2:
>> - Fixed unnecessary retval assignments in early error returns
>> - Removed extra newline
>> - Kept e_priv->irq assignment after request_irq() succeeds,as suggested by Dominik Karol
>> ---
>> drivers/gpib/fmh_gpib/fmh_gpib.c | 37 +++++++++++++++++++++++++-------
>> 1 file changed, 29 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/gpib/fmh_gpib/fmh_gpib.c b/drivers/gpib/fmh_gpib/fmh_gpib.c
>> index fcafdc02ea2e..404379cd1565 100644
>> --- a/drivers/gpib/fmh_gpib/fmh_gpib.c
>> +++ b/drivers/gpib/fmh_gpib/fmh_gpib.c
>> @@ -1418,7 +1418,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar
>> resource_size(e_priv->gpib_iomem_res));
>> if (!nec_priv->mmiobase) {
>> dev_err(board->dev, "Could not map I/O memory\n");
>> - return -ENOMEM;
>> + retval = -ENOMEM;
>> + goto err_release_gpib_region;
>> }
>> dev_dbg(board->dev, "iobase %pr remapped to %p\n",
>> e_priv->gpib_iomem_res, nec_priv->mmiobase);
>> @@ -1426,34 +1427,39 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar
>> res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dma_fifos");
>> if (!res) {
>> dev_err(board->dev, "Unable to locate mmio resource for gpib dma port\n");
>> - return -ENODEV;
>> + retval = -ENODEV;
>> + goto err_iounmap_gpib;
>> }
>> if (request_mem_region(res->start,
>> resource_size(res),
>> pdev->name) == NULL) {
>> dev_err(board->dev, "cannot claim registers\n");
>> - return -ENXIO;
>> + retval = -ENXIO;
>> + goto err_iounmap_gpib;
>> }
>> e_priv->dma_port_res = res;
>> e_priv->fifo_base = ioremap(e_priv->dma_port_res->start,
>> resource_size(e_priv->dma_port_res));
>> if (!e_priv->fifo_base) {
>> dev_err(board->dev, "Could not map I/O memory for fifos\n");
>> - return -ENOMEM;
>> + retval = -ENOMEM;
>> + goto err_release_dma_region;
>> }
>> dev_dbg(board->dev, "dma fifos 0x%lx remapped to %p, length=%ld\n",
>> (unsigned long)e_priv->dma_port_res->start, e_priv->fifo_base,
>> (unsigned long)resource_size(e_priv->dma_port_res));
>>
>> irq = platform_get_irq(pdev, 0);
>> - if (irq < 0)
>> - return -EBUSY;
>> + if (irq < 0) {
>> + retval = -EBUSY;
>> + goto err_iounmap_fifo;
>> + }
>> retval = request_irq(irq, fmh_gpib_interrupt, IRQF_SHARED, pdev->name, board);
>> if (retval) {
>> dev_err(board->dev,
>> "cannot register interrupt handler err=%d\n",
>> retval);
>> - return retval;
>> + goto err_iounmap_fifo;
>> }
>> e_priv->irq = irq;
>>
>> @@ -1461,7 +1467,8 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar
>> e_priv->dma_channel = dma_request_slave_channel(board->dev, "rxtx");
>> if (!e_priv->dma_channel) {
>> dev_err(board->dev, "failed to acquire dma channel \"rxtx\".\n");
>> - return -EIO;
>> + retval = -EIO;
>> + goto err_free_irq;
>> }
>> }
>> /*
>> @@ -1473,6 +1480,20 @@ static int fmh_gpib_attach_impl(struct gpib_board *board, const struct gpib_boar
>> fifo_max_burst_length_mask;
>>
>> return fmh_gpib_init(e_priv, board, handshake_mode);
>> +
>> +err_free_irq:
>> + free_irq(e_priv->irq, board);
>> +err_iounmap_fifo:
>> + iounmap(e_priv->fifo_base);
>> +err_release_dma_region:
>> + release_mem_region(e_priv->dma_port_res->start,
>> + resource_size(e_priv->dma_port_res));
>> +err_iounmap_gpib:
>> + iounmap(nec_priv->mmiobase);
>> +err_release_gpib_region:
>> + release_mem_region(e_priv->gpib_iomem_res->start,
>> + resource_size(e_priv->gpib_iomem_res));
>> + return retval;
> I see a problem with this patch.
>
> fmh_gpib_attach_impl is called from fmh_gpib_attach_holdoff_(all|end), and these
> are passed as attach through fmh_gpib_(unaccel_)interface. The only place where
> I see attach is called, is in common/iblib.c, in ibonline function. If attach
> fails (that is, returns with -errno), detach is called (fmh_gpib_detach for
> this case), where a proper cleanup is performed.
>
> If we release the resources in attach and not clear corresponding e_priv fields,
> we will fail badly in detach, as we do double free/unmap and use after free.
> Clearing e_priv fields will result in having two competing cleanup routines,
> and I don't like that idea - let's have one proper cleanup in one place. The
> only way to keep this approach would be to rewrite the core gpib logic for
> attach/detach, and I don't know if it's worth the effort - probably not.
>
> Thanks,
> Dominik Karol
>
>> }
>>
>> int fmh_gpib_attach_holdoff_all(struct gpib_board *board, const struct gpib_board_config *config)
>> --
>> 2.25.1
>>
>>
next prev parent reply other threads:[~2026-05-29 5:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-28 1:50 [PATCH v2] gpib: fmh_gpib: Fix resource leaks in fmh_gpib_attach_impl Hongling Zeng
2026-05-28 16:46 ` Dominik Karol Piątkowski
2026-05-29 5:57 ` Hongling Zeng [this message]
2026-05-29 15:35 ` Dominik Karol Piątkowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6A192ABC.6010500@126.com \
--to=zhongling0719@126.com \
--cc=dan.carpenter@linaro.org \
--cc=dominik.karol.piatkowski@protonmail.com \
--cc=dpenkler@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lukeyang.dev@gmail.com \
--cc=stable@vger.kernel.org \
--cc=zenghongling@kylinos.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox