Re: [PATCH v2 2/7] nvmem: fix another memory leak in error path

18 Feb 2020

On 18/02/2020 09:42, Bartosz Golaszewski wrote:
...
From: Bartosz Golaszewski bgolaszewski@baylibre.com
The nvmem struct is only freed on the first error check after its
allocation and leaked after that. Fix it with a new label.
Cc: stable@vger.kernel.org
Signed-off-by: Bartosz Golaszewski bgolaszewski@baylibre.com

drivers/nvmem/core.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
index b0be03d5f240..c9b3f4047154 100644
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -343,10 +343,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
   	return ERR_PTR(-ENOMEM);
  
   rval  = ida_simple_get(&nvmem_ida, 0, 0, GFP_KERNEL);

if (rval < 0) {
kfree(nvmem);


return ERR_PTR(rval);


}


if (rval < 0)
goto err_free_nvmem;

if (config->wp_gpio)
nvmem->wp_gpio = config->wp_gpio;
else

@@ -432,6 +430,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config)
   put_device(&nvmem->dev);
  err_ida_remove:
   ida_simple_remove(&nvmem_ida, nvmem->id);
+err_free_nvmem:

kfree(nvmem);

This is not correct fix to start with, if the device has already been 
intialized before jumping here then nvmem would be freed as part of 
nvmem_release().
So the bug was actually introduced by adding err_ida_remove label.
You can free nvmem at that point but not at any point after that as 
device core would be holding a reference to it.
--srini
...
return ERR_PTR(rval);
  }

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

Re: [PATCH v2 2/7] nvmem: fix another memory leak in error path