wt., 18 lut 2020 o 10:56 Srinivas Kandagatla srinivas.kandagatla@linaro.org napisaĆ(a):
On 18/02/2020 09:42, Bartosz Golaszewski wrote:
From: Bartosz Golaszewski bgolaszewski@baylibre.com
The nvmem struct is only freed on the first error check after its allocation and leaked after that. Fix it with a new label.
Cc: stable@vger.kernel.org Signed-off-by: Bartosz Golaszewski bgolaszewski@baylibre.com
drivers/nvmem/core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index b0be03d5f240..c9b3f4047154 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -343,10 +343,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config) return ERR_PTR(-ENOMEM);
rval = ida_simple_get(&nvmem_ida, 0, 0, GFP_KERNEL);
if (rval < 0) {kfree(nvmem);return ERR_PTR(rval);}
if (rval < 0)goto err_free_nvmem; if (config->wp_gpio) nvmem->wp_gpio = config->wp_gpio; else@@ -432,6 +430,8 @@ struct nvmem_device *nvmem_register(const struct nvmem_config *config) put_device(&nvmem->dev); err_ida_remove: ida_simple_remove(&nvmem_ida, nvmem->id); +err_free_nvmem:
kfree(nvmem);This is not correct fix to start with, if the device has already been intialized before jumping here then nvmem would be freed as part of nvmem_release().
So the bug was actually introduced by adding err_ida_remove label.
You can free nvmem at that point but not at any point after that as device core would be holding a reference to it.
OK I see - I missed the release() callback assignment. Frankly: I find this split of resource management responsibility confusing. Since the users are expected to call nvmem_unregister() anyway - wouldn't it be more clear to just free all resources there? What is the advantage of defining the release() callback for device type here?
Bartosz