tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: ef5f68cc1f829b492b19cd4df5af4454aa816b93
commit: 72f2b0b2185099dce354c805009f591dda3ab73d drivers/block: Move PARIDE protocol modules to drivers/ata/pata_parport
config: ia64-randconfig-m041-20230308 (https://download.01.org/0day-ci/archive/20230311/[email protected]/config)
compiler: ia64-linux-gcc (GCC) 12.1.0
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <[email protected]>
| Reported-by: Dan Carpenter <[email protected]>
| Link: https://lore.kernel.org/r/[email protected]/
New smatch warnings:
drivers/ata/pata_parport/pata_parport.c:446 pi_init_one() warn: possible memory leak of 'pi'
drivers/ata/pata_parport/comm.c:64 comm_read_regr() warn: inconsistent indenting
drivers/ata/pata_parport/comm.c:164 comm_write_block() warn: inconsistent indenting
Old smatch warnings:
drivers/ata/pata_parport/pata_parport.c:445 pi_init_one() warn: unsigned 'pi->dev.id' is never less than zero.
drivers/ata/pata_parport/comm.c:168 comm_write_block() warn: inconsistent indenting
drivers/ata/pata_parport/comm.c:172 comm_write_block() warn: inconsistent indenting
vim +/pi +446 drivers/ata/pata_parport/pata_parport.c
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 418 static struct pi_adapter *pi_init_one(struct parport *parport,
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 419 struct pi_protocol *pr, int mode, int unit, int delay)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 420 {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 421 struct pardev_cb par_cb = { };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 422 char scratch[512];
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 423 const struct ata_port_info *ppi[] = { &pata_parport_port_info };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 424 struct ata_host *host;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 425 struct pi_adapter *pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 426 struct pi_device_match match = { .parport = parport, .proto = pr };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 427
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 428 /*
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 429 * Abort if there's a device already registered on the same parport
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 430 * using the same protocol.
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 431 */
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 432 if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 433 return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 434
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 435 pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 436 if (!pi)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 437 return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 438
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 439 /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 440 pi->dev.parent = &pata_parport_bus;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 441 pi->dev.bus = &pata_parport_bus_type;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 442 pi->dev.driver = &pr->driver;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 443 pi->dev.release = pata_parport_dev_release;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 444 pi->dev.id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 445 if (pi->dev.id < 0)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 @446 return NULL; /* pata_parport_dev_release will do kfree(pi) */
The comment says that pata_parport_dev_release() will free "pi" but
that's impossible because pi is a local variable and we haven't called
device_register().
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 447 dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 448 if (device_register(&pi->dev)) {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 449 put_device(&pi->dev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 450 goto out_ida_free;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 451 }
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 452
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 453 pi->proto = pr;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 454
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 455 if (!try_module_get(pi->proto->owner))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 456 goto out_unreg_dev;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 457 if (pi->proto->init_proto && pi->proto->init_proto(pi) < 0)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 458 goto out_module_put;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 459
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 460 pi->delay = (delay == -1) ? pi->proto->default_delay : delay;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 461 pi->mode = mode;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 462 pi->port = parport->base;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 463
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 464 par_cb.private = pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 465 pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 466 pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 467 if (!pi->pardev)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 468 goto out_module_put;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 469
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 470 if (!pi_probe_unit(pi, unit, scratch)) {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 471 dev_info(&pi->dev, "Adapter not found\n");
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 472 goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 473 }
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 474
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 475 pi->proto->log_adapter(pi, scratch, 1);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 476
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 477 host = ata_host_alloc_pinfo(&pi->pardev->dev, ppi, 1);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 478 if (!host)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 479 goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 480 dev_set_drvdata(&pi->dev, host);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 481 host->private_data = pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 482
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 483 ata_port_desc(host->ports[0], "port %s", pi->pardev->port->name);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 484 ata_port_desc(host->ports[0], "protocol %s", pi->proto->name);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 485
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 486 pi_connect(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 487 if (ata_host_activate(host, 0, NULL, 0, &pata_parport_sht))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 488 goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 489
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 490 return pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 491
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 492 out_unreg_parport:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 493 pi_disconnect(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 494 parport_unregister_device(pi->pardev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 495 if (pi->proto->release_proto)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 496 pi->proto->release_proto(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 497 out_module_put:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 498 module_put(pi->proto->owner);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 499 out_unreg_dev:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 500 device_unregister(&pi->dev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 501 out_ida_free:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 502 ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 503 return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 504 }
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests
When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/[email protected]/
Signed-off-by: Ondrej Zary <[email protected]>
---
drivers/ata/pata_parport/pata_parport.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..fb1f10afa722 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
return NULL;
+ id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+ if (id < 0)
+ return NULL;
+
pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
if (!pi)
- return NULL;
+ goto out_ida_free;
/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
pi->dev.parent = &pata_parport_bus;
pi->dev.bus = &pata_parport_bus_type;
pi->dev.driver = &pr->driver;
pi->dev.release = pata_parport_dev_release;
- id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
- if (id < 0)
- return NULL; /* pata_parport_dev_release will do kfree(pi) */
pi->dev.id = id;
dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
if (device_register(&pi->dev)) {
--
Ondrej Zary
On 3/11/23 9:51 PM, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.
>
> Reported-by: kernel test robot <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]/
> Signed-off-by: Ondrej Zary <[email protected]>
Reviewed-by: Sergey Shtylyov <[email protected]>
[...]
MBR, Sergey
On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
>> When ida_alloc() fails, "pi" is not freed although the misleading
>> comment says otherwise.
>> Move the ida_alloc() call up so we really don't have to free it.
Wait, but don't we still need to call kfree() in pi_init_one()?
>> Reported-by: kernel test robot <[email protected]>
>> Reported-by: Dan Carpenter <[email protected]>
>> Link: https://lore.kernel.org/r/[email protected]/
>> Signed-off-by: Ondrej Zary <[email protected]>
>
> Reviewed-by: Sergey Shtylyov <[email protected]>
>
> [...]
MBR, Sergey
On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
>
> >> When ida_alloc() fails, "pi" is not freed although the misleading
> >> comment says otherwise.
> >> Move the ida_alloc() call up so we really don't have to free it.
>
> Wait, but don't we still need to call kfree() in pi_init_one()?
If it fails at device_register, the dev.release is already set to pata_parport_dev_release which does the kfree(). put_device() should call it. If it fails later, device_unregister() should do it.
> >> Reported-by: kernel test robot <[email protected]>
> >> Reported-by: Dan Carpenter <[email protected]>
> >> Link: https://lore.kernel.org/r/[email protected]/
> >> Signed-off-by: Ondrej Zary <[email protected]>
> >
> > Reviewed-by: Sergey Shtylyov <[email protected]>
> >
> > [...]
>
> MBR, Sergey
>
--
Ondrej Zary
On Saturday 11 March 2023 22:11:57 Ondrej Zary wrote:
> On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> > On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
> >
> > >> When ida_alloc() fails, "pi" is not freed although the misleading
> > >> comment says otherwise.
> > >> Move the ida_alloc() call up so we really don't have to free it.
> >
> > Wait, but don't we still need to call kfree() in pi_init_one()?
>
> If it fails at device_register, the dev.release is already set to
> pata_parport_dev_release which does the kfree(). put_device() should call
> it. If it fails later, device_unregister() should do it.
But I see that the ida_free() at the end of pi_init_one() is wrong. It uses pi->dev.id but pi is either uninitialized or already freed.
--
Ondrej Zary
When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/[email protected]/
Signed-off-by: Ondrej Zary <[email protected]>
---
drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..a9eff6003098 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
return NULL;
+ id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+ if (id < 0)
+ return NULL;
+
pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
if (!pi)
- return NULL;
+ goto out_ida_free;
/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
pi->dev.parent = &pata_parport_bus;
pi->dev.bus = &pata_parport_bus_type;
pi->dev.driver = &pr->driver;
pi->dev.release = pata_parport_dev_release;
- id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
- if (id < 0)
- return NULL; /* pata_parport_dev_release will do kfree(pi) */
pi->dev.id = id;
dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
if (device_register(&pi->dev)) {
@@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
out_unreg_dev:
device_unregister(&pi->dev);
out_ida_free:
- ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+ ida_free(&pata_parport_bus_dev_ids, id);
return NULL;
}
--
Ondrej Zary
On 3/12/23 06:44, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.
Certainly you meant: "so we really do free it in case of error.", no ?
>
> Reported-by: kernel test robot <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]/
> Signed-off-by: Ondrej Zary <[email protected]>
> ---
> drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> index 6165ee9aa7da..a9eff6003098 100644
> --- a/drivers/ata/pata_parport/pata_parport.c
> +++ b/drivers/ata/pata_parport/pata_parport.c
> @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
> return NULL;
>
> + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> + if (id < 0)
> + return NULL;
> +
> pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
> if (!pi)
> - return NULL;
> + goto out_ida_free;
>
> /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> pi->dev.parent = &pata_parport_bus;
> pi->dev.bus = &pata_parport_bus_type;
> pi->dev.driver = &pr->driver;
> pi->dev.release = pata_parport_dev_release;
> - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> - if (id < 0)
> - return NULL; /* pata_parport_dev_release will do kfree(pi) */
> pi->dev.id = id;
> dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> if (device_register(&pi->dev)) {
> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> out_unreg_dev:
> device_unregister(&pi->dev);
Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
return here ?
> out_ida_free:
> - ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> + ida_free(&pata_parport_bus_dev_ids, id);
> return NULL;
> }
>
--
Damien Le Moal
Western Digital Research
On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> On 3/12/23 06:44, Ondrej Zary wrote:
> > When ida_alloc() fails, "pi" is not freed although the misleading
> > comment says otherwise.
> > Move the ida_alloc() call up so we really don't have to free it.
>
> Certainly you meant: "so we really do free it in case of error.", no ?
I meant "so we don't have to free pi in case of ida_alloc failure".
> >
> > Reported-by: kernel test robot <[email protected]>
> > Reported-by: Dan Carpenter <[email protected]>
> > Link: https://lore.kernel.org/r/[email protected]/
> > Signed-off-by: Ondrej Zary <[email protected]>
> > ---
> > drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
> > 1 file changed, 6 insertions(+), 5 deletions(-)
> >
> > diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> > index 6165ee9aa7da..a9eff6003098 100644
> > --- a/drivers/ata/pata_parport/pata_parport.c
> > +++ b/drivers/ata/pata_parport/pata_parport.c
> > @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> > if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
> > return NULL;
> >
> > + id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > + if (id < 0)
> > + return NULL;
> > +
> > pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
> > if (!pi)
> > - return NULL;
> > + goto out_ida_free;
> >
> > /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> > pi->dev.parent = &pata_parport_bus;
> > pi->dev.bus = &pata_parport_bus_type;
> > pi->dev.driver = &pr->driver;
> > pi->dev.release = pata_parport_dev_release;
> > - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > - if (id < 0)
> > - return NULL; /* pata_parport_dev_release will do kfree(pi) */
> > pi->dev.id = id;
> > dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> > if (device_register(&pi->dev)) {
> > @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> > out_unreg_dev:
> > device_unregister(&pi->dev);
>
> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> return here ?
No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
>
> > out_ida_free:
> > - ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> > + ida_free(&pata_parport_bus_dev_ids, id);
> > return NULL;
> > }
> >
>
--
Ondrej Zary
On 3/13/23 06:24, Ondrej Zary wrote:
> On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
>> On 3/12/23 06:44, Ondrej Zary wrote:
>>> When ida_alloc() fails, "pi" is not freed although the misleading
>>> comment says otherwise.
>>> Move the ida_alloc() call up so we really don't have to free it.
>>
>> Certainly you meant: "so we really do free it in case of error.", no ?
>
> I meant "so we don't have to free pi in case of ida_alloc failure".
That is better. Please rephrase the commit message to this.
>>> /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>>> pi->dev.parent = &pata_parport_bus;
>>> pi->dev.bus = &pata_parport_bus_type;
>>> pi->dev.driver = &pr->driver;
>>> pi->dev.release = pata_parport_dev_release;
>>> - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
>>> - if (id < 0)
>>> - return NULL; /* pata_parport_dev_release will do kfree(pi) */
>>> pi->dev.id = id;
>>> dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>>> if (device_register(&pi->dev)) {
>>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>>> out_unreg_dev:
>>> device_unregister(&pi->dev);
>>
>> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
>> return here ?
>
> No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
Yes, it should, otherwise you are leaking the ida with the normal (no errors)
case. Care to send a fix for that too ?
--
Damien Le Moal
Western Digital Research
On Monday 13 March 2023, Damien Le Moal wrote:
> On 3/13/23 06:24, Ondrej Zary wrote:
> > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> >> On 3/12/23 06:44, Ondrej Zary wrote:
> >>> When ida_alloc() fails, "pi" is not freed although the misleading
> >>> comment says otherwise.
> >>> Move the ida_alloc() call up so we really don't have to free it.
> >>
> >> Certainly you meant: "so we really do free it in case of error.", no ?
> >
> > I meant "so we don't have to free pi in case of ida_alloc failure".
>
> That is better. Please rephrase the commit message to this.
>
> >>> /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >>> pi->dev.parent = &pata_parport_bus;
> >>> pi->dev.bus = &pata_parport_bus_type;
> >>> pi->dev.driver = &pr->driver;
> >>> pi->dev.release = pata_parport_dev_release;
> >>> - id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> >>> - if (id < 0)
> >>> - return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >>> pi->dev.id = id;
> >>> dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >>> if (device_register(&pi->dev)) {
> >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >>> out_unreg_dev:
> >>> device_unregister(&pi->dev);
> >>
> >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> >> return here ?
> >
> > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
>
> Yes, it should, otherwise you are leaking the ida with the normal (no errors)
> case. Care to send a fix for that too ?
Yes, I'll send it as soon as I fix a problem that I noticed during testing. The ida is never freed with this fix. And neither "pi" because pata_parport_dev_release is never called (confirmed by adding printk).
--
Ondrej Zary
When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free "pi" in
case of ida_alloc() failure.
Also move ida_free() call from pi_remove_one() to
pata_parport_dev_release(). It was dereferencing already freed dev
pointer.
Testing revealed leak even in non-failure case which was tracked down
to missing put_device() call after bus_find_device_by_name(). As a
result, pata_parport_dev_release() was never called.
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
Link: https://lore.kernel.org/r/[email protected]/
Signed-off-by: Ondrej Zary <[email protected]>
---
drivers/ata/pata_parport/pata_parport.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..dc77b4c6fcef 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -452,6 +452,7 @@ static void pata_parport_dev_release(struct device *dev)
{
struct pi_adapter *pi = container_of(dev, struct pi_adapter, dev);
+ ida_free(&pata_parport_bus_dev_ids, dev->id);
kfree(pi);
}
@@ -503,23 +504,27 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
return NULL;
+ id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+ if (id < 0)
+ return NULL;
+
pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
- if (!pi)
+ if (!pi) {
+ ida_free(&pata_parport_bus_dev_ids, id);
return NULL;
+ }
/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
pi->dev.parent = &pata_parport_bus;
pi->dev.bus = &pata_parport_bus_type;
pi->dev.driver = &pr->driver;
pi->dev.release = pata_parport_dev_release;
- id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
- if (id < 0)
- return NULL; /* pata_parport_dev_release will do kfree(pi) */
pi->dev.id = id;
dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
if (device_register(&pi->dev)) {
put_device(&pi->dev);
- goto out_ida_free;
+ /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
+ return NULL;
}
pi->proto = pr;
@@ -534,8 +539,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
pi->port = parport->base;
par_cb.private = pi;
- pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
- pi->dev.id);
+ pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb, id);
if (!pi->pardev)
goto out_module_put;
@@ -570,8 +574,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
module_put(pi->proto->owner);
out_unreg_dev:
device_unregister(&pi->dev);
-out_ida_free:
- ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+ /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
return NULL;
}
@@ -696,8 +699,7 @@ static void pi_remove_one(struct device *dev)
pi_disconnect(pi);
pi_release(pi);
device_unregister(dev);
- ida_free(&pata_parport_bus_dev_ids, dev->id);
- /* pata_parport_dev_release will do kfree(pi) */
+ /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
}
static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
@@ -713,6 +715,7 @@ static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
}
pi_remove_one(dev);
+ put_device(dev);
mutex_unlock(&pi_mutex);
return count;
--
Ondrej Zary
On 3/15/23 07:58, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free "pi" in
> case of ida_alloc() failure.
>
> Also move ida_free() call from pi_remove_one() to
> pata_parport_dev_release(). It was dereferencing already freed dev
> pointer.
>
> Testing revealed leak even in non-failure case which was tracked down
> to missing put_device() call after bus_find_device_by_name(). As a
> result, pata_parport_dev_release() was never called.
>
> Reported-by: kernel test robot <[email protected]>
> Reported-by: Dan Carpenter <[email protected]>
> Link: https://lore.kernel.org/r/[email protected]/
> Signed-off-by: Ondrej Zary <[email protected]>
Applied to for-6.3-fixes. Thanks !
--
Damien Le Moal
Western Digital Research