In function device_init_td0_ring, memory is allocated for member
td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
allocation failure, the memory is freed in reversed order, with i
decreasing to 0. However, the case i=0 is left out and thus memory is
leaked.
Modify the memory freeing loop to include the case i=0.
Signed-off-by: Nam Cao <[email protected]>
---
drivers/staging/vt6655/device_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index 3397c78b975a..a65014195fdc 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -743,7 +743,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
return 0;
err_free_desc:
- while (--i) {
+ while (i--) {
desc = &priv->apTD0Rings[i];
kfree(desc->td_info);
}
--
2.25.1
I did not realize this initially, but this bug can cause more serious problem
than just a memory leak. In the case that kzalloc fails right from the
beginning with i=0; then in the while loop, "i" will wrap around and the code
will access priv->apTD0Rings[4294967295] which is obviously not good.
Best regards,
Nam
On 9/9/22 16:13, Nam Cao wrote:
> In function device_init_td0_ring, memory is allocated for member
> td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
> allocation failure, the memory is freed in reversed order, with i
> decreasing to 0. However, the case i=0 is left out and thus memory is
> leaked.
>
> Modify the memory freeing loop to include the case i=0.
>
> Signed-off-by: Nam Cao <[email protected]>
> ---
> drivers/staging/vt6655/device_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
> index 3397c78b975a..a65014195fdc 100644
> --- a/drivers/staging/vt6655/device_main.c
> +++ b/drivers/staging/vt6655/device_main.c
> @@ -743,7 +743,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
> return 0;
>
> err_free_desc:
> - while (--i) {
> + while (i--) {
> desc = &priv->apTD0Rings[i];
> kfree(desc->td_info);
> }
Tested-by: Philipp Hortmann <[email protected]>
On Fri, Sep 09, 2022 at 04:13:39PM +0200, Nam Cao wrote:
> In function device_init_td0_ring, memory is allocated for member
> td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
> allocation failure, the memory is freed in reversed order, with i
> decreasing to 0. However, the case i=0 is left out and thus memory is
> leaked.
>
> Modify the memory freeing loop to include the case i=0.
>
> Signed-off-by: Nam Cao <[email protected]>
Looks good. Please add a Fixes tag, and CC all the people who were
involved with the original patch so they can review it.
Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures")
I actually wrote that buggy code and Ji-Hun copied it from me, so my
bad. Sorry!
regards,
dan carpenter
On Fri, Sep 09, 2022 at 04:42:05PM +0200, Nam Cao wrote:
> I did not realize this initially, but this bug can cause more serious problem
> than just a memory leak. In the case that kzalloc fails right from the
> beginning with i=0; then in the while loop, "i" will wrap around and the code
> will access priv->apTD0Rings[4294967295] which is obviously not good.
>
True. You probably want to resend with that added to the commit
message. I will create a Smatch check to prevent these in the future.
regards,
dan carpenter
On Mon, Sep 12, 2022 at 05:17:28PM +0300, Dan Carpenter wrote:
> On Fri, Sep 09, 2022 at 04:42:05PM +0200, Nam Cao wrote:
> > I did not realize this initially, but this bug can cause more serious problem
> > than just a memory leak. In the case that kzalloc fails right from the
> > beginning with i=0; then in the while loop, "i" will wrap around and the code
> > will access priv->apTD0Rings[4294967295] which is obviously not good.
> >
>
> True. You probably want to resend with that added to the commit
> message. I will create a Smatch check to prevent these in the future.
>
I created a static checker warning for these and it found a bunch more
bugs in the same file.
drivers/staging/vt6655/device_main.c:635 device_init_rd0_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:636 device_init_rd0_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:681 device_init_rd1_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:682 device_init_rd1_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:746 device_init_td0_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:747 device_init_td0_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:786 device_init_td1_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:787 device_init_td1_ring() warn: using underflowed offset 'i'
Could you fix those as well? They're all the same bug and the same file
so I would do it all at once. They were introduced in the same patch
as well so only one Fixes tag required.
regards,
dan carpenter