This driver is fine if memory allocation never fails. However it does not
handle allocation failure well. This can either lead to memory leak, or
unallocated buffers being used.
v2: Add a missing if statement, as noticed by Dan Carpenter
Nam Cao (4):
Revert "staging: r8712u: Tracking kmemleak false positives."
staging: rtl8712: check for alloc fail in _r8712_init_recv_priv()
staging: rtl8712: check for return value of _r8712_init_xmit_priv()
staging: rtl8712: fix potential memory leak
drivers/staging/rtl8712/os_intfs.c | 27 +++++++++++++++++++++-----
drivers/staging/rtl8712/recv_osdep.h | 8 ++++----
drivers/staging/rtl8712/rtl8712_recv.c | 7 ++++---
drivers/staging/rtl8712/rtl871x_recv.c | 16 ++++++++-------
4 files changed, 39 insertions(+), 19 deletions(-)
--
2.25.1
In r8712_init_drv_sw(), whenever any function call returns error, it is
returned immediately without properly cleaning up the other successfully
executed functions. This can cause memory leak.
Instead of return immediately, free all the allocated buffers first.
Signed-off-by: Nam Cao <[email protected]>
---
drivers/staging/rtl8712/os_intfs.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 205b7d66a40a..a2f3645be0cc 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -304,29 +304,42 @@ int r8712_init_drv_sw(struct _adapter *padapter)
padapter->cmdpriv.padapter = padapter;
ret = r8712_init_evt_priv(&padapter->evtpriv);
if (ret)
- return ret;
+ goto free_cmd;
ret = r8712_init_mlme_priv(padapter);
if (ret)
- return ret;
+ goto free_evt;
ret = _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
if (ret)
- return ret;
+ goto free_mlme;
ret = _r8712_init_recv_priv(&padapter->recvpriv, padapter);
if (ret)
- return ret;
+ goto free_xmit;
memset((unsigned char *)&padapter->securitypriv, 0,
sizeof(struct security_priv));
timer_setup(&padapter->securitypriv.tkip_timer,
r8712_use_tkipkey_handler, 0);
ret = _r8712_init_sta_priv(&padapter->stapriv);
if (ret)
- return ret;
+ goto free_recv;
padapter->stapriv.padapter = padapter;
r8712_init_bcmc_stainfo(padapter);
r8712_init_pwrctrl_priv(padapter);
mp871xinit(padapter);
init_default_value(padapter);
r8712_InitSwLeds(padapter);
+
+ return 0;
+
+free_recv:
+ _r8712_free_recv_priv(&padapter->recvpriv);
+free_xmit:
+ _free_xmit_priv(&padapter->xmitpriv);
+free_mlme:
+ r8712_free_mlme_priv(&padapter->mlmepriv);
+free_evt:
+ r8712_free_evt_priv(&padapter->evtpriv);
+free_cmd:
+ r8712_free_cmd_priv(&padapter->cmdpriv);
return ret;
}
--
2.25.1
The return value of _r8712_init_xmit_priv() is never checked and the driver
always continue execution as if all is well. This will cause problems
if, for example, buffers cannot be allocated and the driver continue and
use those buffers.
Check for return value of _r8712_init_xmit_priv() and return error (if any)
during probing.
Signed-off-by: Nam Cao <[email protected]>
---
drivers/staging/rtl8712/os_intfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 12adb470d216..205b7d66a40a 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -308,7 +308,9 @@ int r8712_init_drv_sw(struct _adapter *padapter)
ret = r8712_init_mlme_priv(padapter);
if (ret)
return ret;
- _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
+ ret = _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
+ if (ret)
+ return ret;
ret = _r8712_init_recv_priv(&padapter->recvpriv, padapter);
if (ret)
return ret;
--
2.25.1
This reverts commit 5d3da4a20a271e3cf5496a50cbb8118aa019374f.
This commit annotated false positive for kmemleak. The reasoning is that
the buffers are freed when the driver is unloaded. However, there is
actually potential memory leak when probe fails.
Signed-off-by: Nam Cao <[email protected]>
---
drivers/staging/rtl8712/rtl871x_recv.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index de9a568eaffa..4db7eed64a03 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -17,9 +17,7 @@
#define _RTL871X_RECV_C_
#include <linux/ip.h>
-#include <linux/slab.h>
#include <linux/if_ether.h>
-#include <linux/kmemleak.h>
#include <linux/etherdevice.h>
#include <linux/ieee80211.h>
#include <net/cfg80211.h>
@@ -61,7 +59,6 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
GFP_ATOMIC);
if (!precvpriv->pallocated_frame_buf)
return;
- kmemleak_not_leak(precvpriv->pallocated_frame_buf);
precvpriv->precv_frame_buf = precvpriv->pallocated_frame_buf +
RXFRAME_ALIGN_SZ -
((addr_t)(precvpriv->pallocated_frame_buf) &
--
2.25.1
The function _r8712_init_recv_priv() and also r8712_init_recv_priv()
just returns silently if they fail to allocate memory. Change their
return type to int and add necessary checks and handling if they return
-ENOMEM
Signed-off-by: Nam Cao <[email protected]>
---
drivers/staging/rtl8712/os_intfs.c | 4 +++-
drivers/staging/rtl8712/recv_osdep.h | 8 ++++----
drivers/staging/rtl8712/rtl8712_recv.c | 7 ++++---
drivers/staging/rtl8712/rtl871x_recv.c | 13 +++++++++----
4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 003e97205124..12adb470d216 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -309,7 +309,9 @@ int r8712_init_drv_sw(struct _adapter *padapter)
if (ret)
return ret;
_r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
- _r8712_init_recv_priv(&padapter->recvpriv, padapter);
+ ret = _r8712_init_recv_priv(&padapter->recvpriv, padapter);
+ if (ret)
+ return ret;
memset((unsigned char *)&padapter->securitypriv, 0,
sizeof(struct security_priv));
timer_setup(&padapter->securitypriv.tkip_timer,
diff --git a/drivers/staging/rtl8712/recv_osdep.h b/drivers/staging/rtl8712/recv_osdep.h
index d8c1fa74f544..fbe3f2868506 100644
--- a/drivers/staging/rtl8712/recv_osdep.h
+++ b/drivers/staging/rtl8712/recv_osdep.h
@@ -18,15 +18,15 @@
#include "drv_types.h"
#include <linux/skbuff.h>
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
- struct _adapter *padapter);
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
+ struct _adapter *padapter);
void _r8712_free_recv_priv(struct recv_priv *precvpriv);
void r8712_recv_entry(union recv_frame *precv_frame);
void r8712_recv_indicatepkt(struct _adapter *adapter,
union recv_frame *precv_frame);
void r8712_handle_tkip_mic_err(struct _adapter *padapter, u8 bgroup);
-void r8712_init_recv_priv(struct recv_priv *precvpriv,
- struct _adapter *padapter);
+int r8712_init_recv_priv(struct recv_priv *precvpriv,
+ struct _adapter *padapter);
void r8712_free_recv_priv(struct recv_priv *precvpriv);
void r8712_os_recv_resource_alloc(struct _adapter *padapter,
union recv_frame *precvframe);
diff --git a/drivers/staging/rtl8712/rtl8712_recv.c b/drivers/staging/rtl8712/rtl8712_recv.c
index 7f1fdd058551..7da014ab0723 100644
--- a/drivers/staging/rtl8712/rtl8712_recv.c
+++ b/drivers/staging/rtl8712/rtl8712_recv.c
@@ -30,8 +30,8 @@
static void recv_tasklet(struct tasklet_struct *t);
-void r8712_init_recv_priv(struct recv_priv *precvpriv,
- struct _adapter *padapter)
+int r8712_init_recv_priv(struct recv_priv *precvpriv,
+ struct _adapter *padapter)
{
int i;
struct recv_buf *precvbuf;
@@ -44,7 +44,7 @@ void r8712_init_recv_priv(struct recv_priv *precvpriv,
precvpriv->pallocated_recv_buf =
kzalloc(NR_RECVBUFF * sizeof(struct recv_buf) + 4, GFP_ATOMIC);
if (!precvpriv->pallocated_recv_buf)
- return;
+ return -ENOMEM;
precvpriv->precv_buf = precvpriv->pallocated_recv_buf + 4 -
((addr_t)(precvpriv->pallocated_recv_buf) & 3);
precvbuf = (struct recv_buf *)precvpriv->precv_buf;
@@ -75,6 +75,7 @@ void r8712_init_recv_priv(struct recv_priv *precvpriv,
}
pskb = NULL;
}
+ return 0;
}
void r8712_free_recv_priv(struct recv_priv *precvpriv)
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index 4db7eed64a03..8a3566214af7 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -42,9 +42,10 @@ void _r8712_init_sta_recv_priv(struct sta_recv_priv *psta_recvpriv)
_init_queue(&psta_recvpriv->defrag_q);
}
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
- struct _adapter *padapter)
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
+ struct _adapter *padapter)
{
+ int ret;
sint i;
union recv_frame *precvframe;
@@ -58,7 +59,7 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
sizeof(union recv_frame) + RXFRAME_ALIGN_SZ,
GFP_ATOMIC);
if (!precvpriv->pallocated_frame_buf)
- return;
+ return -ENOMEM;
precvpriv->precv_frame_buf = precvpriv->pallocated_frame_buf +
RXFRAME_ALIGN_SZ -
((addr_t)(precvpriv->pallocated_frame_buf) &
@@ -73,7 +74,11 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
precvframe++;
}
precvpriv->rx_pending_cnt = 1;
- r8712_init_recv_priv(precvpriv, padapter);
+ ret = r8712_init_recv_priv(precvpriv, padapter);
+ if (ret)
+ kfree(precvpriv->pallocated_frame_buf);
+
+ return ret;
}
void _r8712_free_recv_priv(struct recv_priv *precvpriv)
--
2.25.1
On 10/25/22 11:12, Nam Cao wrote:
> This driver is fine if memory allocation never fails. However it does not
> handle allocation failure well. This can either lead to memory leak, or
> unallocated buffers being used.
>
> v2: Add a missing if statement, as noticed by Dan Carpenter
>
> Nam Cao (4):
> Revert "staging: r8712u: Tracking kmemleak false positives."
> staging: rtl8712: check for alloc fail in _r8712_init_recv_priv()
> staging: rtl8712: check for return value of _r8712_init_xmit_priv()
> staging: rtl8712: fix potential memory leak
>
> drivers/staging/rtl8712/os_intfs.c | 27 +++++++++++++++++++++-----
> drivers/staging/rtl8712/recv_osdep.h | 8 ++++----
> drivers/staging/rtl8712/rtl8712_recv.c | 7 ++++---
> drivers/staging/rtl8712/rtl871x_recv.c | 16 ++++++++-------
> 4 files changed, 39 insertions(+), 19 deletions(-)
>
Tested-by: Philipp Hortmann <[email protected]>