From: Xiaoke Wang <[email protected]>
This is a collection about some memory-related bugs fixing.
In brief, there are two types about them.
First is some memory allocation functions are called without proper
checking, which may result in wrong memory access in the subsequent
running or some else.
Second is lacking proper error handling that does not release some
allocated resources, which may result in memory leak problems.
These issuses are similar, so they are put in this series together.
Note that most of them are sent as each separate patch before, this series
rebased them to the lasted version. While there are some inherent logical
relationships between 03~05/11~12.
Xiaoke Wang (12):
staging: rtl8712: fix potential memory leak in
r8712_xmit_resource_alloc()
staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv()
staging: rtl8712: fix potential memory leak in r8712_init_drv_sw()
staging: rtl8712: change the type of _r8712_init_recv_priv()
staging: rtl8712: add two validation check in r8712_init_drv_sw()
staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv()
staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv()
staging: r8188eu: fix potential memory leak in
rtw_os_xmit_resource_alloc()
staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv()
staging: r8188eu: check the return of kzalloc()
drivers/staging/r8188eu/core/rtw_cmd.c | 16 +++---
drivers/staging/r8188eu/core/rtw_xmit.c | 42 +++++++++++----
drivers/staging/r8188eu/include/rtw_xmit.h | 2 +-
drivers/staging/r8188eu/os_dep/xmit_linux.c | 4 +-
drivers/staging/rtl8712/os_intfs.c | 26 +++++++--
drivers/staging/rtl8712/recv_osdep.h | 2 +-
drivers/staging/rtl8712/rtl871x_recv.c | 6 +--
drivers/staging/rtl8712/rtl871x_xmit.c | 27 +++++++---
drivers/staging/rtl8712/xmit_linux.c | 3 +-
drivers/staging/rtl8723bs/core/rtw_cmd.c | 17 +++---
drivers/staging/rtl8723bs/core/rtw_xmit.c | 50 ++++++++++++-----
drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 +++++++++++----------
12 files changed, 163 insertions(+), 92 deletions(-)
--
From: Xiaoke Wang <[email protected]>
In r8712_xmit_resource_alloc(), if usb_alloc_urb() fails, there can be
some explored items are not released before this function returns.
Therefore, this patch re-explores the allocated items and uses
usb_free_urb() to release them.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8712/xmit_linux.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8712/xmit_linux.c b/drivers/staging/rtl8712/xmit_linux.c
index 4a93839..034de02 100644
--- a/drivers/staging/rtl8712/xmit_linux.c
+++ b/drivers/staging/rtl8712/xmit_linux.c
@@ -113,9 +113,10 @@ int r8712_xmit_resource_alloc(struct _adapter *padapter,
pxmitbuf->pxmit_urb[i] = usb_alloc_urb(0, GFP_KERNEL);
if (!pxmitbuf->pxmit_urb[i]) {
netdev_err(padapter->pnetdev, "pxmitbuf->pxmit_urb[i] == NULL\n");
+ while (i-- > 0)
+ usb_free_urb(pxmitbuf->pxmit_urb[i]);
return -ENOMEM;
}
- kmemleak_not_leak(pxmitbuf->pxmit_urb[i]);
}
return 0;
}
--
From: Xiaoke Wang <[email protected]>
kzalloc() is a memory allocation function which can return NULL when
some internal memory errors happen. So it is better to handle the return
of it to prevent potential wrong memory access.
Besides, to propagate the error to the caller, the type of
rtw_alloc_hwxmits() is changed to `int` and another check is added to
its caller.
Then if kzalloc() fails, the caller will properly jump to the
corresponding error hanlding code.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/r8188eu/core/rtw_xmit.c | 10 ++++++++--
drivers/staging/r8188eu/include/rtw_xmit.h | 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
index 4c54647..7d1fa52 100644
--- a/drivers/staging/r8188eu/core/rtw_xmit.c
+++ b/drivers/staging/r8188eu/core/rtw_xmit.c
@@ -176,7 +176,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
- rtw_alloc_hwxmits(padapter);
+ res = rtw_alloc_hwxmits(padapter);
+ if (res == _FAIL)
+ goto free_xmit_extbuf;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
for (i = 0; i < 4; i++)
@@ -1487,7 +1489,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
return res;
}
-void rtw_alloc_hwxmits(struct adapter *padapter)
+int rtw_alloc_hwxmits(struct adapter *padapter)
{
struct hw_xmit *hwxmits;
struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -1495,6 +1497,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
pxmitpriv->hwxmit_entry = HWXMIT_ENTRY;
pxmitpriv->hwxmits = kzalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry, GFP_KERNEL);
+ if (!pxmitpriv->hwxmits)
+ return _FAIL;
hwxmits = pxmitpriv->hwxmits;
@@ -1511,6 +1515,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
} else {
}
+
+ return _SUCCESS;
}
void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/r8188eu/include/rtw_xmit.h b/drivers/staging/r8188eu/include/rtw_xmit.h
index 54c2bdf..034a9f8 100644
--- a/drivers/staging/r8188eu/include/rtw_xmit.h
+++ b/drivers/staging/r8188eu/include/rtw_xmit.h
@@ -341,7 +341,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
-void rtw_alloc_hwxmits(struct adapter *padapter);
+int rtw_alloc_hwxmits(struct adapter *padapter);
void rtw_free_hwxmits(struct adapter *padapter);
s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
--
From: Xiaoke Wang <[email protected]>
In rtw_os_xmit_resource_alloc(), if usb_alloc_urb() fails, then the
memory `pxmitbuf_pallocated_buf` which is allocated by kzalloc() is
not properly released before returning.
So this patch add kfree() on the above error path to release it.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/r8188eu/os_dep/xmit_linux.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/r8188eu/os_dep/xmit_linux.c b/drivers/staging/r8188eu/os_dep/xmit_linux.c
index e430c64..0c448e0 100644
--- a/drivers/staging/r8188eu/os_dep/xmit_linux.c
+++ b/drivers/staging/r8188eu/os_dep/xmit_linux.c
@@ -75,8 +75,10 @@ int rtw_os_xmit_resource_alloc(struct adapter *padapter, struct xmit_buf *pxmitb
pxmitbuf->dma_transfer_addr = 0;
pxmitbuf->pxmit_urb = usb_alloc_urb(0, GFP_KERNEL);
- if (!pxmitbuf->pxmit_urb)
+ if (!pxmitbuf->pxmit_urb) {
+ kfree(pxmitbuf->pallocated_buf);
return _FAIL;
+ }
return _SUCCESS;
}
--
On Tue, 2022-05-03 at 15:02 +0800, [email protected] wrote:
> From: Xiaoke Wang <[email protected]>
>
> kzalloc() is a memory allocation function which can return NULL when
> some internal memory errors happen. So it is better to handle the return
> of it to prevent potential wrong memory access.
>
> Besides, to propagate the error to the caller, the type of
> rtw_alloc_hwxmits() is changed to `int` and another check is added to
> its caller.
> Then if kzalloc() fails, the caller will properly jump to the
> corresponding error hanlding code.
It'd be better to use the typical error returns
> diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
[]
> @@ -176,7 +176,9 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
> ?
> ? pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
> ?
> - rtw_alloc_hwxmits(padapter);
> + res = rtw_alloc_hwxmits(padapter);
> + if (res == _FAIL)
> + goto free_xmit_extbuf;
if (res)
goto free_xmit_extbuf;
[]
> -void rtw_alloc_hwxmits(struct adapter *padapter)
> +int rtw_alloc_hwxmits(struct adapter *padapter)
> ?{
> ? struct hw_xmit *hwxmits;
> ? struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
> @@ -1495,6 +1497,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
> ? pxmitpriv->hwxmit_entry = HWXMIT_ENTRY;
> ?
> ? pxmitpriv->hwxmits = kzalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry, GFP_KERNEL);
> + if (!pxmitpriv->hwxmits)
return -ENOMEM;
From: Xiaoke Wang <[email protected]>
In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
released. Besides, considering there are only two error paths and the
first one can directly return, so we do not need implicitly jump to the
`exit` tag to execute the error handler.
So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
rtw_init_cmd_priv().
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8723bs/core/rtw_cmd.c | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
index b4170f6..0a35142 100644
--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
+++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
@@ -161,8 +161,6 @@ static struct cmd_hdl wlancmds[] = {
int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
{
- int res = 0;
-
init_completion(&pcmdpriv->cmd_queue_comp);
init_completion(&pcmdpriv->terminate_cmdthread_comp);
@@ -175,18 +173,17 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ);
- if (!pcmdpriv->cmd_allocated_buf) {
- res = -ENOMEM;
- goto exit;
- }
+ if (!pcmdpriv->cmd_allocated_buf)
+ return -ENOMEM;
pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1));
pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4);
if (!pcmdpriv->rsp_allocated_buf) {
- res = -ENOMEM;
- goto exit;
+ kfree(pcmdpriv->cmd_allocated_buf);
+ pcmdpriv->cmd_allocated_buf = NULL;
+ return -ENOMEM;
}
pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
@@ -196,8 +193,8 @@ int rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
pcmdpriv->rsp_cnt = 0;
mutex_init(&pcmdpriv->sctx_mutex);
-exit:
- return res;
+
+ return 0;
}
static void c2h_wk_callback(struct work_struct *work);
--
From: Xiaoke Wang <[email protected]>
_r8712_init_xmit_priv() or _r8712_init_recv_priv() returns -ENOMEM
when some allocations inside it failed.
However, the caller, i.e., r8712_init_drv_sw(), does not properly
validate their return status, which may lead to potential wrong memory
access in the future.
Therefore, this patch adds two validation check for their return status
and properly jump to the corresponding error hanlding code if failures
happen.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8712/os_intfs.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 43a7953..3d79d24 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -308,8 +308,12 @@ int r8712_init_drv_sw(struct _adapter *padapter)
ret = r8712_init_mlme_priv(padapter);
if (ret)
goto free_evt_priv;
- _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
- _r8712_init_recv_priv(&padapter->recvpriv, padapter);
+ ret = _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
+ if (ret)
+ goto free_mlme_priv;
+ ret = _r8712_init_recv_priv(&padapter->recvpriv, padapter);
+ if (ret)
+ goto free_xmit_priv;
memset((unsigned char *)&padapter->securitypriv, 0,
sizeof(struct security_priv));
timer_setup(&padapter->securitypriv.tkip_timer,
--
From: Xiaoke Wang <[email protected]>
In r8712_init_drv_sw(), there are various error paths do not properly
release the previous allocated resources but directly return the error
status, which leads to various memory leaks.
To properly release the resources, this patch unifies the error handler
of r8712_init_drv_sw().
According to the allocation sequence, if the init function returns
failure, it will jump to the corresponding error tag.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8712/os_intfs.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 003e972..43a7953 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -304,10 +304,10 @@ int r8712_init_drv_sw(struct _adapter *padapter)
padapter->cmdpriv.padapter = padapter;
ret = r8712_init_evt_priv(&padapter->evtpriv);
if (ret)
- return ret;
+ goto free_cmd_priv;
ret = r8712_init_mlme_priv(padapter);
if (ret)
- return ret;
+ goto free_evt_priv;
_r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
_r8712_init_recv_priv(&padapter->recvpriv, padapter);
memset((unsigned char *)&padapter->securitypriv, 0,
@@ -316,13 +316,25 @@ int r8712_init_drv_sw(struct _adapter *padapter)
r8712_use_tkipkey_handler, 0);
ret = _r8712_init_sta_priv(&padapter->stapriv);
if (ret)
- return ret;
+ goto free_recv_priv;
padapter->stapriv.padapter = padapter;
r8712_init_bcmc_stainfo(padapter);
r8712_init_pwrctrl_priv(padapter);
mp871xinit(padapter);
init_default_value(padapter);
r8712_InitSwLeds(padapter);
+ return 0;
+
+free_recv_priv:
+ _r8712_free_recv_priv(&padapter->recvpriv);
+free_xmit_priv:
+ _free_xmit_priv(&padapter->xmitpriv);
+free_mlme_priv:
+ r8712_free_mlme_priv(&padapter->mlmepriv);
+free_evt_priv:
+ r8712_free_evt_priv(&padapter->evtpriv);
+free_cmd_priv:
+ r8712_free_cmd_priv(&padapter->cmdpriv);
return ret;
}
--
From: Xiaoke Wang <[email protected]>
There is a memory allocation in _r8712_init_recv_priv().
However, since the original type of this function is `void`, its error
status can not be feedbacked to its caller.
Therefore, to make the error of allocation failures propagate to its
caller easily, this patch changes the type of this function to `int`.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8712/recv_osdep.h | 2 +-
drivers/staging/rtl8712/rtl871x_recv.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rtl8712/recv_osdep.h b/drivers/staging/rtl8712/recv_osdep.h
index d8c1fa7..f5b97c5 100644
--- a/drivers/staging/rtl8712/recv_osdep.h
+++ b/drivers/staging/rtl8712/recv_osdep.h
@@ -18,7 +18,7 @@
#include "drv_types.h"
#include <linux/skbuff.h>
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
struct _adapter *padapter);
void _r8712_free_recv_priv(struct recv_priv *precvpriv);
void r8712_recv_entry(union recv_frame *precv_frame);
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index de9a568..e814c07 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -44,7 +44,7 @@ void _r8712_init_sta_recv_priv(struct sta_recv_priv *psta_recvpriv)
_init_queue(&psta_recvpriv->defrag_q);
}
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
struct _adapter *padapter)
{
sint i;
@@ -60,8 +60,7 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
sizeof(union recv_frame) + RXFRAME_ALIGN_SZ,
GFP_ATOMIC);
if (!precvpriv->pallocated_frame_buf)
- return;
- kmemleak_not_leak(precvpriv->pallocated_frame_buf);
+ return -ENOMEM;
precvpriv->precv_frame_buf = precvpriv->pallocated_frame_buf +
RXFRAME_ALIGN_SZ -
((addr_t)(precvpriv->pallocated_frame_buf) &
@@ -77,6 +76,7 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
}
precvpriv->rx_pending_cnt = 1;
r8712_init_recv_priv(precvpriv, padapter);
+ return 0;
}
void _r8712_free_recv_priv(struct recv_priv *precvpriv)
--
From: Xiaoke Wang <[email protected]>
In _rtw_init_xmit_priv(), there are several error paths for allocation
failures just jump to the `exit` section. However, there is no action
will be performed, so the allocated resources are not properly released,
which leads to various memory leaks.
To properly release them, this patch unifies the error handling code and
several error handling paths are added.
According to the allocation sequence, if the validation fails, it will
jump to its corresponding error tag to release the resources.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/r8188eu/core/rtw_xmit.c | 32 ++++++++++++++++++-------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
index d086812..4c54647 100644
--- a/drivers/staging/r8188eu/core/rtw_xmit.c
+++ b/drivers/staging/r8188eu/core/rtw_xmit.c
@@ -112,7 +112,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
if (!pxmitpriv->pallocated_xmitbuf) {
res = _FAIL;
- goto exit;
+ goto free_frame_buf;
}
pxmitpriv->pxmitbuf = (u8 *)N_BYTE_ALIGMENT((size_t)(pxmitpriv->pallocated_xmitbuf), 4);
@@ -134,7 +134,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
msleep(10);
res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ));
if (res == _FAIL)
- goto exit;
+ goto free_xmitbuf;
}
pxmitbuf->flags = XMIT_VO_QUEUE;
@@ -152,7 +152,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
if (!pxmitpriv->pallocated_xmit_extbuf) {
res = _FAIL;
- goto exit;
+ goto free_xmitbuf;
}
pxmitpriv->pxmit_extbuf = (u8 *)N_BYTE_ALIGMENT((size_t)(pxmitpriv->pallocated_xmit_extbuf), 4);
@@ -167,10 +167,8 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
pxmitbuf->ext_tag = true;
res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, max_xmit_extbuf_size + XMITBUF_ALIGN_SZ);
- if (res == _FAIL) {
- res = _FAIL;
- goto exit;
- }
+ if (res == _FAIL)
+ goto free_xmit_extbuf;
list_add_tail(&pxmitbuf->list, &pxmitpriv->free_xmit_extbuf_queue.queue);
pxmitbuf++;
@@ -200,8 +198,26 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
rtl8188eu_init_xmit_priv(padapter);
-exit:
+ return _SUCCESS;
+free_xmit_extbuf:
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmit_extbuf;
+ while (i-- > 0) {
+ rtw_os_xmit_resource_free(padapter, pxmitbuf, (max_xmit_extbuf_size + XMITBUF_ALIGN_SZ));
+ pxmitbuf++;
+ }
+ vfree(pxmitpriv->pallocated_xmit_extbuf);
+ i = NR_XMITBUFF;
+free_xmitbuf:
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+ while (i-- > 0) {
+ rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ));
+ pxmitbuf++;
+ }
+ vfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+ vfree(pxmitpriv->pallocated_frame_buf);
+exit:
return res;
}
--
From: Xiaoke Wang <[email protected]>
In _rtw_init_xmit_priv(), there are seven error paths for allocation
failures without releasing the resources but directly goto `exit`, while
the exit section only executes `return res;`, which leads to various
memory leaks.
To properly release them, this patch unifies the error handlers of
_rtw_init_xmit_priv() and several error handling paths are added.
According to the allocation sequence, each error will jump to its
corresponding error handling tag.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8723bs/core/rtw_xmit.c | 50 +++++++++++++++++------
1 file changed, 37 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index a225126..2d10fa9 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -112,7 +112,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
if (!pxmitpriv->pallocated_xmitbuf) {
res = _FAIL;
- goto exit;
+ goto free_frame_buf;
}
pxmitpriv->pxmitbuf = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->pallocated_xmitbuf), 4);
@@ -132,7 +132,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
msleep(10);
res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ), true);
if (res == _FAIL)
- goto exit;
+ goto free_xmitbuf;
}
pxmitbuf->phead = pxmitbuf->pbuf;
@@ -162,7 +162,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
if (!pxmitpriv->xframe_ext_alloc_addr) {
pxmitpriv->xframe_ext = NULL;
res = _FAIL;
- goto exit;
+ goto free_xmitbuf;
}
pxmitpriv->xframe_ext = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->xframe_ext_alloc_addr), 4);
pxframe = (struct xmit_frame *)pxmitpriv->xframe_ext;
@@ -195,7 +195,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
if (!pxmitpriv->pallocated_xmit_extbuf) {
res = _FAIL;
- goto exit;
+ goto free_xframe_ext;
}
pxmitpriv->pxmit_extbuf = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->pallocated_xmit_extbuf), 4);
@@ -210,10 +210,8 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
pxmitbuf->buf_tag = XMITBUF_MGNT;
res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, MAX_XMIT_EXTBUF_SZ + XMITBUF_ALIGN_SZ, true);
- if (res == _FAIL) {
- res = _FAIL;
- goto exit;
- }
+ if (res == _FAIL)
+ goto free_xmit_extbuf;
pxmitbuf->phead = pxmitbuf->pbuf;
pxmitbuf->pend = pxmitbuf->pbuf + MAX_XMIT_EXTBUF_SZ;
@@ -240,10 +238,8 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
pxmitbuf->buf_tag = XMITBUF_CMD;
res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, MAX_CMDBUF_SZ+XMITBUF_ALIGN_SZ, true);
- if (res == _FAIL) {
- res = _FAIL;
- goto exit;
- }
+ if (res == _FAIL)
+ goto free_cmd_xmitbuf;
pxmitbuf->phead = pxmitbuf->pbuf;
pxmitbuf->pend = pxmitbuf->pbuf + MAX_CMDBUF_SZ;
@@ -255,7 +251,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
res = rtw_alloc_hwxmits(padapter);
if (res == _FAIL)
- goto exit;
+ goto free_cmd_xmitbuf;
rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
for (i = 0; i < 4; i++)
@@ -267,6 +263,34 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
rtw_hal_init_xmit_priv(padapter);
+ return res;
+
+free_cmd_xmitbuf:
+ while (i-- > 0) {
+ pxmitbuf = &pxmitpriv->pcmd_xmitbuf[i];
+ if (pxmitbuf)
+ rtw_os_xmit_resource_free(padapter, pxmitbuf, MAX_CMDBUF_SZ + XMITBUF_ALIGN_SZ, true);
+ }
+ i = NR_XMIT_EXTBUFF;
+free_xmit_extbuf:
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmit_extbuf;
+ while (i-- > 0) {
+ rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMIT_EXTBUF_SZ + XMITBUF_ALIGN_SZ), true);
+ pxmitbuf++;
+ }
+ vfree(pxmitpriv->pallocated_xmit_extbuf);
+free_xframe_ext:
+ vfree(pxmitpriv->xframe_ext_alloc_addr);
+ i = NR_XMITBUFF;
+free_xmitbuf:
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+ while (i-- > 0) {
+ rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ), true);
+ pxmitbuf++;
+ }
+ vfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+ vfree(pxmitpriv->pallocated_frame_buf);
exit:
return res;
}
--
From: Xiaoke Wang <[email protected]>
In _rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will not be properly
released. Besides, considering there are only two error paths and the
first one can directly return, we do not need to implicitly jump to the
`exit` tag to execute the error handling code.
So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
_rtw_init_cmd_priv().
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/r8188eu/core/rtw_cmd.c | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/r8188eu/core/rtw_cmd.c b/drivers/staging/r8188eu/core/rtw_cmd.c
index 06523d9..37b68a9 100644
--- a/drivers/staging/r8188eu/core/rtw_cmd.c
+++ b/drivers/staging/r8188eu/core/rtw_cmd.c
@@ -58,8 +58,6 @@ static int _rtw_enqueue_cmd(struct __queue *queue, struct cmd_obj *obj)
u32 rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
{
- u32 res = _SUCCESS;
-
init_completion(&pcmdpriv->enqueue_cmd);
/* sema_init(&(pcmdpriv->cmd_done_sema), 0); */
init_completion(&pcmdpriv->start_cmd_thread);
@@ -74,27 +72,25 @@ u32 rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
pcmdpriv->cmd_allocated_buf = kzalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ,
GFP_KERNEL);
- if (!pcmdpriv->cmd_allocated_buf) {
- res = _FAIL;
- goto exit;
- }
+ if (!pcmdpriv->cmd_allocated_buf)
+ return _FAIL;
pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf + CMDBUFF_ALIGN_SZ - ((size_t)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ - 1));
pcmdpriv->rsp_allocated_buf = kzalloc(MAX_RSPSZ + 4, GFP_KERNEL);
if (!pcmdpriv->rsp_allocated_buf) {
- res = _FAIL;
- goto exit;
+ kfree(pcmdpriv->cmd_allocated_buf);
+ pcmdpriv->cmd_allocated_buf = NULL;
+ return _FAIL;
}
pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf + 4 - ((size_t)(pcmdpriv->rsp_allocated_buf) & 3);
pcmdpriv->cmd_done_cnt = 0;
pcmdpriv->rsp_cnt = 0;
-exit:
- return res;
+ return _SUCCESS;
}
u32 rtw_init_evt_priv(struct evt_priv *pevtpriv)
--
From: Xiaoke Wang <[email protected]>
In _r8712_init_xmit_priv(), if `pxmitbuf->pallocated_buf` is allocated in
failure or `r8712_xmit_resource_alloc(padapter, pxmitbuf)` fails, then it
just returns -ENOMEM but not releases the previous allocated resources,
which leads to various memory leaks.
To fix the memory leaks, this patch unifies the error handler in
_r8712_init_xmit_priv().
Note that if `r8712_xmit_resource_alloc(padapter, pxmitbuf)` fails, we
should call `kfree(pxmitbuf->pallocated_buf);` before goto the error
section so that we do not need to concern the failed item.
Signed-off-by: Xiaoke Wang <[email protected]>
---
drivers/staging/rtl8712/rtl871x_xmit.c | 27 ++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/rtl8712/rtl871x_xmit.c b/drivers/staging/rtl8712/rtl871x_xmit.c
index 090345b..dcf3f76 100644
--- a/drivers/staging/rtl8712/rtl871x_xmit.c
+++ b/drivers/staging/rtl8712/rtl871x_xmit.c
@@ -117,11 +117,8 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
_init_queue(&pxmitpriv->pending_xmitbuf_queue);
pxmitpriv->pallocated_xmitbuf =
kmalloc(NR_XMITBUFF * sizeof(struct xmit_buf) + 4, GFP_ATOMIC);
- if (!pxmitpriv->pallocated_xmitbuf) {
- kfree(pxmitpriv->pallocated_frame_buf);
- pxmitpriv->pallocated_frame_buf = NULL;
- return -ENOMEM;
- }
+ if (!pxmitpriv->pallocated_xmitbuf)
+ goto free_frame_buf;
pxmitpriv->pxmitbuf = pxmitpriv->pallocated_xmitbuf + 4 -
((addr_t)(pxmitpriv->pallocated_xmitbuf) & 3);
pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
@@ -130,12 +127,14 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
pxmitbuf->pallocated_buf =
kmalloc(MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ, GFP_ATOMIC);
if (!pxmitbuf->pallocated_buf)
- return -ENOMEM;
+ goto free_xmitbuf;
pxmitbuf->pbuf = pxmitbuf->pallocated_buf + XMITBUF_ALIGN_SZ -
((addr_t) (pxmitbuf->pallocated_buf) &
(XMITBUF_ALIGN_SZ - 1));
- if (r8712_xmit_resource_alloc(padapter, pxmitbuf))
- return -ENOMEM;
+ if (r8712_xmit_resource_alloc(padapter, pxmitbuf)) {
+ kfree(pxmitbuf->pallocated_buf);
+ goto free_xmitbuf;
+ }
list_add_tail(&pxmitbuf->list,
&(pxmitpriv->free_xmitbuf_queue.queue));
pxmitbuf++;
@@ -146,6 +145,18 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
tasklet_setup(&pxmitpriv->xmit_tasklet, r8712_xmit_bh);
return 0;
+
+free_xmitbuf:
+ pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+ while (i-- > 0) {
+ r8712_xmit_resource_free(padapter, pxmitbuf);
+ kfree(pxmitbuf->pallocated_buf);
+ pxmitbuf++;
+ }
+ kfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+ kfree(pxmitpriv->pallocated_frame_buf);
+ return -ENOMEM;
}
void _free_xmit_priv(struct xmit_priv *pxmitpriv)
--
On Tuesday, May 3, 2022 3:09 PM +0800, [email protected] wrote:
> It'd be better to use the typical error returns
Hi Joe,
Thank you for your suggestion. The typical error returns will make these
codes unified with the code in other places.
But now we can not directly do that in this patch, otherwise, the original
functionality will be affected:
Apart from the returns of the error paths in _rtw_init_xmit_priv itself,
the functions on its call chain such as rtw_init_drv_sw() in
staging/r8188eu/os_dep/os_intfs.c are also sensitive to _SUCCESS or _FAIL.
If we want to unify all of them, there are a lot of changes need to do
which I think is at least beyond the purpose of this patch.
So I just keeps the form of error returns consistent with the original
logic.
Regards,
Xiaoke Wang
On Tue, May 03, 2022 at 02:56:47PM +0800, [email protected] wrote:
> From: Xiaoke Wang <[email protected]>
>
> This is a collection about some memory-related bugs fixing.
> In brief, there are two types about them.
> First is some memory allocation functions are called without proper
> checking, which may result in wrong memory access in the subsequent
> running or some else.
> Second is lacking proper error handling that does not release some
> allocated resources, which may result in memory leak problems.
>
> These issuses are similar, so they are put in this series together.
> Note that most of them are sent as each separate patch before, this series
> rebased them to the lasted version. While there are some inherent logical
> relationships between 03~05/11~12.
Can you please look at Documentation/process/researcher-guidelines.rst
and update the changelog texts of these commits to provide the extra
information that this document requires of changes like this?
thanks,
greg k-h
On Monday, June 6, 2022 2:12 PM +0800, Greg KH <[email protected]> wrote:
> Can you please look at Documentation/process/researcher-guidelines.rst
> and update the changelog texts of these commits to provide the extra
> information that this document requires of changes like this?
Hi Greg,
Ok, I'll see what's missing.
In fact, I originally used my developing tool to find the lacking checks
for kzalloc(patch 12 in this series) and the other bugs are found manually
by myself for the purpose of improving code quality.
Now I am happy to find the bug for checking the return of kzalloc() is
fixed now, however, the patch to fix it didn't even consider potential
memory leaks. So I'm a little confused about why these patches from me are
suspended again and again.
Anyway, when I have time, I will rebase them and send new patches if they
are still there.
Regards,
Xiaoke Wang