Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3764988pxj; Tue, 11 May 2021 11:20:13 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfk2xqB7mOsUHWy44yFrqclsMs0VUqw8IQmCwJoGvA8OLDQl+9zeAkjVoC93V+zXnmcxSC X-Received: by 2002:a17:906:6b96:: with SMTP id l22mr32808292ejr.364.1620757213396; Tue, 11 May 2021 11:20:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620757213; cv=none; d=google.com; s=arc-20160816; b=aBlW3CRYRmsD7gB5lXgS7cSNuogEb5PDXqT5dGcpbUoH+v32NtzM+FKjAZcwxm0++h rbdZopkRBduMCTI1xsVzq6FdwL2B07aDWlF5wR7/yREUjGP+bbmIvn8aMPRqRddd5bFK cLkX3wD6XYrwkyj1ihgWKTtijj+PxqNhBnpKajtpYwgXF/kT06KshyH5R5TBJztjAB+E IxMHZzmAz+4+Fg+xZ3LDR2koMfZt/DNRl3vFQQ7jM/l7BVZIyagLI/zarKRn9/7/tuyb QALUTFypexJ6LXJoS8+6CaG7ox8s0B8TbRepiw5Xqjm60VBF8FxRQFcbtQIIKmNXTvv1 P8+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=/rOpmXv8nW5gBdb0wuhkb7nLo268PpPp0wawKbajzLA=; b=qi4R9qOW3TJ26jxmxhga5v+LPcBm6sdFiZpBg5Q0JlxDt7szQaIcISpb1rbTqCU/PM xfxQRREIT8BC5ItpJwyl1ZvVX8u43qjAuYp7dJKwazS/YnvkYRfIfKZ4bVx0BqeEpuCg ZYU0o0pzsWSG9btavmYyUPJ3EtSLkof0GlXUFSIJoGmhiz9400jYcAx9HoUdgWbdyM+u ETQDyK5kmzmjoyOFfYvqUkm0O2wG8i4IKhttblMf3BGTMJtYcde5cF+jlqa48/xyMkFf BOc6+k0wMsmO+k2yddxyBFbmqKtmM1wgS0sA1BEogK7S2ER8fSHpvZg7ILaW1L91Xc4p pONw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qc21si17378421ejb.190.2021.05.11.11.19.48; Tue, 11 May 2021 11:20:13 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231868AbhEKSTe (ORCPT + 99 others); Tue, 11 May 2021 14:19:34 -0400 Received: from smtp08.smtpout.orange.fr ([80.12.242.130]:32073 "EHLO smtp.smtpout.orange.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231793AbhEKSTe (ORCPT ); Tue, 11 May 2021 14:19:34 -0400 Received: from [192.168.1.18] ([86.243.172.93]) by mwinf5d16 with ME id 3WJP2500n21Fzsu03WJQuW; Tue, 11 May 2021 20:18:25 +0200 X-ME-Helo: [192.168.1.18] X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI= X-ME-Date: Tue, 11 May 2021 20:18:25 +0200 X-ME-IP: 86.243.172.93 Subject: Re: [PATCH 1/2] uio_hv_generic: Fix a memory leak in error handling paths To: Wei Liu Cc: kys@microsoft.com, haiyangz@microsoft.com, sthemmin@microsoft.com, decui@microsoft.com, gregkh@linuxfoundation.org, linux-hyperv@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org References: <4fdaff557deef6f0475d02ba7922ddbaa1ab08a6.1620544055.git.christophe.jaillet@wanadoo.fr> <20210511095227.ggrl3z6otjanwffz@liuwe-devbox-debian-v2> From: Christophe JAILLET Message-ID: Date: Tue, 11 May 2021 20:18:23 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: <20210511095227.ggrl3z6otjanwffz@liuwe-devbox-debian-v2> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 11/05/2021 à 11:52, Wei Liu a écrit : >> Before commit cdfa835c6e5e, the 'vfree' were done unconditionally >> in 'hv_uio_cleanup()'. >> So, another way for fixing the potential leak is to modify >> 'hv_uio_cleanup()' and revert to the previous behavior. >> > > I think this is cleaner. Agreed > > Stephen, you authored cdfa835c6e5e. What do you think? > > Christophe, OOI how did you discover these issues? I use an ugly coccinelle script which tries to spot functions called in the .remove function of a driver, but which is not in the error handling path of the .probe It is way to verbose and gives too much false positive, but I manage to spot a few things with it. Here it is, should it be useful for someone, or if anyone want to improve it. The idea is: - find the probe and remove function - find a function (f1) which is not the first of the remove function (the first is likely the last in the probe that doesn't need to be undone in the probe error handling path) - try to filter with likely false positive pattern - search in the probe if this function is also called - if not, then it is a candidate. CJ --------------------------------- // Find the probe and remove functions @platform@ identifier type, p, probefn, removefn; @@ struct type p = { .probe = probefn, .remove = removefn, }; // In the remove function, find a function that is called @rem depends on platform@ identifier platform.removefn, firstFct, lastFct; identifier f1 !~ "(pr_.*|dev_.*|cancel_work.*|cancel_delayed_work.*|tasklet_kill|list_del|.*unregister.*|.*deregister.*|spin_.*|flush_.*|pm_runtime_.*)"; @@ removefn(...) { ( <+... firstFct(...); f1(...); ...+> | <+... fXXX1(...); lastFct(...); ...+> ) } // Check if this function is also called in the probe error path @prb depends on rem@ identifier platform.probefn, platform.removefn, rem.f1; @@ probefn(...) { ( <+... f1(...); ...+> | <+... removefn(...); ...+> ) } // If not, this function is likely missing from the probe error path @prb3 depends on !prb@ identifier platform.removefn, rem.f1; @@ *removefn(...) { <+... * f1(...); ...+> }