Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750973AbZGWADz (ORCPT ); Wed, 22 Jul 2009 20:03:55 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1750847AbZGWADy (ORCPT ); Wed, 22 Jul 2009 20:03:54 -0400 Received: from smtp1.linux-foundation.org ([140.211.169.13]:55534 "EHLO smtp1.linux-foundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750804AbZGWADy (ORCPT ); Wed, 22 Jul 2009 20:03:54 -0400 Date: Wed, 22 Jul 2009 17:02:26 -0700 From: Andrew Morton To: Jaswinder Singh Rajput Cc: airlied@redhat.com, catalin.marinas@arm.com, airlied@gmail.com, linux-kernel@vger.kernel.org, eric@anholt.net Subject: Re: Memory leak issues in drm Message-Id: <20090722170226.c5becf38.akpm@linux-foundation.org> In-Reply-To: <1247728158.2543.4.camel@ht.satnam> References: <1247720877.2532.4.camel@ht.satnam> <1247728158.2543.4.camel@ht.satnam> X-Mailer: Sylpheed version 2.2.4 (GTK+ 2.8.20; i486-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 5295 Lines: 179 On Thu, 16 Jul 2009 12:39:18 +0530 Jaswinder Singh Rajput wrote: > On Thu, 2009-07-16 at 10:37 +0530, Jaswinder Singh Rajput wrote: > > On linus tree, while investigating kmemleak issues in drm : > > > > unreferenced object 0xf571dea0 (size 32): > > comm "Xorg", pid 1992, jiffies 4294703188 > > backtrace: > > [] create_object+0x140/0x210 > > [] kmemleak_alloc+0x25/0x4b > > [] __kmalloc+0xcb/0x153 > > [] drm_setversion+0x154/0x1f6 > > [] drm_ioctl+0x211/0x296 > > [] vfs_ioctl+0x50/0x69 > > [] do_vfs_ioctl+0x49b/0x4d5 > > [] sys_ioctl+0x2c/0x45 > > [] sysenter_do_call+0x12/0x36 > > [] 0xffffffff > > > > This fixes above memory leak in drm because it was allocating again on > dev->devname without freeing previous instance and more memory related > issues, hope this will be helpful: > > diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c > index 9b9ff46..b39ab86 100644 > --- a/drivers/gpu/drm/drm_ioctl.c > +++ b/drivers/gpu/drm/drm_ioctl.c > @@ -96,25 +96,36 @@ int drm_setunique(struct drm_device *dev, void *data, drm_setunique() is pretty crappy. It has a number of places where it does some resource freeing and then a `return' and other places where it does the usual `goto out_free' thing. I do think that converting this function to the usual single-return-statement model would simplify it and would reduce the chances of additional resource leaks being added in the future. The basic pattern (which is applicable here) is: foo() { if (!simple test) return -EFOO; if (!simple_test_2) return -EBAR; foo = allocate_something(); if (test3) goto fail_foo; bar = allocate_something_else(); if (test4) goto fail_bar; ... return 0; /* success */ fail_bar: deallocate(bar); fail_foo: deallocate(foo); return err; } > master->unique = kmalloc(master->unique_size, GFP_KERNEL); > if (!master->unique) > return -ENOMEM; > - if (copy_from_user(master->unique, u->unique, master->unique_len)) > + if (copy_from_user(master->unique, u->unique, master->unique_len)) { > + kfree(master->unique); > + master->unique_len = 0; > return -EFAULT; > + } > > master->unique[master->unique_len] = '\0'; > > + /* Free previous dev->devname, if exists */ > + if (dev->devname) > + kfree(dev->devname); kfree(NULL) is legal and will simplify and shorten the code here. > dev->devname = kmalloc(strlen(dev->driver->pci_driver.name) + > strlen(master->unique) + 2, GFP_KERNEL); > - if (!dev->devname) > + if (!dev->devname) { > + kfree(master->unique); > + master->unique_len = 0; > return -ENOMEM; > + } > > sprintf(dev->devname, "%s@%s", dev->driver->pci_driver.name, > master->unique); > > - /* Return error if the busid submitted doesn't match the device's actual > + /* > + * Return error if the busid submitted doesn't match the device's actual > * busid. > */ > ret = sscanf(master->unique, "PCI:%d:%d:%d", &bus, &slot, &func); > if (ret != 3) > - return -EINVAL; > + goto error; > + > domain = bus >> 8; > bus &= 0xff; > > @@ -122,9 +133,15 @@ int drm_setunique(struct drm_device *dev, void *data, > (bus != dev->pdev->bus->number) || > (slot != PCI_SLOT(dev->pdev->devfn)) || > (func != PCI_FUNC(dev->pdev->devfn))) > - return -EINVAL; > + goto error; > > return 0; > + > +error: > + kfree(dev->devname); > + kfree(master->unique); > + > + return -EINVAL; > } > > static int drm_set_busid(struct drm_device *dev, struct drm_file *file_priv) > @@ -136,25 +153,35 @@ static int drm_set_busid(struct drm_device *dev, struct drm_file *file_priv) > return -EBUSY; > > master->unique_len = 40; > - master->unique_size = master->unique_len; > + master->unique_size = master->unique_len + 1; > master->unique = kmalloc(master->unique_size, GFP_KERNEL); > if (master->unique == NULL) > return -ENOMEM; > > - len = snprintf(master->unique, master->unique_len, "pci:%04x:%02x:%02x.%d", > + /* > + * Using sprintf as it will return number of characters > + * (not including the trailing '\0') > + */ > + len = sprintf(master->unique, "pci:%04x:%02x:%02x.%d", > drm_get_pci_domain(dev), > dev->pdev->bus->number, > PCI_SLOT(dev->pdev->devfn), > PCI_FUNC(dev->pdev->devfn)); > - if (len >= master->unique_len) > + if (len > master->unique_len) > DRM_ERROR("buffer overflow"); > else > master->unique_len = len; > > + /* Free previous dev->devname, if exists */ > + if (dev->devname) > + kfree(dev->devname); and here. > dev->devname = kmalloc(strlen(dev->driver->pci_driver.name) + > master->unique_len + 2, GFP_KERNEL); > - if (dev->devname == NULL) > + if (dev->devname == NULL) { > + kfree(master->unique); > + master->unique_len = 0; > return -ENOMEM; > + } > > sprintf(dev->devname, "%s@%s", dev->driver->pci_driver.name, > master->unique); > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/