[alsa-devel] [PATCH] tegra_wm9712: Fix a memory leaking bug in tegra_wm9712_driver_probe()
In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
Further, we should free 'machine->util_data', 'machine->codec' and 'machine' before this function normally ends to prevent memory leaking.
Signed-off-by: Gen Zhang blackgod016574@gmail.com --- diff --git a/sound/soc/tegra/tegra_wm9712.c b/sound/soc/tegra/tegra_wm9712.c index 864a334..295c41d 100644 --- a/sound/soc/tegra/tegra_wm9712.c +++ b/sound/soc/tegra/tegra_wm9712.c @@ -86,7 +86,8 @@ static int tegra_wm9712_driver_probe(struct platform_device *pdev) machine->codec = platform_device_alloc("wm9712-codec", -1); if (!machine->codec) { dev_err(&pdev->dev, "Can't allocate wm9712 platform device\n"); - return -ENOMEM; + ret = -ENOMEM; + goto codec_free; }
ret = platform_device_add(machine->codec); @@ -127,6 +128,10 @@ static int tegra_wm9712_driver_probe(struct platform_device *pdev) goto asoc_utils_fini; }
+ tegra_asoc_utils_fini(&machine->util_data); + platform_device_del(machine->codec); + platform_device_put(machine->codec); + devm_kfree(&pdev->dev, machine); return 0;
asoc_utils_fini: @@ -135,6 +140,8 @@ static int tegra_wm9712_driver_probe(struct platform_device *pdev) platform_device_del(machine->codec); codec_put: platform_device_put(machine->codec); +codec_free: + devm_kfree(&pdev->dev, machine); return ret; }
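Review bot: In the '!machine->codec' branch of the first hunk, replacing 'return -ENOMEM;' with 'ret = -ENOMEM; goto codec_free;' is not needed. The commit message itself says 'machine' comes from devm_kzalloc(), and device-managed allocations are released by the driver core when probe returns an error, so nothing leaks on this path. Keep the direct return.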
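Review bot: The four calls added before 'return 0;' in the second hunk run on the success path, and they are the same teardown the error labels perform (tegra_asoc_utils_fini(), platform_device_del(), platform_device_put()) plus a devm_kfree() of 'machine'. This removes the codec device and frees the driver state that probe has just set up while still reporting success, so anything that refers to 'machine' afterwards would touch freed memory. Drop these lines; teardown belongs in the error labels and the remove path.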
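Review bot: The new 'codec_free:' label in the third hunk sits directly after 'codec_put:', so every error path that falls through from 'asoc_utils_fini:' or 'codec_put:' now also calls devm_kfree(&pdev->dev, machine), not only the allocation failure it was added for. The call is redundant because 'machine' is devm-managed, and the label name suggests it frees the codec rather than 'machine'. Drop the label together with the devm_kfree() call.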
---
On 24/05/2019 01:50, Gen Zhang wrote:
> In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
Memory allocated by devm_xxx() is automatically freed on failure so this is not correct.
> Further, we should free 'machine->util_data', 'machine->codec' and 'machine' before this function normally ends to prevent memory leaking.
This is also incorrect. Why would we free all resources after successfully initialising the driver?
Signed-off-by: Gen Zhang blackgod016574@gmail.com
diff --git a/sound/soc/tegra/tegra_wm9712.c b/sound/soc/tegra/tegra_wm9712.c index 864a334..295c41d 100644 --- a/sound/soc/tegra/tegra_wm9712.c +++ b/sound/soc/tegra/tegra_wm9712.c @@ -86,7 +86,8 @@ static int tegra_wm9712_driver_probe(struct platform_device *pdev) machine->codec = platform_device_alloc("wm9712-codec", -1); if (!machine->codec) { dev_err(&pdev->dev, "Can't allocate wm9712 platform device\n");
return -ENOMEM;
ret = -ENOMEM;
goto codec_free;
}
ret = platform_device_add(machine->codec);
@@ -127,6 +128,10 @@ static int tegra_wm9712_driver_probe(struct platform_device *pdev) goto asoc_utils_fini; }
- tegra_asoc_utils_fini(&machine->util_data);
- platform_device_del(machine->codec);
- platform_device_put(machine->codec);
- devm_kfree(&pdev->dev, machine); return 0;
As stated above, this is incorrect.
Did you actually test this? I think you would find this would break the driver.
Jon
On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote:
> On 24/05/2019 01:50, Gen Zhang wrote:
>> In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
> Memory allocated by devm_xxx() is automatically freed on failure so this is not correct.
Thanks for your comments, Jon. But after I examined the code, I am still confused about the usage of devm_kmalloc(). You can kindly refer to hisi_sas_debugfs_init() in drivers/scsi/hisi_sas/hisi_sas_main.c. And devm_kfree() is used to free a memory allocated by devm_kmalloc(). And I found other situations similar to this in other files.
So, I hope you can give me some guidance on this. Thanks!
>> Further, we should free 'machine->util_data', 'machine->codec' and 'machine' before this function normally ends to prevent memory leaking.
> This is also incorrect. Why would we free all resources after successfully initialising the driver?
I re-checked this part, and it is totally incorrect. It should be deleted.
Thanks Gen
On 24/05/2019 15:33, Gen Zhang wrote:
> On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote:
>> On 24/05/2019 01:50, Gen Zhang wrote:
>>> In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
>> Memory allocated by devm_xxx() is automatically freed on failure so this is not correct.
> Thanks for your comments, Jon. But after I examined the code, I am still confused about the usage of devm_kmalloc(). You can kindly refer to hisi_sas_debugfs_init() in drivers/scsi/hisi_sas/hisi_sas_main.c. And devm_kfree() is used to free a memory allocated by devm_kmalloc(). And I found other situations similar to this in other files.
> So, I hope you can give me some guidance on this. Thanks!
Please refer to the devres documentation [0].
Cheers, Jon
[0] https://www.kernel.org/doc/Documentation/driver-model/devres.txt
On Fri, May 24, 2019 at 03:47:34PM +0100, Jon Hunter wrote:
> On 24/05/2019 15:33, Gen Zhang wrote:
>> On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote:
>>> On 24/05/2019 01:50, Gen Zhang wrote:
>>>> In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
>>> Memory allocated by devm_xxx() is automatically freed on failure so this is not correct.
>> Thanks for your comments, Jon. But after I examined the code, I am still confused about the usage of devm_kmalloc(). You can kindly refer to hisi_sas_debugfs_init() in drivers/scsi/hisi_sas/hisi_sas_main.c. And devm_kfree() is used to free a memory allocated by devm_kmalloc(). And I found other situations similar to this in other files.
>> So, I hope you can give me some guidance on this. Thanks!
> Please refer to the devres documentation [0].
> Cheers, Jon
> [0] https://www.kernel.org/doc/Documentation/driver-model/devres.txt
Thanks for your reply. I figured out that devm_kmalloc will free the memory no matter fail or not. But I still want to ask why other codes as I above mentioned use devm_kfree() to free memory allocated by devm_kmalloc(). If the memory is automatically freed, is this devm_kfree() redundant codes that should be removed? Am I misunderstanding this again or it is something else?
Thanks Gen
On 24/05/2019 16:00, Gen Zhang wrote:
> On Fri, May 24, 2019 at 03:47:34PM +0100, Jon Hunter wrote:
>> On 24/05/2019 15:33, Gen Zhang wrote:
>>> On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote:
>>>> On 24/05/2019 01:50, Gen Zhang wrote:
>>>>> In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by platform_device_alloc(). When it is NULL, function returns ENOMEM. However, 'machine' is allocated by devm_kzalloc() before this site. Thus we should free 'machine' before function ends to prevent memory leaking.
>>>> Memory allocated by devm_xxx() is automatically freed on failure so this is not correct.
>>> Thanks for your comments, Jon. But after I examined the code, I am still confused about the usage of devm_kmalloc(). You can kindly refer to hisi_sas_debugfs_init() in drivers/scsi/hisi_sas/hisi_sas_main.c. And devm_kfree() is used to free a memory allocated by devm_kmalloc(). And I found other situations similar to this in other files.
>>> So, I hope you can give me some guidance on this. Thanks!
>> Please refer to the devres documentation [0].
>> Cheers, Jon
>> [0] https://www.kernel.org/doc/Documentation/driver-model/devres.txt
> Thanks for your reply. I figured out that devm_kmalloc will free the memory no matter fail or not. But I still want to ask why other codes as I above mentioned use devm_kfree() to free memory allocated by devm_kmalloc(). If the memory is automatically freed, is this devm_kfree() redundant codes that should be removed? Am I misunderstanding this again or it is something else?
There could well be cases where you need to explicitly call devm_kfree(), but having a quick glance at the example above, I don't see why you would call devm_kfree() here and yes looks like that code could be simplified significantly. Notice that hisi_sas_debugfs_exit() does not free any memory as it is not necessary to explicitly do so.
Cheers Jon
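Added example, not part of the thread or of the kernel sources: a userspace C model of the devres behaviour discussed above, where a managed allocation made in probe is released by the driver core when probe fails, so a plain 'return -ENOMEM' leaks nothing. All *_model names and the 64-byte size are assumptions made for the illustration.

```c
/* Userspace model of devres bookkeeping; constructed, not kernel code. */
#include <errno.h>
#include <stdlib.h>

struct devres { struct devres *next; unsigned char data[]; };
struct device { struct devres *head; /* list of managed allocations */ };

/* Models devm_kzalloc(): zeroed memory recorded on the device's list. */
static void *devm_kzalloc_model(struct device *dev, size_t size)
{
	struct devres *dr = calloc(1, sizeof(*dr) + size);
	if (!dr)
		return NULL;
	dr->next = dev->head;
	dev->head = dr;
	return dr->data;
}

/* Models what the driver core does after a failed probe or on unbind:
 * every managed allocation is freed; returns how many were released. */
static int devres_release_all_model(struct device *dev)
{
	int n = 0;
	for (struct devres *dr; (dr = dev->head); n++) {
		dev->head = dr->next;
		free(dr);
	}
	return n;
}

/* Probe shaped like the thread's case: managed alloc, later step fails. */
static int probe_model(struct device *dev, int codec_alloc_fails)
{
	if (!devm_kzalloc_model(dev, 64))	/* stands in for 'machine' */
		return -ENOMEM;
	if (codec_alloc_fails)
		return -ENOMEM;		/* plain return, no explicit free */
	return 0;
}

/* Models binding: on probe failure the core releases managed resources;
 * on success they stay alive until the device is unbound. */
static int bind_model(struct device *dev, int codec_alloc_fails)
{
	int ret = probe_model(dev, codec_alloc_fails);
	if (ret)
		devres_release_all_model(dev);
	return ret;
}
```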
On Fri, May 24, 2019 at 04:36:54PM +0100, Jon Hunter wrote:
> There could well be cases where you need to explicitly call devm_kfree(), but having a quick glance at the example above, I don't see why you would call devm_kfree() here and yes looks like that code could be simplified significantly. Notice that hisi_sas_debugfs_exit() does not free any memory as it is not necessary to explicitly do so.
> Cheers Jon
Thanks for your suggestions, Jon! I think I need to e-mail to those maintainers about this issue.
Thanks Gen