[2.4] Multiple memleaks in IBM Hot Plug Controller Driver

From: Oleg Drokin (green@linuxhacker.ru)
Date: Thu Mar 13 2003 - 15:45:56 EST

Hello!

   There seem to be memleak convert_2digits_to_char() function that is triggered
   during normal operations.
   Also I think there are some memleaks on error exit paths
   ebda_rsrc_controller()
   All of this is addressed by below patch.
   2.5 seems to have totally different version of this code (and no
   convert_2digits_to_char() function at all for example).
   Found with help of smatch + enhanced unfree script.

Bye,
    Oleg

===== drivers/hotplug/ibmphp_ebda.c 1.6 vs edited =====
--- 1.6/drivers/hotplug/ibmphp_ebda.c Fri Sep 13 21:56:25 2002
+++ edited/drivers/hotplug/ibmphp_ebda.c Thu Mar 13 23:40:29 2003
@@ -597,8 +597,8 @@
         char *str1;
 
         str = (char *) kmalloc (3, GFP_KERNEL);
- memset (str, 0, 3);
- str1 = (char *) kmalloc (2, GFP_KERNEL);
+ if (!str)
+ return NULL;
         memset (str, 0, 3);
         bit = (int)(var / 10);
         switch (bit) {
@@ -608,13 +608,20 @@
                 return str;
         default:
                 //2 digits number
+ str1 = (char *) kmalloc (2, GFP_KERNEL);
+ if (!str1) {
+ break;
+ }
+ memset (str, 0, 3);
                 *str1 = (char)(bit + 48);
                 strncpy (str, str1, 1);
                 memset (str1, 0, 3);
                 *str1 = (char)((var % 10) + 48);
                 strcat (str, str1);
+ kfree(str1);
                 return str;
- }
+ }
+ kfree(str);
         return NULL;
 }
 
@@ -1022,6 +1029,10 @@
                         bus_info_ptr1 = ibmphp_find_same_bus_num (hpc_ptr->slots[index].slot_bus_num);
                         if (!bus_info_ptr1) {
                                 iounmap (io_mem);
+ kfree (hp_slot_ptr->name);
+ kfree (hp_slot_ptr->info);
+ kfree (hp_slot_ptr->private);
+ kfree (hp_slot_ptr);
                                 return -ENODEV;
                         }
                         ((struct slot *) hp_slot_ptr->private)->bus_on = bus_info_ptr1;
@@ -1036,12 +1047,20 @@
                         rc = ibmphp_hpc_fillhpslotinfo (hp_slot_ptr);
                         if (rc) {
                                 iounmap (io_mem);
+ kfree (hp_slot_ptr->name);
+ kfree (hp_slot_ptr->info);
+ kfree (hp_slot_ptr->private);
+ kfree (hp_slot_ptr);
                                 return rc;
                         }
 
                         rc = ibmphp_init_devno ((struct slot **) &hp_slot_ptr->private);
                         if (rc) {
                                 iounmap (io_mem);
+ kfree (hp_slot_ptr->name);
+ kfree (hp_slot_ptr->info);
+ kfree (hp_slot_ptr->private);
+ kfree (hp_slot_ptr);
                                 return rc;
                         }
                         hp_slot_ptr->ops = &ibmphp_hotplug_slot_ops;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Sat Mar 15 2003 - 22:00:36 EST