Re: [PATCH] staging: comedi: drivers: prevent memory leak

From: Ian Abbott
Date: Tue Sep 17 2019 - 06:13:20 EST


On 17/09/2019 07:33, Dan Carpenter wrote:
On Mon, Sep 16, 2019 at 09:41:43PM -0500, Navid Emamdoost wrote:
In das1800_attach, the buffer allocated via kmalloc_array needs to be
released if an error happens.

Signed-off-by: Navid Emamdoost <navid.emamdoost@xxxxxxxxx>

Commedit calls ->detach() if the ->attach() fails so this patch would
lead to a double free. See comedi_device_attach():

drivers/staging/comedi/drivers.c
983 }
984 if (!driv->attach) {
985 /* driver does not support manual configuration */
986 dev_warn(dev->class_dev,
987 "driver '%s' does not support attach using comedi_config\n",
988 driv->driver_name);
989 module_put(driv->module);
990 ret = -EIO;
991 goto out;
992 }
993 dev->driver = driv;
994 dev->board_name = dev->board_ptr ? *(const char **)dev->board_ptr
995 : dev->driver->driver_name;
996 ret = driv->attach(dev, it);
^^^^^^^^^^^^^^^^^^^^^
997 if (ret >= 0)
998 ret = comedi_device_postconfig(dev);
999 if (ret < 0) {
1000 comedi_device_detach(dev);
^^^^^^^^^^^^^^^^^^^^^^^^^

1001 module_put(driv->module);
1002 }
1003 /* On success, the driver module count has been incremented. */

Yes, everything should be freed properly by comedi_device_detach(). From comedi_device_detach(), some of the stuff is freed by dev->driver->detach(), and the remainder is freed by comedi_device_detach_cleanup().

--
-=( Ian Abbott <abbotti@xxxxxxxxx> || Web: www.mev.co.uk )=-
-=( MEV Ltd. is a company registered in England & Wales. )=-
-=( Registered number: 02862268. Registered address: )=-
-=( 15 West Park Road, Bramhall, STOCKPORT, SK7 3JZ, UK. )=-