On Tue, Apr 27, 2021 at 11:36 AM <trix@xxxxxxxxxx> wrote:
From: Tom Rix <trix@xxxxxxxxxx>
Thanks for the patch.
Clang static analysis reports this error
fsl-mc-bus.c:891:2: warning: Attempt to free released memory
kfree(mc_dev);
^~~~~~~~~~~~~
In this block of code
if (strcmp(obj_desc->type, "dprc") == 0) {
..
mc_bus = kzalloc(..)
mc_dev = &mc_bus->mc_dev;
Aren't the allocations for mc_bus and mc_dev mutually exclusive based
on that conditional? If so...
mc_dev is not alloc-ed, so it should not be freed.
The error handling here seems quite wrong (regardless of your patch).
Old handler triggers a false positive from checkpatch, so add a
comment and change logic a bit.
Fixes: a042fbed0290 ("staging: fsl-mc: simplify couple of deallocations")
Signed-off-by: Tom Rix <trix@xxxxxxxxxx>
---
drivers/bus/fsl-mc/fsl-mc-bus.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/bus/fsl-mc/fsl-mc-bus.c b/drivers/bus/fsl-mc/fsl-mc-bus.c
index 380ad1fdb745..fb3e1d8a7f63 100644
--- a/drivers/bus/fsl-mc/fsl-mc-bus.c
+++ b/drivers/bus/fsl-mc/fsl-mc-bus.c
@@ -887,8 +887,10 @@ int fsl_mc_device_add(struct fsl_mc_obj_desc *obj_desc,
error_cleanup_dev:
kfree(mc_dev->regions);
+ /* mc_dev is only allocated when it is not part of mc_bus */
+ if (!mc_bus)
+ kfree(mc_dev);
kfree(mc_bus);
- kfree(mc_dev);
mc_dev->regions is allocated by fsl_mc_device_get_mmio_regions() IIUC.
Wouldn't the first `goto error_cleanup_dev;` taken end up passing an
uninitialized pointer to kfree()?
What if `strcmp(obj_desc->type, "dprc") == 0` is false? We allocate
`mc_dev`, but then call kfree on `mc_bus`?
I think it would be safer to locally save the result of
`strcmp(obj_desc->type, "dprc") == 0`, then check that throughout this
function, including the error handling at the end, or use multiple
labels to unwind the allocations correctly.
The local mc_bus is only set in this block, so I don't think another local is needed.
return error;
}
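Review bot: the `if (!mc_bus)` guard added at error_cleanup_dev is only correct if `mc_bus` is NULL on every path that reaches the label, and the unconditional `kfree(mc_dev->regions)` left above it is only correct if `regions` is NULL or allocated on every such path; neither initialization is visible in this hunk, so the commit message should say where `mc_bus` and `mc_dev->regions` are set to NULL before the first `goto error_cleanup_dev`, or the regions free should move behind its own label. The remaining unconditional `kfree(mc_bus)` is safe for the non-dprc case because kfree() of a NULL pointer is a no-op; it is worth stating that in the new comment, e.g. `/* mc_dev is embedded in mc_bus for dprc objects; kfree(NULL) is a no-op */`, so the next reader does not re-raise the question.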
--
--
Thanks,
~Nick Desaulniers
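The unwind problem debated above, as an added userspace example; this is not the kernel's fsl-mc-bus.c and not code from either participant. It contrasts the original cleanup (free regions, then mc_bus, then mc_dev) with an unwind that uses one label per allocation and decides embedded-or-separate once from whether mc_bus was allocated, the second option Nick suggests. The struct layouts, the function names device_add_old and device_add_fixed, the free tracker, the fail_step parameter and the "dpni" type name are assumptions for illustration.

```c
/* Added example, not the kernel's fsl-mc-bus.c: a userspace model of the
 * unwind discussed in the thread. mc_dev is either embedded in mc_bus
 * ("dprc") or allocated on its own, and the error path must free it exactly
 * once. A small free tracker records double frees instead of performing
 * them. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct mc_dev { void *regions; };          /* regions allocated in a later step */
struct mc_bus { struct mc_dev mc_dev; };   /* embedded: freeing mc_bus frees it */

#define MAX_TRACK 16
static void *freed_ptrs[MAX_TRACK];
static int nalloc, nfreed, double_frees;

static void *tracked_zalloc(size_t n)
{
    void *p = calloc(1, n);                /* zeroed like kzalloc(): regions == NULL */
    if (p)
        nalloc++;
    return p;
}

static void tracked_free(void *p)
{
    if (!p)
        return;                            /* kfree(NULL) is a no-op */
    for (int i = 0; i < nfreed; i++)
        if (freed_ptrs[i] == p) {          /* record it, do not free twice (UB) */
            double_frees++;
            return;
        }
    if (nfreed < MAX_TRACK)
        freed_ptrs[nfreed++] = p;
    free(p);
}

/* Prologue shared by both variants; mc_bus stays NULL for non-dprc types. */
static int alloc_dev(const char *type, struct mc_bus **busp, struct mc_dev **devp)
{
    *busp = NULL;
    if (strcmp(type, "dprc") == 0) {
        if (!(*busp = tracked_zalloc(sizeof(**busp))))
            return -1;
        *devp = &(*busp)->mc_dev;
    } else if (!(*devp = tracked_zalloc(sizeof(**devp)))) {
        return -1;
    }
    return 0;
}

/* The unwind the thread starts from. fail_step 1 fails before regions are
 * allocated, 2 after; 0 succeeds and hands the device to the caller. */
static int device_add_old(const char *type, int fail_step, struct mc_dev **out)
{
    struct mc_bus *mc_bus;
    struct mc_dev *mc_dev;
    if (alloc_dev(type, &mc_bus, &mc_dev))
        return -1;
    if (fail_step == 1)
        goto error_cleanup_dev;
    mc_dev->regions = tracked_zalloc(64);
    if (!mc_dev->regions || fail_step == 2)
        goto error_cleanup_dev;
    *out = mc_dev;
    return 0;
error_cleanup_dev:
    tracked_free(mc_dev->regions);
    tracked_free(mc_bus);
    tracked_free(mc_dev);                  /* double free when mc_dev == &mc_bus->mc_dev */
    return -1;
}

/* One label per allocation, unwound in reverse order of acquisition; the
 * embedded-or-separate decision is made once, from whether mc_bus exists. */
static int device_add_fixed(const char *type, int fail_step, struct mc_dev **out)
{
    struct mc_bus *mc_bus;
    struct mc_dev *mc_dev;
    if (alloc_dev(type, &mc_bus, &mc_dev))
        return -1;
    if (fail_step == 1)
        goto error_cleanup_dev;            /* regions never allocated: skip its free */
    mc_dev->regions = tracked_zalloc(64);
    if (!mc_dev->regions)
        goto error_cleanup_dev;
    if (fail_step == 2)
        goto error_cleanup_regions;
    *out = mc_dev;
    return 0;
error_cleanup_regions:
    tracked_free(mc_dev->regions);
error_cleanup_dev:
    if (mc_bus)
        tracked_free(mc_bus);              /* takes the embedded mc_dev with it */
    else
        tracked_free(mc_dev);
    return -1;
}

/* Run one failing call under a fresh tracker. Returns the number of double
 * frees seen, -1 if something leaked, -2 if the call did not fail. */
static int check_unwind(int (*add)(const char *, int, struct mc_dev **),
                        const char *type, int fail_step)
{
    struct mc_dev *dev = NULL;
    nalloc = nfreed = double_frees = 0;
    if (add(type, fail_step, &dev) != -1)
        return -2;
    return nfreed != nalloc ? -1 : double_frees;
}
```

Because mc_dev is the first member of mc_bus, the old cleanup hands the same address to the allocator twice in the dprc case, which is what the tracker flags; with a separately allocated mc_dev it unwinds cleanly, so the bug is only reachable on the dprc path. The extra error_cleanup_regions label is not strictly needed here since the device is zero-allocated and freeing a NULL regions pointer is a no-op, but it keeps the unwind correct even if that zeroing is ever lost.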