* [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()
@ 2022-01-24 16:53 Zhou Qingyang
  2022-01-24 19:53 ` Stephen Boyd
  2022-01-28 10:19 ` Greg KH
  0 siblings, 2 replies; 4+ messages in thread
From: Zhou Qingyang @ 2022-01-24 16:53 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Dinh Nguyen, Michael Turquette, Stephen Boyd, linux-clk,
	linux-kernel

In socfpga_gate_init(), when ops fails, socfpga_clk is not released or
passed out, which could lead to a memleak.

Fix this bug by adding a kfree of socfpga_clk on the failure path of ops.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/clk/socfpga/clk-gate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index 53d6e3ec4309..0ca5e0000925 100644
--- a/drivers/clk/socfpga/clk-gate.c
+++ b/drivers/clk/socfpga/clk-gate.c
@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
 		return;
 
 	ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
-	if (WARN_ON(!ops))
+	if (WARN_ON(!ops)) {
+		kfree(socfpga_clk);
 		return;
+	}
 
 	rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
 	if (rc)
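Review bot: the `if (WARN_ON(!ops)) {` line keeps a WARN_ON() around an allocation-failure check. kmemdup() with GFP_KERNEL already makes the allocator log a failure warning with a stack trace, so the WARN_ON() only produces a second trace. Suggest `if (!ops) {`, leaving the kfree(socfpga_clk) and the return as they are. The commit message's "when ops fails" would also read more precisely as "when the kmemdup() of gateclk_ops fails".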
-- 
2.25.1



* Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()
  2022-01-24 16:53 [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init() Zhou Qingyang
@ 2022-01-24 19:53 ` Stephen Boyd
  2022-01-25 19:32   ` Dinh Nguyen
  2022-01-28 10:19 ` Greg KH
  1 sibling, 1 reply; 4+ messages in thread
From: Stephen Boyd @ 2022-01-24 19:53 UTC (permalink / raw)
  To: zhou1615; +Cc: kjlu, Dinh Nguyen, Michael Turquette, linux-clk, linux-kernel

Quoting Zhou Qingyang (2022-01-24 08:53:16)
> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
> index 53d6e3ec4309..0ca5e0000925 100644
> --- a/drivers/clk/socfpga/clk-gate.c
> +++ b/drivers/clk/socfpga/clk-gate.c
> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
>                 return;
>  
>         ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
> -       if (WARN_ON(!ops))
> +       if (WARN_ON(!ops)) {

A WARN_ON() after an allocation failure will lead to double stacktraces.
Can you remove the WARN_ON()?

Furthermore, it looks like 'ops' is never freed on failure in this
function. Did the SA tool figure that out? There are more problems with
this function and error paths. Seems like nobody cares.

> +               kfree(socfpga_clk);
>                 return;
> +       }
>


* Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()
  2022-01-24 19:53 ` Stephen Boyd
@ 2022-01-25 19:32   ` Dinh Nguyen
  0 siblings, 0 replies; 4+ messages in thread
From: Dinh Nguyen @ 2022-01-25 19:32 UTC (permalink / raw)
  To: Stephen Boyd, zhou1615; +Cc: kjlu, Michael Turquette, linux-clk, linux-kernel



On 1/24/22 13:53, Stephen Boyd wrote:
> Quoting Zhou Qingyang (2022-01-24 08:53:16)
>> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
>> index 53d6e3ec4309..0ca5e0000925 100644
>> --- a/drivers/clk/socfpga/clk-gate.c
>> +++ b/drivers/clk/socfpga/clk-gate.c
>> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
>>                  return;
>>   
>>          ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
>> -       if (WARN_ON(!ops))
>> +       if (WARN_ON(!ops)) {
> 
> A WARN_ON() after an allocation failure will lead to double stacktraces.
> Can you remove the WARN_ON()?
> 
> Furthermore, it looks like 'ops' is never freed on failure in this
> function. Did the SA tool figure that out? There are more problems with
> this function and error paths. Seems like nobody cares.
> 

Thanks for pointing this out. I'll take a look and will send a patch 
shortly.

Dinh


* Re: [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()
  2022-01-24 16:53 [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init() Zhou Qingyang
  2022-01-24 19:53 ` Stephen Boyd
@ 2022-01-28 10:19 ` Greg KH
  1 sibling, 0 replies; 4+ messages in thread
From: Greg KH @ 2022-01-28 10:19 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Dinh Nguyen, Michael Turquette, Stephen Boyd, linux-clk,
	linux-kernel

On Tue, Jan 25, 2022 at 12:53:16AM +0800, Zhou Qingyang wrote:
> In socfpga_gate_init(), when ops fails, socfpga_clk is not released or
> passed out, which could lead to a memleak.
> 
> Fix this bug by adding a kfree of socfpga_clk on the failure path of ops.
> 
> This bug was found by a static analyzer.
> 
> Builds with 'make allyesconfig' show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> The analysis employs differential checking to identify inconsistent 
> security operations (e.g., checks or kfrees) between two code paths 
> and confirms that the inconsistent operations are not recovered in the
> current function or the callers, so they constitute bugs. 
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
>  drivers/clk/socfpga/clk-gate.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
> index 53d6e3ec4309..0ca5e0000925 100644
> --- a/drivers/clk/socfpga/clk-gate.c
> +++ b/drivers/clk/socfpga/clk-gate.c
> @@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
>  		return;
>  
>  	ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
> -	if (WARN_ON(!ops))
> +	if (WARN_ON(!ops)) {
> +		kfree(socfpga_clk);
>  		return;
> +	}
>  
>  	rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
>  	if (rc)
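Review bot: the added `kfree(socfpga_clk);` releases the earlier allocation on this one branch only, and from the kmemdup() line onward the function holds two allocations, ops and socfpga_clk. Any failure return further down, outside the lines shown here, would have to free both. A single error label reached by goto, doing kfree(ops) and kfree(socfpga_clk), would keep the cleanup in one place instead of repeating frees per branch.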
> -- 
> 2.25.1
> 

As stated before, umn.edu is still not allowed to contribute to the
Linux kernel.  Please work with your administration to resolve this
issue.

