drivers/ata/pata_parport/pata_parport.c:446 pi_init_one() warn: possible memory leak of 'pi'

drivers/ata/pata_parport/pata_parport.c:446 pi_init_one() warn: possible memory leak of 'pi'

[Dan Carpenter]

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   ef5f68cc1f829b492b19cd4df5af4454aa816b93
commit: 72f2b0b2185099dce354c805009f591dda3ab73d drivers/block: Move PARIDE protocol modules to drivers/ata/pata_parport
config: ia64-randconfig-m041-20230308 (https://download.01.org/0day-ci/archive/20230311/202303111822.IHNchbkp-lkp@intel.com/config)
compiler: ia64-linux-gcc (GCC) 12.1.0

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/

New smatch warnings:
drivers/ata/pata_parport/pata_parport.c:446 pi_init_one() warn: possible memory leak of 'pi'
drivers/ata/pata_parport/comm.c:64 comm_read_regr() warn: inconsistent indenting
drivers/ata/pata_parport/comm.c:164 comm_write_block() warn: inconsistent indenting

Old smatch warnings:
drivers/ata/pata_parport/pata_parport.c:445 pi_init_one() warn: unsigned 'pi->dev.id' is never less than zero.
drivers/ata/pata_parport/comm.c:168 comm_write_block() warn: inconsistent indenting
drivers/ata/pata_parport/comm.c:172 comm_write_block() warn: inconsistent indenting

vim +/pi +446 drivers/ata/pata_parport/pata_parport.c

246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  418  static struct pi_adapter *pi_init_one(struct parport *parport,
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  419  			struct pi_protocol *pr, int mode, int unit, int delay)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  420  {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  421  	struct pardev_cb par_cb = { };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  422  	char scratch[512];
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  423  	const struct ata_port_info *ppi[] = { &pata_parport_port_info };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  424  	struct ata_host *host;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  425  	struct pi_adapter *pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  426  	struct pi_device_match match = { .parport = parport, .proto = pr };
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  427  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  428  	/*
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  429  	 * Abort if there's a device already registered on the same parport
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  430  	 * using the same protocol.
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  431  	 */
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  432  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  433  		return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  434  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  435  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  436  	if (!pi)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  437  		return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  438  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  439  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  440  	pi->dev.parent = &pata_parport_bus;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  441  	pi->dev.bus = &pata_parport_bus_type;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  442  	pi->dev.driver = &pr->driver;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  443  	pi->dev.release = pata_parport_dev_release;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  444  	pi->dev.id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  445  	if (pi->dev.id < 0)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23 @446  		return NULL; /* pata_parport_dev_release will do kfree(pi) */

The comment says that pata_parport_dev_release() will free "pi" but
that's impossible because pi is a local variable and we haven't called
device_register().

246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  447  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  448  	if (device_register(&pi->dev)) {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  449  		put_device(&pi->dev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  450  		goto out_ida_free;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  451  	}
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  452  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  453  	pi->proto = pr;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  454  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  455  	if (!try_module_get(pi->proto->owner))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  456  		goto out_unreg_dev;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  457  	if (pi->proto->init_proto && pi->proto->init_proto(pi) < 0)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  458  		goto out_module_put;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  459  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  460  	pi->delay = (delay == -1) ? pi->proto->default_delay : delay;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  461  	pi->mode = mode;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  462  	pi->port = parport->base;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  463  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  464  	par_cb.private = pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  465  	pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  466  						pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  467  	if (!pi->pardev)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  468  		goto out_module_put;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  469  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  470  	if (!pi_probe_unit(pi, unit, scratch)) {
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  471  		dev_info(&pi->dev, "Adapter not found\n");
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  472  		goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  473  	}
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  474  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  475  	pi->proto->log_adapter(pi, scratch, 1);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  476  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  477  	host = ata_host_alloc_pinfo(&pi->pardev->dev, ppi, 1);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  478  	if (!host)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  479  		goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  480  	dev_set_drvdata(&pi->dev, host);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  481  	host->private_data = pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  482  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  483  	ata_port_desc(host->ports[0], "port %s", pi->pardev->port->name);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  484  	ata_port_desc(host->ports[0], "protocol %s", pi->proto->name);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  485  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  486  	pi_connect(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  487  	if (ata_host_activate(host, 0, NULL, 0, &pata_parport_sht))
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  488  		goto out_unreg_parport;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  489  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  490  	return pi;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  491  
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  492  out_unreg_parport:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  493  	pi_disconnect(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  494  	parport_unregister_device(pi->pardev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  495  	if (pi->proto->release_proto)
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  496  		pi->proto->release_proto(pi);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  497  out_module_put:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  498  	module_put(pi->proto->owner);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  499  out_unreg_dev:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  500  	device_unregister(&pi->dev);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  501  out_ida_free:
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  502  	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  503  	return NULL;
246a1c4c6b7ffb drivers/ata/pata_parport.c Ondrej Zary 2023-01-23  504  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests

[PATCH] pata_parport: fix possible memory leak

[Ondrej Zary]

When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..fb1f10afa722 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
 	if (!pi)
-		return NULL;
+		goto out_ida_free;
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {
-- 
Ondrej Zary

Re: [PATCH] pata_parport: fix possible memory leak

[Sergei Shtylyov]

On 3/11/23 9:51 PM, Ondrej Zary wrote:

> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>

Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>

[...]

MBR, Sergey

Re: [PATCH] pata_parport: fix possible memory leak

[Sergey Shtylyov]

On 3/11/23 11:19 PM, Sergei Shtylyov wrote:

>> When ida_alloc() fails, "pi" is not freed although the misleading
>> comment says otherwise.
>> Move the ida_alloc() call up so we really don't have to free it.

   Wait, but don't we still need to call kfree() in pi_init_one()?

>> Reported-by: kernel test robot <lkp@intel.com>
>> Reported-by: Dan Carpenter <error27@gmail.com>
>> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
>> Signed-off-by: Ondrej Zary <linux@zary.sk>
> 
> Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> 
> [...]

MBR, Sergey

Re: [PATCH] pata_parport: fix possible memory leak

[Ondrej Zary]

On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
> 
> >> When ida_alloc() fails, "pi" is not freed although the misleading
> >> comment says otherwise.
> >> Move the ida_alloc() call up so we really don't have to free it.
> 
>    Wait, but don't we still need to call kfree() in pi_init_one()?

If it fails at device_register, the dev.release is already set to pata_parport_dev_release which does the kfree(). put_device() should call it. If it fails later, device_unregister() should do it.
 
> >> Reported-by: kernel test robot <lkp@intel.com>
> >> Reported-by: Dan Carpenter <error27@gmail.com>
> >> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> >> Signed-off-by: Ondrej Zary <linux@zary.sk>
> > 
> > Reviewed-by: Sergey Shtylyov <s.shtylyov@omp.ru>
> > 
> > [...]
> 
> MBR, Sergey
> 


-- 
Ondrej Zary

Re: [PATCH] pata_parport: fix possible memory leak

[Ondrej Zary]

On Saturday 11 March 2023 22:11:57 Ondrej Zary wrote:
> On Saturday 11 March 2023 21:23:25 Sergey Shtylyov wrote:
> > On 3/11/23 11:19 PM, Sergei Shtylyov wrote:
> > 
> > >> When ida_alloc() fails, "pi" is not freed although the misleading
> > >> comment says otherwise.
> > >> Move the ida_alloc() call up so we really don't have to free it.
> > 
> >    Wait, but don't we still need to call kfree() in pi_init_one()?
> 
> If it fails at device_register, the dev.release is already set to
> pata_parport_dev_release which does the kfree(). put_device() should call
> it. If it fails later, device_unregister() should do it.  

But I see that the ida_free() at the end of pi_init_one() is wrong. It uses pi->dev.id but pi is either uninitialized or already freed.
  
-- 
Ondrej Zary

[PATCH v2] pata_parport: fix possible memory leak

[Ondrej Zary]

When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free it.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..a9eff6003098 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
 	if (!pi)
-		return NULL;
+		goto out_ida_free;
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {
@@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 out_unreg_dev:
 	device_unregister(&pi->dev);
 out_ida_free:
-	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+	ida_free(&pata_parport_bus_dev_ids, id);
 	return NULL;
 }
 
-- 
Ondrej Zary

Re: [PATCH v2] pata_parport: fix possible memory leak

[Damien Le Moal]

On 3/12/23 06:44, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free it.

Certainly you meant: "so we really do free it in case of error.", no ?

> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>
> ---
>  drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> index 6165ee9aa7da..a9eff6003098 100644
> --- a/drivers/ata/pata_parport/pata_parport.c
> +++ b/drivers/ata/pata_parport/pata_parport.c
> @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
>  		return NULL;
>  
> +	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> +	if (id < 0)
> +		return NULL;
> +
>  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
>  	if (!pi)
> -		return NULL;
> +		goto out_ida_free;
>  
>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>  	pi->dev.parent = &pata_parport_bus;
>  	pi->dev.bus = &pata_parport_bus_type;
>  	pi->dev.driver = &pr->driver;
>  	pi->dev.release = pata_parport_dev_release;
> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> -	if (id < 0)
> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
>  	pi->dev.id = id;
>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>  	if (device_register(&pi->dev)) {
> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>  out_unreg_dev:
>  	device_unregister(&pi->dev);

Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
return here ?

>  out_ida_free:
> -	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> +	ida_free(&pata_parport_bus_dev_ids, id);
>  	return NULL;
>  }
>  

-- 
Damien Le Moal
Western Digital Research

Re: [PATCH v2] pata_parport: fix possible memory leak

[Ondrej Zary]

On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> On 3/12/23 06:44, Ondrej Zary wrote:
> > When ida_alloc() fails, "pi" is not freed although the misleading
> > comment says otherwise.
> > Move the ida_alloc() call up so we really don't have to free it.
> 
> Certainly you meant: "so we really do free it in case of error.", no ?

I meant "so we don't have to free pi in case of ida_alloc failure".
 
> > 
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <error27@gmail.com>
> > Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> > Signed-off-by: Ondrej Zary <linux@zary.sk>
> > ---
> >  drivers/ata/pata_parport/pata_parport.c | 11 ++++++-----
> >  1 file changed, 6 insertions(+), 5 deletions(-)
> > 
> > diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
> > index 6165ee9aa7da..a9eff6003098 100644
> > --- a/drivers/ata/pata_parport/pata_parport.c
> > +++ b/drivers/ata/pata_parport/pata_parport.c
> > @@ -503,18 +503,19 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >  	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
> >  		return NULL;
> >  
> > +	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > +	if (id < 0)
> > +		return NULL;
> > +
> >  	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
> >  	if (!pi)
> > -		return NULL;
> > +		goto out_ida_free;
> >  
> >  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >  	pi->dev.parent = &pata_parport_bus;
> >  	pi->dev.bus = &pata_parport_bus_type;
> >  	pi->dev.driver = &pr->driver;
> >  	pi->dev.release = pata_parport_dev_release;
> > -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> > -	if (id < 0)
> > -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >  	pi->dev.id = id;
> >  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >  	if (device_register(&pi->dev)) {
> > @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >  out_unreg_dev:
> >  	device_unregister(&pi->dev);
> 
> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> return here ?

No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.

> 
> >  out_ida_free:
> > -	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
> > +	ida_free(&pata_parport_bus_dev_ids, id);
> >  	return NULL;
> >  }
> >  
> 


-- 
Ondrej Zary

Re: [PATCH v2] pata_parport: fix possible memory leak

[Damien Le Moal]

On 3/13/23 06:24, Ondrej Zary wrote:
> On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
>> On 3/12/23 06:44, Ondrej Zary wrote:
>>> When ida_alloc() fails, "pi" is not freed although the misleading
>>> comment says otherwise.
>>> Move the ida_alloc() call up so we really don't have to free it.
>>
>> Certainly you meant: "so we really do free it in case of error.", no ?
> 
> I meant "so we don't have to free pi in case of ida_alloc failure".

That is better. Please rephrase the commit message to this.

>>>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
>>>  	pi->dev.parent = &pata_parport_bus;
>>>  	pi->dev.bus = &pata_parport_bus_type;
>>>  	pi->dev.driver = &pr->driver;
>>>  	pi->dev.release = pata_parport_dev_release;
>>> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
>>> -	if (id < 0)
>>> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
>>>  	pi->dev.id = id;
>>>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
>>>  	if (device_register(&pi->dev)) {
>>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
>>>  out_unreg_dev:
>>>  	device_unregister(&pi->dev);
>>
>> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
>> return here ?
> 
> No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.

Yes, it should, otherwise you are leaking the ida with the normal (no errors)
case. Care to send a fix for that too ?



-- 
Damien Le Moal
Western Digital Research

Re: [PATCH v2] pata_parport: fix possible memory leak

[Ondrej Zary]

On Monday 13 March 2023, Damien Le Moal wrote:
> On 3/13/23 06:24, Ondrej Zary wrote:
> > On Sunday 12 March 2023 01:56:25 Damien Le Moal wrote:
> >> On 3/12/23 06:44, Ondrej Zary wrote:
> >>> When ida_alloc() fails, "pi" is not freed although the misleading
> >>> comment says otherwise.
> >>> Move the ida_alloc() call up so we really don't have to free it.
> >>
> >> Certainly you meant: "so we really do free it in case of error.", no ?
> > 
> > I meant "so we don't have to free pi in case of ida_alloc failure".
> 
> That is better. Please rephrase the commit message to this.
> 
> >>>  	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
> >>>  	pi->dev.parent = &pata_parport_bus;
> >>>  	pi->dev.bus = &pata_parport_bus_type;
> >>>  	pi->dev.driver = &pr->driver;
> >>>  	pi->dev.release = pata_parport_dev_release;
> >>> -	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
> >>> -	if (id < 0)
> >>> -		return NULL; /* pata_parport_dev_release will do kfree(pi) */
> >>>  	pi->dev.id = id;
> >>>  	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
> >>>  	if (device_register(&pi->dev)) {
> >>> @@ -571,7 +572,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
> >>>  out_unreg_dev:
> >>>  	device_unregister(&pi->dev);
> >>
> >> Same comment as Sergey: isn't this going to do the ida free ? So shouldn't you
> >> return here ?
> > 
> > No. device_unregister() calls pata_parport_dev_release() which does only kfree(pi), not ida_free(). But it probably should do ida_free() too.
> 
> Yes, it should, otherwise you are leaking the ida with the normal (no errors)
> case. Care to send a fix for that too ?

Yes, I'll send it as soon as I fix a problem that I noticed during testing. The ida is never freed with this fix. And neither "pi" because pata_parport_dev_release is never called (confirmed by adding printk).

-- 
Ondrej Zary

[PATCH v3] pata_parport: fix memory leaks

[Ondrej Zary]

When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free "pi" in
case of ida_alloc() failure.

Also move ida_free() call from pi_remove_one() to
pata_parport_dev_release(). It was dereferencing already freed dev
pointer.

Testing revealed leak even in non-failure case which was tracked down
to missing put_device() call after bus_find_device_by_name(). As a
result, pata_parport_dev_release() was never called.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
---
 drivers/ata/pata_parport/pata_parport.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 6165ee9aa7da..dc77b4c6fcef 100644
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -452,6 +452,7 @@ static void pata_parport_dev_release(struct device *dev)
 {
 	struct pi_adapter *pi = container_of(dev, struct pi_adapter, dev);
 
+	ida_free(&pata_parport_bus_dev_ids, dev->id);
 	kfree(pi);
 }
 
@@ -503,23 +504,27 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 	if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
 		return NULL;
 
+	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+	if (id < 0)
+		return NULL;
+
 	pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
-	if (!pi)
+	if (!pi) {
+		ida_free(&pata_parport_bus_dev_ids, id);
 		return NULL;
+	}
 
 	/* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
 	pi->dev.parent = &pata_parport_bus;
 	pi->dev.bus = &pata_parport_bus_type;
 	pi->dev.driver = &pr->driver;
 	pi->dev.release = pata_parport_dev_release;
-	id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-	if (id < 0)
-		return NULL; /* pata_parport_dev_release will do kfree(pi) */
 	pi->dev.id = id;
 	dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
 	if (device_register(&pi->dev)) {
 		put_device(&pi->dev);
-		goto out_ida_free;
+		/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
+		return NULL;
 	}
 
 	pi->proto = pr;
@@ -534,8 +539,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 	pi->port = parport->base;
 
 	par_cb.private = pi;
-	pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
-						pi->dev.id);
+	pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb, id);
 	if (!pi->pardev)
 		goto out_module_put;
 
@@ -570,8 +574,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
 	module_put(pi->proto->owner);
 out_unreg_dev:
 	device_unregister(&pi->dev);
-out_ida_free:
-	ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+	/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
 	return NULL;
 }
 
@@ -696,8 +699,7 @@ static void pi_remove_one(struct device *dev)
 	pi_disconnect(pi);
 	pi_release(pi);
 	device_unregister(dev);
-	ida_free(&pata_parport_bus_dev_ids, dev->id);
-	/* pata_parport_dev_release will do kfree(pi) */
+	/* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
 }
 
 static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
@@ -713,6 +715,7 @@ static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
 	}
 
 	pi_remove_one(dev);
+	put_device(dev);
 	mutex_unlock(&pi_mutex);
 
 	return count;
-- 
Ondrej Zary

Re: [PATCH v3] pata_parport: fix memory leaks

[Damien Le Moal]

On 3/15/23 07:58, Ondrej Zary wrote:
> When ida_alloc() fails, "pi" is not freed although the misleading
> comment says otherwise.
> Move the ida_alloc() call up so we really don't have to free "pi" in
> case of ida_alloc() failure.
> 
> Also move ida_free() call from pi_remove_one() to
> pata_parport_dev_release(). It was dereferencing already freed dev
> pointer.
> 
> Testing revealed leak even in non-failure case which was tracked down
> to missing put_device() call after bus_find_device_by_name(). As a
> result, pata_parport_dev_release() was never called.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <error27@gmail.com>
> Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
> Signed-off-by: Ondrej Zary <linux@zary.sk>

Applied to for-6.3-fixes. Thanks !

-- 
Damien Le Moal
Western Digital Research