linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources
@ 2017-03-23  8:12 Jeffy Chen
  2017-03-23  8:12 ` [PATCH v2 1/2] PCI: return resource_entry in pci_add_resource helpers Jeffy Chen
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Jeffy Chen @ 2017-03-23  8:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: robh, toshi.kani, shawn.lin, briannorris, dianders, bhelgaas,
	dtor, Jeffy Chen, devicetree, linux-pci, Frank Rowand,
	Rob Herring

In of_pci_get_host_bridge_resources, we alloced some struct resource
variables, and they would cause memory leak since no where to free them.

Changes in v2:
Don't change the resource_list_create_entry's behavior.

Jeffy Chen (2):
  PCI: return resource_entry in pci_add_resource helpers
  of/pci: Fix memory leak in of_pci_get_host_bridge_resources

 drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
 drivers/pci/bus.c   | 13 +++++++-----
 include/linux/pci.h |  8 +++++---
 3 files changed, 38 insertions(+), 40 deletions(-)

-- 
2.1.4

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH v2 1/2] PCI: return resource_entry in pci_add_resource helpers
  2017-03-23  8:12 [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
@ 2017-03-23  8:12 ` Jeffy Chen
  2017-03-23  8:12 ` [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
  2017-03-23  9:00 ` [PATCH v2 0/2] " Shawn Lin
  2 siblings, 0 replies; 10+ messages in thread
From: Jeffy Chen @ 2017-03-23  8:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: robh, toshi.kani, shawn.lin, briannorris, dianders, bhelgaas,
	dtor, Jeffy Chen, linux-pci

Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
---

Changes in v2: None

 drivers/pci/bus.c   | 13 ++++++++-----
 include/linux/pci.h |  8 +++++---
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/drivers/pci/bus.c b/drivers/pci/bus.c
index bc56cf1..36a1861 100644
--- a/drivers/pci/bus.c
+++ b/drivers/pci/bus.c
@@ -17,25 +17,28 @@
 
 #include "pci.h"
 
-void pci_add_resource_offset(struct list_head *resources, struct resource *res,
-			     resource_size_t offset)
+struct resource_entry *pci_add_resource_offset(struct list_head *resources,
+					       struct resource *res,
+					       resource_size_t offset)
 {
 	struct resource_entry *entry;
 
 	entry = resource_list_create_entry(res, 0);
 	if (!entry) {
 		printk(KERN_ERR "PCI: can't add host bridge window %pR\n", res);
-		return;
+		return NULL;
 	}
 
 	entry->offset = offset;
 	resource_list_add_tail(entry, resources);
+	return entry;
 }
 EXPORT_SYMBOL(pci_add_resource_offset);
 
-void pci_add_resource(struct list_head *resources, struct resource *res)
+struct resource_entry *pci_add_resource(struct list_head *resources,
+					struct resource *res)
 {
-	pci_add_resource_offset(resources, res, 0);
+	return pci_add_resource_offset(resources, res, 0);
 }
 EXPORT_SYMBOL(pci_add_resource);
 
diff --git a/include/linux/pci.h b/include/linux/pci.h
index eb3da1a..ab16abe 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -1167,9 +1167,11 @@ void pci_release_selected_regions(struct pci_dev *, int);
 /* drivers/pci/bus.c */
 struct pci_bus *pci_bus_get(struct pci_bus *bus);
 void pci_bus_put(struct pci_bus *bus);
-void pci_add_resource(struct list_head *resources, struct resource *res);
-void pci_add_resource_offset(struct list_head *resources, struct resource *res,
-			     resource_size_t offset);
+struct resource_entry *pci_add_resource(struct list_head *resources,
+					struct resource *res);
+struct resource_entry *pci_add_resource_offset(struct list_head *resources,
+					       struct resource *res,
+					       resource_size_t offset);
 void pci_free_resource_list(struct list_head *resources);
 void pci_bus_add_resource(struct pci_bus *bus, struct resource *res,
 			  unsigned int flags);
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23  8:12 [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
  2017-03-23  8:12 ` [PATCH v2 1/2] PCI: return resource_entry in pci_add_resource helpers Jeffy Chen
@ 2017-03-23  8:12 ` Jeffy Chen
  2017-03-23 22:07   ` Rob Herring
  2017-03-23  9:00 ` [PATCH v2 0/2] " Shawn Lin
  2 siblings, 1 reply; 10+ messages in thread
From: Jeffy Chen @ 2017-03-23  8:12 UTC (permalink / raw)
  To: linux-kernel
  Cc: robh, toshi.kani, shawn.lin, briannorris, dianders, bhelgaas,
	dtor, Jeffy Chen, Frank Rowand, devicetree, Rob Herring

Currently we only free the allocated resource struct when error.
This would cause memory leak after pci_free_resource_list.

Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
---

Changes in v2:
Don't change the resource_list_create_entry's behavior.

 drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
 1 file changed, 25 insertions(+), 32 deletions(-)

diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
index 0ee42c3..a0ec246 100644
--- a/drivers/of/of_pci.c
+++ b/drivers/of/of_pci.c
@@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 			struct list_head *resources, resource_size_t *io_base)
 {
 	struct resource_entry *window;
-	struct resource *res;
-	struct resource *bus_range;
+	struct resource res;
 	struct of_pci_range range;
 	struct of_pci_range_parser parser;
 	char range_type[4];
@@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 	if (io_base)
 		*io_base = (resource_size_t)OF_BAD_ADDR;
 
-	bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
-	if (!bus_range)
-		return -ENOMEM;
-
 	pr_info("host bridge %s ranges:\n", dev->full_name);
 
-	err = of_pci_parse_bus_range(dev, bus_range);
+	err = of_pci_parse_bus_range(dev, &res);
 	if (err) {
-		bus_range->start = busno;
-		bus_range->end = bus_max;
-		bus_range->flags = IORESOURCE_BUS;
-		pr_info("  No bus range found for %s, using %pR\n",
-			dev->full_name, bus_range);
+		res.start = busno;
+		res.end = bus_max;
+		res.flags = IORESOURCE_BUS;
+		pr_info("  No bus range found for %s\n", dev->full_name);
 	} else {
-		if (bus_range->end > bus_range->start + bus_max)
-			bus_range->end = bus_range->start + bus_max;
+		if (res.end > res.start + bus_max)
+			res.end = res.start + bus_max;
+	}
+	window = pci_add_resource(resources, NULL);
+	if (!window) {
+		err = -ENOMEM;
+		goto parse_failed;
 	}
-	pci_add_resource(resources, bus_range);
+	*window->res = res;
 
 	/* Check for ranges property */
 	err = of_pci_range_parser_init(&parser, dev);
@@ -244,24 +243,16 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 		if (range.cpu_addr == OF_BAD_ADDR || range.size == 0)
 			continue;
 
-		res = kzalloc(sizeof(struct resource), GFP_KERNEL);
-		if (!res) {
-			err = -ENOMEM;
-			goto parse_failed;
-		}
-
-		err = of_pci_range_to_resource(&range, dev, res);
-		if (err) {
-			kfree(res);
+		err = of_pci_range_to_resource(&range, dev, &res);
+		if (err)
 			continue;
-		}
 
-		if (resource_type(res) == IORESOURCE_IO) {
+		if (resource_type(&res) == IORESOURCE_IO) {
 			if (!io_base) {
 				pr_err("I/O range found for %s. Please provide an io_base pointer to save CPU base address\n",
 					dev->full_name);
 				err = -EINVAL;
-				goto conversion_failed;
+				goto parse_failed;
 			}
 			if (*io_base != (resource_size_t)OF_BAD_ADDR)
 				pr_warn("More than one I/O resource converted for %s. CPU base address for old range lost!\n",
@@ -269,16 +260,18 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
 			*io_base = range.cpu_addr;
 		}
 
-		pci_add_resource_offset(resources, res,	res->start - range.pci_addr);
+		window = pci_add_resource(resources, NULL);
+		if (!window) {
+			err = -ENOMEM;
+			goto parse_failed;
+		}
+		*window->res = res;
+		window->offset = res.start - range.pci_addr;
 	}
 
 	return 0;
 
-conversion_failed:
-	kfree(res);
 parse_failed:
-	resource_list_for_each_entry(window, resources)
-		kfree(window->res);
 	pci_free_resource_list(resources);
 	return err;
 }
-- 
2.1.4

^ permalink raw reply related	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23  8:12 [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
  2017-03-23  8:12 ` [PATCH v2 1/2] PCI: return resource_entry in pci_add_resource helpers Jeffy Chen
  2017-03-23  8:12 ` [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
@ 2017-03-23  9:00 ` Shawn Lin
  2 siblings, 0 replies; 10+ messages in thread
From: Shawn Lin @ 2017-03-23  9:00 UTC (permalink / raw)
  To: Jeffy Chen
  Cc: linux-kernel, robh, toshi.kani, briannorris, dianders, bhelgaas,
	dtor, devicetree, linux-pci, Frank Rowand, Rob Herring

Hi Jeffy,

On 2017/3/23 16:12, Jeffy Chen wrote:
> In of_pci_get_host_bridge_resources, we alloced some struct resource
> variables, and they would cause memory leak since no where to free them.
>

Tested-by: Shawn Lin <shawn.lin@rock-chips.com>

> Changes in v2:
> Don't change the resource_list_create_entry's behavior.
>
> Jeffy Chen (2):
>   PCI: return resource_entry in pci_add_resource helpers
>   of/pci: Fix memory leak in of_pci_get_host_bridge_resources
>
>  drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>  drivers/pci/bus.c   | 13 +++++++-----
>  include/linux/pci.h |  8 +++++---
>  3 files changed, 38 insertions(+), 40 deletions(-)
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23  8:12 ` [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
@ 2017-03-23 22:07   ` Rob Herring
  2017-03-23 22:58     ` Dmitry Torokhov
  0 siblings, 1 reply; 10+ messages in thread
From: Rob Herring @ 2017-03-23 22:07 UTC (permalink / raw)
  To: Jeffy Chen
  Cc: linux-kernel, toshi.kani, Shawn Lin, Brian Norris, Doug Anderson,
	bhelgaas, Dmitry Torokhov, Frank Rowand, devicetree

On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com> wrote:
> Currently we only free the allocated resource struct when error.
> This would cause memory leak after pci_free_resource_list.
>
> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
> ---
>
> Changes in v2:
> Don't change the resource_list_create_entry's behavior.
>
>  drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>  1 file changed, 25 insertions(+), 32 deletions(-)
>
> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
> index 0ee42c3..a0ec246 100644
> --- a/drivers/of/of_pci.c
> +++ b/drivers/of/of_pci.c
> @@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>                         struct list_head *resources, resource_size_t *io_base)
>  {
>         struct resource_entry *window;
> -       struct resource *res;
> -       struct resource *bus_range;
> +       struct resource res;
>         struct of_pci_range range;
>         struct of_pci_range_parser parser;
>         char range_type[4];
> @@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>         if (io_base)
>                 *io_base = (resource_size_t)OF_BAD_ADDR;
>
> -       bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
> -       if (!bus_range)
> -               return -ENOMEM;
> -
>         pr_info("host bridge %s ranges:\n", dev->full_name);
>
> -       err = of_pci_parse_bus_range(dev, bus_range);
> +       err = of_pci_parse_bus_range(dev, &res);
>         if (err) {
> -               bus_range->start = busno;
> -               bus_range->end = bus_max;
> -               bus_range->flags = IORESOURCE_BUS;
> -               pr_info("  No bus range found for %s, using %pR\n",
> -                       dev->full_name, bus_range);
> +               res.start = busno;
> +               res.end = bus_max;
> +               res.flags = IORESOURCE_BUS;
> +               pr_info("  No bus range found for %s\n", dev->full_name);
>         } else {
> -               if (bus_range->end > bus_range->start + bus_max)
> -                       bus_range->end = bus_range->start + bus_max;
> +               if (res.end > res.start + bus_max)
> +                       res.end = res.start + bus_max;
> +       }
> +       window = pci_add_resource(resources, NULL);
> +       if (!window) {
> +               err = -ENOMEM;
> +               goto parse_failed;
>         }
> -       pci_add_resource(resources, bus_range);
> +       *window->res = res;

Well, now this seems racy. You add a blank resource to the list first
and then fill it in.

Rob

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23 22:07   ` Rob Herring
@ 2017-03-23 22:58     ` Dmitry Torokhov
  2017-03-24  1:39       ` jeffy
  2017-04-04 19:18       ` Bjorn Helgaas
  0 siblings, 2 replies; 10+ messages in thread
From: Dmitry Torokhov @ 2017-03-23 22:58 UTC (permalink / raw)
  To: Rob Herring
  Cc: Jeffy Chen, linux-kernel, toshi.kani, Shawn Lin, Brian Norris,
	Doug Anderson, bhelgaas, Dmitry Torokhov, Frank Rowand,
	devicetree

On Thu, Mar 23, 2017 at 3:07 PM, Rob Herring <robh@kernel.org> wrote:
> On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com> wrote:
>> Currently we only free the allocated resource struct when error.
>> This would cause memory leak after pci_free_resource_list.
>>
>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>> ---
>>
>> Changes in v2:
>> Don't change the resource_list_create_entry's behavior.
>>
>>  drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>>  1 file changed, 25 insertions(+), 32 deletions(-)
>>
>> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
>> index 0ee42c3..a0ec246 100644
>> --- a/drivers/of/of_pci.c
>> +++ b/drivers/of/of_pci.c
>> @@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>                         struct list_head *resources, resource_size_t *io_base)
>>  {
>>         struct resource_entry *window;
>> -       struct resource *res;
>> -       struct resource *bus_range;
>> +       struct resource res;
>>         struct of_pci_range range;
>>         struct of_pci_range_parser parser;
>>         char range_type[4];
>> @@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>         if (io_base)
>>                 *io_base = (resource_size_t)OF_BAD_ADDR;
>>
>> -       bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
>> -       if (!bus_range)
>> -               return -ENOMEM;
>> -
>>         pr_info("host bridge %s ranges:\n", dev->full_name);
>>
>> -       err = of_pci_parse_bus_range(dev, bus_range);
>> +       err = of_pci_parse_bus_range(dev, &res);
>>         if (err) {
>> -               bus_range->start = busno;
>> -               bus_range->end = bus_max;
>> -               bus_range->flags = IORESOURCE_BUS;
>> -               pr_info("  No bus range found for %s, using %pR\n",
>> -                       dev->full_name, bus_range);
>> +               res.start = busno;
>> +               res.end = bus_max;
>> +               res.flags = IORESOURCE_BUS;
>> +               pr_info("  No bus range found for %s\n", dev->full_name);
>>         } else {
>> -               if (bus_range->end > bus_range->start + bus_max)
>> -                       bus_range->end = bus_range->start + bus_max;
>> +               if (res.end > res.start + bus_max)
>> +                       res.end = res.start + bus_max;
>> +       }
>> +       window = pci_add_resource(resources, NULL);
>> +       if (!window) {
>> +               err = -ENOMEM;
>> +               goto parse_failed;
>>         }
>> -       pci_add_resource(resources, bus_range);
>> +       *window->res = res;
>
> Well, now this seems racy. You add a blank resource to the list first
> and then fill it in.
>

Huh? There is absolutely no guarantees for concurrent access here.
pcI_add_resource_offset() first adds a resource and then modifies
offset. Here we add an empty resource and then fill it in.

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23 22:58     ` Dmitry Torokhov
@ 2017-03-24  1:39       ` jeffy
  2017-04-04 19:18       ` Bjorn Helgaas
  1 sibling, 0 replies; 10+ messages in thread
From: jeffy @ 2017-03-24  1:39 UTC (permalink / raw)
  To: Dmitry Torokhov, Rob Herring
  Cc: linux-kernel, toshi.kani, Shawn Lin, Brian Norris, Doug Anderson,
	bhelgaas, Frank Rowand, devicetree

Hi Rob & Dmitry,

On 03/24/2017 06:58 AM, Dmitry Torokhov wrote:
> On Thu, Mar 23, 2017 at 3:07 PM, Rob Herring <robh@kernel.org> wrote:
>> On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com> wrote:
>>> Currently we only free the allocated resource struct when error.
>>> This would cause memory leak after pci_free_resource_list.
>>>
>>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>>> ---
>>>
>>> Changes in v2:
>>> Don't change the resource_list_create_entry's behavior.
>>>
>>>   drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>>>   1 file changed, 25 insertions(+), 32 deletions(-)
>>>
>>> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
>>> index 0ee42c3..a0ec246 100644
>>> --- a/drivers/of/of_pci.c
>>> +++ b/drivers/of/of_pci.c
>>> @@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>                          struct list_head *resources, resource_size_t *io_base)
>>>   {
>>>          struct resource_entry *window;
>>> -       struct resource *res;
>>> -       struct resource *bus_range;
>>> +       struct resource res;
>>>          struct of_pci_range range;
>>>          struct of_pci_range_parser parser;
>>>          char range_type[4];
>>> @@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>          if (io_base)
>>>                  *io_base = (resource_size_t)OF_BAD_ADDR;
>>>
>>> -       bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
>>> -       if (!bus_range)
>>> -               return -ENOMEM;
>>> -
>>>          pr_info("host bridge %s ranges:\n", dev->full_name);
>>>
>>> -       err = of_pci_parse_bus_range(dev, bus_range);
>>> +       err = of_pci_parse_bus_range(dev, &res);
>>>          if (err) {
>>> -               bus_range->start = busno;
>>> -               bus_range->end = bus_max;
>>> -               bus_range->flags = IORESOURCE_BUS;
>>> -               pr_info("  No bus range found for %s, using %pR\n",
>>> -                       dev->full_name, bus_range);
>>> +               res.start = busno;
>>> +               res.end = bus_max;
>>> +               res.flags = IORESOURCE_BUS;
>>> +               pr_info("  No bus range found for %s\n", dev->full_name);
>>>          } else {
>>> -               if (bus_range->end > bus_range->start + bus_max)
>>> -                       bus_range->end = bus_range->start + bus_max;
>>> +               if (res.end > res.start + bus_max)
>>> +                       res.end = res.start + bus_max;
>>> +       }
>>> +       window = pci_add_resource(resources, NULL);
>>> +       if (!window) {
>>> +               err = -ENOMEM;
>>> +               goto parse_failed;
>>>          }
>>> -       pci_add_resource(resources, bus_range);
>>> +       *window->res = res;
>>
>> Well, now this seems racy. You add a blank resource to the list first
>> and then fill it in.
>>
>
> Huh? There is absolutely no guarantees for concurrent access here.
> pcI_add_resource_offset() first adds a resource and then modifies
> offset. Here we add an empty resource and then fill it in.
currently, we are using of_pci_get_host_bridge_resources in this pattern:

create resource list:
         LIST_HEAD(res);
...
add resources into the list:
         err = of_pci_get_host_bridge_resources(dev->of_node, 0, 0xff,
                                                &res, &io_base);
...
walk over the list:
         /* Get the I/O and memory ranges from DT */
         resource_list_for_each_entry(win, &res) {

so only of_pci_get_host_bridge_resources is accessing this list at that 
time.

and an empty resource is harmless i think(with zero size and flags) ;)

maybe i should add some comments in the patch

>
> Thanks.
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-03-23 22:58     ` Dmitry Torokhov
  2017-03-24  1:39       ` jeffy
@ 2017-04-04 19:18       ` Bjorn Helgaas
  2017-04-05  2:22         ` jeffy
  1 sibling, 1 reply; 10+ messages in thread
From: Bjorn Helgaas @ 2017-04-04 19:18 UTC (permalink / raw)
  To: Dmitry Torokhov
  Cc: Rob Herring, Jeffy Chen, linux-kernel, toshi.kani, Shawn Lin,
	Brian Norris, Doug Anderson, Frank Rowand, devicetree

On Thu, Mar 23, 2017 at 5:58 PM, Dmitry Torokhov <dtor@chromium.org> wrote:
> On Thu, Mar 23, 2017 at 3:07 PM, Rob Herring <robh@kernel.org> wrote:
>> On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com> wrote:
>>> Currently we only free the allocated resource struct when error.
>>> This would cause memory leak after pci_free_resource_list.
>>>
>>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>>> ---
>>>
>>> Changes in v2:
>>> Don't change the resource_list_create_entry's behavior.
>>>
>>>  drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>>>  1 file changed, 25 insertions(+), 32 deletions(-)
>>>
>>> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
>>> index 0ee42c3..a0ec246 100644
>>> --- a/drivers/of/of_pci.c
>>> +++ b/drivers/of/of_pci.c
>>> @@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>                         struct list_head *resources, resource_size_t *io_base)
>>>  {
>>>         struct resource_entry *window;
>>> -       struct resource *res;
>>> -       struct resource *bus_range;
>>> +       struct resource res;
>>>         struct of_pci_range range;
>>>         struct of_pci_range_parser parser;
>>>         char range_type[4];
>>> @@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>         if (io_base)
>>>                 *io_base = (resource_size_t)OF_BAD_ADDR;
>>>
>>> -       bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
>>> -       if (!bus_range)
>>> -               return -ENOMEM;
>>> -
>>>         pr_info("host bridge %s ranges:\n", dev->full_name);
>>>
>>> -       err = of_pci_parse_bus_range(dev, bus_range);
>>> +       err = of_pci_parse_bus_range(dev, &res);
>>>         if (err) {
>>> -               bus_range->start = busno;
>>> -               bus_range->end = bus_max;
>>> -               bus_range->flags = IORESOURCE_BUS;
>>> -               pr_info("  No bus range found for %s, using %pR\n",
>>> -                       dev->full_name, bus_range);
>>> +               res.start = busno;
>>> +               res.end = bus_max;
>>> +               res.flags = IORESOURCE_BUS;
>>> +               pr_info("  No bus range found for %s\n", dev->full_name);
>>>         } else {
>>> -               if (bus_range->end > bus_range->start + bus_max)
>>> -                       bus_range->end = bus_range->start + bus_max;
>>> +               if (res.end > res.start + bus_max)
>>> +                       res.end = res.start + bus_max;
>>> +       }
>>> +       window = pci_add_resource(resources, NULL);
>>> +       if (!window) {
>>> +               err = -ENOMEM;
>>> +               goto parse_failed;
>>>         }
>>> -       pci_add_resource(resources, bus_range);
>>> +       *window->res = res;
>>
>> Well, now this seems racy. You add a blank resource to the list first
>> and then fill it in.
>>
>
> Huh? There is absolutely no guarantees for concurrent access here.
> pcI_add_resource_offset() first adds a resource and then modifies
> offset. Here we add an empty resource and then fill it in.

I don't really like this pattern either.  Even if there's no actual
racy behavior, it takes more analysis than necessary to figure that
out.

pci_add_resource_offset() allocates a resource list entry, sets the
offset, then adds it to the list.  It doesn't update a resource entry
that might be visible to anybody else.  Here we do update a resource
that is already visible to others because it's already on the list.

Bjorn

BTW, please CC linux-pci on the entire series so it's easier to
review.  I don't know where you envision having this applied, but I
only apply things to the PCI tree after they appear on linux-pci.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-04-04 19:18       ` Bjorn Helgaas
@ 2017-04-05  2:22         ` jeffy
  2017-04-05 13:21           ` Rob Herring
  0 siblings, 1 reply; 10+ messages in thread
From: jeffy @ 2017-04-05  2:22 UTC (permalink / raw)
  To: Bjorn Helgaas, Dmitry Torokhov
  Cc: Rob Herring, linux-kernel, toshi.kani, Shawn Lin, Brian Norris,
	Doug Anderson, Frank Rowand, devicetree

Hi Bjorn,

On 04/05/2017 03:18 AM, Bjorn Helgaas wrote:
> On Thu, Mar 23, 2017 at 5:58 PM, Dmitry Torokhov <dtor@chromium.org> wrote:
>> On Thu, Mar 23, 2017 at 3:07 PM, Rob Herring <robh@kernel.org> wrote:
>>> On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com> wrote:
>>>> Currently we only free the allocated resource struct when error.
>>>> This would cause memory leak after pci_free_resource_list.
>>>>
>>>> Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
>>>> ---
>>>>
>>>> Changes in v2:
>>>> Don't change the resource_list_create_entry's behavior.
>>>>
>>>>   drivers/of/of_pci.c | 57 +++++++++++++++++++++++------------------------------
>>>>   1 file changed, 25 insertions(+), 32 deletions(-)
>>>>
>>>> diff --git a/drivers/of/of_pci.c b/drivers/of/of_pci.c
>>>> index 0ee42c3..a0ec246 100644
>>>> --- a/drivers/of/of_pci.c
>>>> +++ b/drivers/of/of_pci.c
>>>> @@ -190,8 +190,7 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>>                          struct list_head *resources, resource_size_t *io_base)
>>>>   {
>>>>          struct resource_entry *window;
>>>> -       struct resource *res;
>>>> -       struct resource *bus_range;
>>>> +       struct resource res;
>>>>          struct of_pci_range range;
>>>>          struct of_pci_range_parser parser;
>>>>          char range_type[4];
>>>> @@ -200,24 +199,24 @@ int of_pci_get_host_bridge_resources(struct device_node *dev,
>>>>          if (io_base)
>>>>                  *io_base = (resource_size_t)OF_BAD_ADDR;
>>>>
>>>> -       bus_range = kzalloc(sizeof(*bus_range), GFP_KERNEL);
>>>> -       if (!bus_range)
>>>> -               return -ENOMEM;
>>>> -
>>>>          pr_info("host bridge %s ranges:\n", dev->full_name);
>>>>
>>>> -       err = of_pci_parse_bus_range(dev, bus_range);
>>>> +       err = of_pci_parse_bus_range(dev, &res);
>>>>          if (err) {
>>>> -               bus_range->start = busno;
>>>> -               bus_range->end = bus_max;
>>>> -               bus_range->flags = IORESOURCE_BUS;
>>>> -               pr_info("  No bus range found for %s, using %pR\n",
>>>> -                       dev->full_name, bus_range);
>>>> +               res.start = busno;
>>>> +               res.end = bus_max;
>>>> +               res.flags = IORESOURCE_BUS;
>>>> +               pr_info("  No bus range found for %s\n", dev->full_name);
>>>>          } else {
>>>> -               if (bus_range->end > bus_range->start + bus_max)
>>>> -                       bus_range->end = bus_range->start + bus_max;
>>>> +               if (res.end > res.start + bus_max)
>>>> +                       res.end = res.start + bus_max;
>>>> +       }
>>>> +       window = pci_add_resource(resources, NULL);
>>>> +       if (!window) {
>>>> +               err = -ENOMEM;
>>>> +               goto parse_failed;
>>>>          }
>>>> -       pci_add_resource(resources, bus_range);
>>>> +       *window->res = res;
>>>
>>> Well, now this seems racy. You add a blank resource to the list first
>>> and then fill it in.
>>>
>>
>> Huh? There is absolutely no guarantees for concurrent access here.
>> pcI_add_resource_offset() first adds a resource and then modifies
>> offset. Here we add an empty resource and then fill it in.
>
> I don't really like this pattern either.  Even if there's no actual
> racy behavior, it takes more analysis than necessary to figure that
> out.
>
> pci_add_resource_offset() allocates a resource list entry, sets the
> offset, then adds it to the list.  It doesn't update a resource entry
> that might be visible to anybody else.  Here we do update a resource
> that is already visible to others because it's already on the list.
i was following ./drivers/pnp/resource.c, but i'm agree this is not a 
good way.

i'll upload a new version to fix this in another way. more ideas:
1/ pass a struct device to of_pci_get_host_bridge_resources and use 
devm_kzalloc
2/ add a new type of flags(or reuse IORESOURCE_AUTO) to tell 
pci_free_resource_list to kfree them)
3/ add new helpers of of_pci_add_resource[_offset] to alloc empty res, 
fill it, add to list.
>
> Bjorn
>
> BTW, please CC linux-pci on the entire series so it's easier to
> review.  I don't know where you envision having this applied, but I
> only apply things to the PCI tree after they appear on linux-pci.
>
oh, sorry, didn't notice that, will do in next version.
>
>

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources
  2017-04-05  2:22         ` jeffy
@ 2017-04-05 13:21           ` Rob Herring
  0 siblings, 0 replies; 10+ messages in thread
From: Rob Herring @ 2017-04-05 13:21 UTC (permalink / raw)
  To: jeffy
  Cc: Bjorn Helgaas, Dmitry Torokhov, linux-kernel, toshi.kani,
	Shawn Lin, Brian Norris, Doug Anderson, Frank Rowand, devicetree

On Tue, Apr 4, 2017 at 9:22 PM, jeffy <jeffy.chen@rock-chips.com> wrote:
> Hi Bjorn,
>
>
> On 04/05/2017 03:18 AM, Bjorn Helgaas wrote:
>>
>> On Thu, Mar 23, 2017 at 5:58 PM, Dmitry Torokhov <dtor@chromium.org>
>> wrote:
>>>
>>> On Thu, Mar 23, 2017 at 3:07 PM, Rob Herring <robh@kernel.org> wrote:
>>>>
>>>> On Thu, Mar 23, 2017 at 3:12 AM, Jeffy Chen <jeffy.chen@rock-chips.com>
>>>> wrote:
>>>>>
>>>>> Currently we only free the allocated resource struct when error.
>>>>> This would cause memory leak after pci_free_resource_list.

>>>>> -       pci_add_resource(resources, bus_range);
>>>>> +       *window->res = res;
>>>>
>>>>
>>>> Well, now this seems racy. You add a blank resource to the list first
>>>> and then fill it in.
>>>>
>>>
>>> Huh? There is absolutely no guarantees for concurrent access here.
>>> pcI_add_resource_offset() first adds a resource and then modifies
>>> offset. Here we add an empty resource and then fill it in.
>>
>>
>> I don't really like this pattern either.  Even if there's no actual
>> racy behavior, it takes more analysis than necessary to figure that
>> out.
>>
>> pci_add_resource_offset() allocates a resource list entry, sets the
>> offset, then adds it to the list.  It doesn't update a resource entry
>> that might be visible to anybody else.  Here we do update a resource
>> that is already visible to others because it's already on the list.
>
> i was following ./drivers/pnp/resource.c, but i'm agree this is not a good
> way.
>
> i'll upload a new version to fix this in another way. more ideas:
> 1/ pass a struct device to of_pci_get_host_bridge_resources and use
> devm_kzalloc

I would pick this one of the 3 options or...

> 2/ add a new type of flags(or reuse IORESOURCE_AUTO) to tell
> pci_free_resource_list to kfree them)
> 3/ add new helpers of of_pci_add_resource[_offset] to alloc empty res, fill
> it, add to list.

2 other options:

Add a function to undo everything that
of_pci_get_host_bridge_resources does. Then every caller of
of_pci_get_host_bridge_resources should have a call to that function.

Or maybe you can add a pci_free_resource_list_and_resources (needs a
better name) to free both resources and list. Then audit all the
current callers of pci_free_resource_list and determine which one's
can be changed (maybe it is all of them).

Rob

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2017-04-05 13:22 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-23  8:12 [PATCH v2 0/2] Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
2017-03-23  8:12 ` [PATCH v2 1/2] PCI: return resource_entry in pci_add_resource helpers Jeffy Chen
2017-03-23  8:12 ` [PATCH v2 2/2] of/pci: Fix memory leak in of_pci_get_host_bridge_resources Jeffy Chen
2017-03-23 22:07   ` Rob Herring
2017-03-23 22:58     ` Dmitry Torokhov
2017-03-24  1:39       ` jeffy
2017-04-04 19:18       ` Bjorn Helgaas
2017-04-05  2:22         ` jeffy
2017-04-05 13:21           ` Rob Herring
2017-03-23  9:00 ` [PATCH v2 0/2] " Shawn Lin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).