From: Dongliang Mu <mudongliangabcd@gmail.com>
To: lyl2019@mail.ustc.edu.cn, siglesias@igalia.com,
jens.taprogge@taprogge.org, Greg KH <gregkh@linuxfoundation.org>
Cc: industrypack-devel@lists.sourceforge.net,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe"
Date: Tue, 20 Jul 2021 14:47:23 +0800 [thread overview]
Message-ID: <CAD-N9QVFnhKGfRYDDjWb0o_ty57AbjfzEnFPHZxEC5NOKL1ecg@mail.gmail.com> (raw)
Hi all,
I have some doubts about the patch - "ipack/carriers/tpci200: Fix a
double free in tpci200_pci_probe".
> In the out_err_bus_register error branch of tpci200_pci_probe,
> tpci200->info->cfg_regs is freed by tpci200_uninstall()->
> tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
> in the first time.
From my code review, although pci_iounmap takes
"tpci200->info->cfg_regs" as its 2nd parameter, the implementation of
pci_iounmap may not use this parameter.
Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
not be freed.
#ifdef CONFIG_PCI
/* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
struct pci_dev;
extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
#elif defined(CONFIG_GENERIC_IOMAP)
struct pci_dev;
static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
{ }
#endif
> But later, iounmap() is called to free tpci200->info->cfg_regs again.
Even if CONFIG_PCI is undefined, it is possible that
tpci200->info->cfg_regs is not freed at all. Therefore, this patch
would cause memory leak. Take a look at the following code:
void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
{
IO_COND(addr, /* nothing */, iounmap(addr));
}
#define IO_COND(addr, is_pio, is_mmio) do { \
unsigned long port = (unsigned long __force)addr; \
if (port >= PIO_RESERVED) { \
is_mmio; \
} else if (port > PIO_OFFSET) { \
port &= PIO_MASK; \
is_pio; \
} else \
bad_io_access(port, #is_pio ); \
} while (0)
If I make any mistakes, please let me know.
--
My best regards to you.
No System Is Safe!
Dongliang Mu
next reply other threads:[~2021-07-20 6:49 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-20 6:47 Dongliang Mu [this message]
2021-07-20 14:37 ` Doubts about Patch "ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe" lyl2019
2021-07-21 4:44 ` Dongliang Mu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAD-N9QVFnhKGfRYDDjWb0o_ty57AbjfzEnFPHZxEC5NOKL1ecg@mail.gmail.com \
--to=mudongliangabcd@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=industrypack-devel@lists.sourceforge.net \
--cc=jens.taprogge@taprogge.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lyl2019@mail.ustc.edu.cn \
--cc=siglesias@igalia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).