linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 00/12] staging: some memory-related patches
@ 2022-05-03  6:56 xkernel.wang
  2022-05-03  6:57 ` [PATCH 01/12] staging: rtl8712: fix potential memory leak in r8712_xmit_resource_alloc() xkernel.wang
                   ` (12 more replies)
  0 siblings, 13 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:56 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

This is a collection about some memory-related bugs fixing.
In brief, there are two types about them.
First is some memory allocation functions are called without proper
checking, which may result in wrong memory access in the subsequent
running or some else.
Second is lacking proper error handling that does not release some
allocated resources, which may result in memory leak problems.

These issuses are similar, so they are put in this series together.
Note that most of them are sent as each separate patch before, this series
rebased them to the lasted version. While there are some inherent logical
relationships between 03~05/11~12.

Xiaoke Wang (12):
  staging: rtl8712: fix potential memory leak in
    r8712_xmit_resource_alloc()
  staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv()
  staging: rtl8712: fix potential memory leak in r8712_init_drv_sw()
  staging: rtl8712: change the type of _r8712_init_recv_priv()
  staging: rtl8712: add two validation check in r8712_init_drv_sw()
  staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
  staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv()
  staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
  staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv()
  staging: r8188eu: fix potential memory leak in
    rtw_os_xmit_resource_alloc()
  staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv()
  staging: r8188eu: check the return of kzalloc()

 drivers/staging/r8188eu/core/rtw_cmd.c      | 16 +++---
 drivers/staging/r8188eu/core/rtw_xmit.c     | 42 +++++++++++----
 drivers/staging/r8188eu/include/rtw_xmit.h  |  2 +-
 drivers/staging/r8188eu/os_dep/xmit_linux.c |  4 +-
 drivers/staging/rtl8712/os_intfs.c          | 26 +++++++--
 drivers/staging/rtl8712/recv_osdep.h        |  2 +-
 drivers/staging/rtl8712/rtl871x_recv.c      |  6 +--
 drivers/staging/rtl8712/rtl871x_xmit.c      | 27 +++++++---
 drivers/staging/rtl8712/xmit_linux.c        |  3 +-
 drivers/staging/rtl8723bs/core/rtw_cmd.c    | 17 +++---
 drivers/staging/rtl8723bs/core/rtw_xmit.c   | 50 ++++++++++++-----
 drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 +++++++++++----------
 12 files changed, 163 insertions(+), 92 deletions(-)

-- 

^ permalink raw reply	[flat|nested] 17+ messages in thread

* [PATCH 01/12] staging: rtl8712: fix potential memory leak in r8712_xmit_resource_alloc()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
@ 2022-05-03  6:57 ` xkernel.wang
  2022-05-03  6:58 ` [PATCH 02/12] staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv() xkernel.wang
                   ` (11 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:57 UTC (permalink / raw)
  To: Larry.Finger, florian.c.schilhabel, gregkh
  Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In r8712_xmit_resource_alloc(), if usb_alloc_urb() fails, there can be
some explored items are not released before this function returns.

Therefore, this patch re-explores the allocated items and uses
usb_free_urb() to release them.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8712/xmit_linux.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/rtl8712/xmit_linux.c b/drivers/staging/rtl8712/xmit_linux.c
index 4a93839..034de02 100644
--- a/drivers/staging/rtl8712/xmit_linux.c
+++ b/drivers/staging/rtl8712/xmit_linux.c
@@ -113,9 +113,10 @@ int r8712_xmit_resource_alloc(struct _adapter *padapter,
 		pxmitbuf->pxmit_urb[i] = usb_alloc_urb(0, GFP_KERNEL);
 		if (!pxmitbuf->pxmit_urb[i]) {
 			netdev_err(padapter->pnetdev, "pxmitbuf->pxmit_urb[i] == NULL\n");
+			while (i-- > 0)
+				usb_free_urb(pxmitbuf->pxmit_urb[i]);
 			return -ENOMEM;
 		}
-		kmemleak_not_leak(pxmitbuf->pxmit_urb[i]);
 	}
 	return 0;
 }
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 02/12] staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
  2022-05-03  6:57 ` [PATCH 01/12] staging: rtl8712: fix potential memory leak in r8712_xmit_resource_alloc() xkernel.wang
@ 2022-05-03  6:58 ` xkernel.wang
  2022-05-03  6:58 ` [PATCH 03/12] staging: rtl8712: fix potential memory leak in r8712_init_drv_sw() xkernel.wang
                   ` (10 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:58 UTC (permalink / raw)
  To: Larry.Finger, florian.c.schilhabel, gregkh
  Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In _r8712_init_xmit_priv(), if `pxmitbuf->pallocated_buf` is allocated in
failure or `r8712_xmit_resource_alloc(padapter, pxmitbuf)` fails, then it
just returns -ENOMEM but not releases the previous allocated resources,
which leads to various memory leaks.

To fix the memory leaks, this patch unifies the error handler in
_r8712_init_xmit_priv().
Note that if `r8712_xmit_resource_alloc(padapter, pxmitbuf)` fails, we
should call `kfree(pxmitbuf->pallocated_buf);` before goto the error
section so that we do not need to concern the failed item.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8712/rtl871x_xmit.c | 27 ++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/rtl8712/rtl871x_xmit.c b/drivers/staging/rtl8712/rtl871x_xmit.c
index 090345b..dcf3f76 100644
--- a/drivers/staging/rtl8712/rtl871x_xmit.c
+++ b/drivers/staging/rtl8712/rtl871x_xmit.c
@@ -117,11 +117,8 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
 	_init_queue(&pxmitpriv->pending_xmitbuf_queue);
 	pxmitpriv->pallocated_xmitbuf =
 		kmalloc(NR_XMITBUFF * sizeof(struct xmit_buf) + 4, GFP_ATOMIC);
-	if (!pxmitpriv->pallocated_xmitbuf) {
-		kfree(pxmitpriv->pallocated_frame_buf);
-		pxmitpriv->pallocated_frame_buf = NULL;
-		return -ENOMEM;
-	}
+	if (!pxmitpriv->pallocated_xmitbuf)
+		goto free_frame_buf;
 	pxmitpriv->pxmitbuf = pxmitpriv->pallocated_xmitbuf + 4 -
 			      ((addr_t)(pxmitpriv->pallocated_xmitbuf) & 3);
 	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
@@ -130,12 +127,14 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
 		pxmitbuf->pallocated_buf =
 			kmalloc(MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ, GFP_ATOMIC);
 		if (!pxmitbuf->pallocated_buf)
-			return -ENOMEM;
+			goto free_xmitbuf;
 		pxmitbuf->pbuf = pxmitbuf->pallocated_buf + XMITBUF_ALIGN_SZ -
 				 ((addr_t) (pxmitbuf->pallocated_buf) &
 				 (XMITBUF_ALIGN_SZ - 1));
-		if (r8712_xmit_resource_alloc(padapter, pxmitbuf))
-			return -ENOMEM;
+		if (r8712_xmit_resource_alloc(padapter, pxmitbuf)) {
+			kfree(pxmitbuf->pallocated_buf);
+			goto free_xmitbuf;
+		}
 		list_add_tail(&pxmitbuf->list,
 				 &(pxmitpriv->free_xmitbuf_queue.queue));
 		pxmitbuf++;
@@ -146,6 +145,18 @@ int _r8712_init_xmit_priv(struct xmit_priv *pxmitpriv,
 	init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
 	tasklet_setup(&pxmitpriv->xmit_tasklet, r8712_xmit_bh);
 	return 0;
+
+free_xmitbuf:
+	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+	while (i-- > 0) {
+		r8712_xmit_resource_free(padapter, pxmitbuf);
+		kfree(pxmitbuf->pallocated_buf);
+		pxmitbuf++;
+	}
+	kfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+	kfree(pxmitpriv->pallocated_frame_buf);
+	return -ENOMEM;
 }
 
 void _free_xmit_priv(struct xmit_priv *pxmitpriv)
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 03/12] staging: rtl8712: fix potential memory leak in r8712_init_drv_sw()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
  2022-05-03  6:57 ` [PATCH 01/12] staging: rtl8712: fix potential memory leak in r8712_xmit_resource_alloc() xkernel.wang
  2022-05-03  6:58 ` [PATCH 02/12] staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv() xkernel.wang
@ 2022-05-03  6:58 ` xkernel.wang
  2022-05-03  6:59 ` [PATCH 04/12] staging: rtl8712: change the type of _r8712_init_recv_priv() xkernel.wang
                   ` (9 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:58 UTC (permalink / raw)
  To: Larry.Finger, florian.c.schilhabel, gregkh
  Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In r8712_init_drv_sw(), there are various error paths do not properly
release the previous allocated resources but directly return the error
status, which leads to various memory leaks.

To properly release the resources, this patch unifies the error handler
of r8712_init_drv_sw().
According to the allocation sequence, if the init function returns
failure, it will jump to the corresponding error tag.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8712/os_intfs.c | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 003e972..43a7953 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -304,10 +304,10 @@ int r8712_init_drv_sw(struct _adapter *padapter)
 	padapter->cmdpriv.padapter = padapter;
 	ret = r8712_init_evt_priv(&padapter->evtpriv);
 	if (ret)
-		return ret;
+		goto free_cmd_priv;
 	ret = r8712_init_mlme_priv(padapter);
 	if (ret)
-		return ret;
+		goto free_evt_priv;
 	_r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
 	_r8712_init_recv_priv(&padapter->recvpriv, padapter);
 	memset((unsigned char *)&padapter->securitypriv, 0,
@@ -316,13 +316,25 @@ int r8712_init_drv_sw(struct _adapter *padapter)
 		    r8712_use_tkipkey_handler, 0);
 	ret = _r8712_init_sta_priv(&padapter->stapriv);
 	if (ret)
-		return ret;
+		goto free_recv_priv;
 	padapter->stapriv.padapter = padapter;
 	r8712_init_bcmc_stainfo(padapter);
 	r8712_init_pwrctrl_priv(padapter);
 	mp871xinit(padapter);
 	init_default_value(padapter);
 	r8712_InitSwLeds(padapter);
+	return 0;
+
+free_recv_priv:
+	_r8712_free_recv_priv(&padapter->recvpriv);
+free_xmit_priv:
+	_free_xmit_priv(&padapter->xmitpriv);
+free_mlme_priv:
+	r8712_free_mlme_priv(&padapter->mlmepriv);
+free_evt_priv:
+	r8712_free_evt_priv(&padapter->evtpriv);
+free_cmd_priv:
+	r8712_free_cmd_priv(&padapter->cmdpriv);
 	return ret;
 }
 
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 04/12] staging: rtl8712: change the type of _r8712_init_recv_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (2 preceding siblings ...)
  2022-05-03  6:58 ` [PATCH 03/12] staging: rtl8712: fix potential memory leak in r8712_init_drv_sw() xkernel.wang
@ 2022-05-03  6:59 ` xkernel.wang
  2022-05-03  6:59 ` [PATCH 05/12] staging: rtl8712: add two validation check in r8712_init_drv_sw() xkernel.wang
                   ` (8 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:59 UTC (permalink / raw)
  To: Larry.Finger, florian.c.schilhabel, gregkh
  Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

There is a memory allocation in _r8712_init_recv_priv().
However, since the original type of this function is `void`, its error
status can not be feedbacked to its caller.
Therefore, to make the error of allocation failures propagate to its
caller easily, this patch changes the type of this function to `int`.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8712/recv_osdep.h   | 2 +-
 drivers/staging/rtl8712/rtl871x_recv.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rtl8712/recv_osdep.h b/drivers/staging/rtl8712/recv_osdep.h
index d8c1fa7..f5b97c5 100644
--- a/drivers/staging/rtl8712/recv_osdep.h
+++ b/drivers/staging/rtl8712/recv_osdep.h
@@ -18,7 +18,7 @@
 #include "drv_types.h"
 #include <linux/skbuff.h>
 
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
 			   struct _adapter *padapter);
 void _r8712_free_recv_priv(struct recv_priv *precvpriv);
 void r8712_recv_entry(union recv_frame *precv_frame);
diff --git a/drivers/staging/rtl8712/rtl871x_recv.c b/drivers/staging/rtl8712/rtl871x_recv.c
index de9a568..e814c07 100644
--- a/drivers/staging/rtl8712/rtl871x_recv.c
+++ b/drivers/staging/rtl8712/rtl871x_recv.c
@@ -44,7 +44,7 @@ void _r8712_init_sta_recv_priv(struct sta_recv_priv *psta_recvpriv)
 	_init_queue(&psta_recvpriv->defrag_q);
 }
 
-void _r8712_init_recv_priv(struct recv_priv *precvpriv,
+int _r8712_init_recv_priv(struct recv_priv *precvpriv,
 			   struct _adapter *padapter)
 {
 	sint i;
@@ -60,8 +60,7 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
 				sizeof(union recv_frame) + RXFRAME_ALIGN_SZ,
 				GFP_ATOMIC);
 	if (!precvpriv->pallocated_frame_buf)
-		return;
-	kmemleak_not_leak(precvpriv->pallocated_frame_buf);
+		return -ENOMEM;
 	precvpriv->precv_frame_buf = precvpriv->pallocated_frame_buf +
 				    RXFRAME_ALIGN_SZ -
 				    ((addr_t)(precvpriv->pallocated_frame_buf) &
@@ -77,6 +76,7 @@ void _r8712_init_recv_priv(struct recv_priv *precvpriv,
 	}
 	precvpriv->rx_pending_cnt = 1;
 	r8712_init_recv_priv(precvpriv, padapter);
+	return 0;
 }
 
 void _r8712_free_recv_priv(struct recv_priv *precvpriv)
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 05/12] staging: rtl8712: add two validation check in r8712_init_drv_sw()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (3 preceding siblings ...)
  2022-05-03  6:59 ` [PATCH 04/12] staging: rtl8712: change the type of _r8712_init_recv_priv() xkernel.wang
@ 2022-05-03  6:59 ` xkernel.wang
  2022-05-03  7:00 ` [PATCH 06/12] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv() xkernel.wang
                   ` (7 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  6:59 UTC (permalink / raw)
  To: Larry.Finger, florian.c.schilhabel, gregkh
  Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

_r8712_init_xmit_priv() or _r8712_init_recv_priv() returns -ENOMEM
when some allocations inside it failed.
However, the caller, i.e., r8712_init_drv_sw(), does not properly
validate their return status, which may lead to potential wrong memory
access in the future.

Therefore, this patch adds two validation check for their return status
and properly jump to the corresponding error hanlding code if failures
happen.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8712/os_intfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/rtl8712/os_intfs.c b/drivers/staging/rtl8712/os_intfs.c
index 43a7953..3d79d24 100644
--- a/drivers/staging/rtl8712/os_intfs.c
+++ b/drivers/staging/rtl8712/os_intfs.c
@@ -308,8 +308,12 @@ int r8712_init_drv_sw(struct _adapter *padapter)
 	ret = r8712_init_mlme_priv(padapter);
 	if (ret)
 		goto free_evt_priv;
-	_r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
-	_r8712_init_recv_priv(&padapter->recvpriv, padapter);
+	ret = _r8712_init_xmit_priv(&padapter->xmitpriv, padapter);
+	if (ret)
+		goto free_mlme_priv;
+	ret = _r8712_init_recv_priv(&padapter->recvpriv, padapter);
+	if (ret)
+		goto free_xmit_priv;
 	memset((unsigned char *)&padapter->securitypriv, 0,
 	       sizeof(struct security_priv));
 	timer_setup(&padapter->securitypriv.tkip_timer,
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 06/12] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (4 preceding siblings ...)
  2022-05-03  6:59 ` [PATCH 05/12] staging: rtl8712: add two validation check in r8712_init_drv_sw() xkernel.wang
@ 2022-05-03  7:00 ` xkernel.wang
  2022-05-03  7:00 ` [PATCH 07/12] staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
                   ` (6 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:00 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will be not properly
released. Besides, considering there are only two error paths and the
first one can directly return, so we do not need implicitly jump to the
`exit` tag to execute the error handler.

So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
rtw_init_cmd_priv().

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_cmd.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_cmd.c b/drivers/staging/rtl8723bs/core/rtw_cmd.c
index b4170f6..0a35142 100644
--- a/drivers/staging/rtl8723bs/core/rtw_cmd.c
+++ b/drivers/staging/rtl8723bs/core/rtw_cmd.c
@@ -161,8 +161,6 @@ static struct cmd_hdl wlancmds[] = {
 
 int rtw_init_cmd_priv(struct	cmd_priv *pcmdpriv)
 {
-	int res = 0;
-
 	init_completion(&pcmdpriv->cmd_queue_comp);
 	init_completion(&pcmdpriv->terminate_cmdthread_comp);
 
@@ -175,18 +173,17 @@ int rtw_init_cmd_priv(struct	cmd_priv *pcmdpriv)
 
 	pcmdpriv->cmd_allocated_buf = rtw_zmalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ);
 
-	if (!pcmdpriv->cmd_allocated_buf) {
-		res = -ENOMEM;
-		goto exit;
-	}
+	if (!pcmdpriv->cmd_allocated_buf)
+		return -ENOMEM;
 
 	pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf  +  CMDBUFF_ALIGN_SZ - ((SIZE_PTR)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ-1));
 
 	pcmdpriv->rsp_allocated_buf = rtw_zmalloc(MAX_RSPSZ + 4);
 
 	if (!pcmdpriv->rsp_allocated_buf) {
-		res = -ENOMEM;
-		goto exit;
+		kfree(pcmdpriv->cmd_allocated_buf);
+		pcmdpriv->cmd_allocated_buf = NULL;
+		return -ENOMEM;
 	}
 
 	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf  +  4 - ((SIZE_PTR)(pcmdpriv->rsp_allocated_buf) & 3);
@@ -196,8 +193,8 @@ int rtw_init_cmd_priv(struct	cmd_priv *pcmdpriv)
 	pcmdpriv->rsp_cnt = 0;
 
 	mutex_init(&pcmdpriv->sctx_mutex);
-exit:
-	return res;
+
+	return 0;
 }
 
 static void c2h_wk_callback(struct work_struct *work);
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 07/12] staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (5 preceding siblings ...)
  2022-05-03  7:00 ` [PATCH 06/12] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv() xkernel.wang
@ 2022-05-03  7:00 ` xkernel.wang
  2022-05-03  7:00 ` [PATCH 08/12] staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw() xkernel.wang
                   ` (5 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:00 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In _rtw_init_xmit_priv(), there are seven error paths for allocation
failures without releasing the resources but directly goto `exit`, while
the exit section only executes `return res;`, which leads to various
memory leaks.

To properly release them, this patch unifies the error handlers of
_rtw_init_xmit_priv() and several error handling paths are added.
According to the allocation sequence, each error will jump to its
corresponding error handling tag.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8723bs/core/rtw_xmit.c | 50 +++++++++++++++++------
 1 file changed, 37 insertions(+), 13 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_xmit.c b/drivers/staging/rtl8723bs/core/rtw_xmit.c
index a225126..2d10fa9 100644
--- a/drivers/staging/rtl8723bs/core/rtw_xmit.c
+++ b/drivers/staging/rtl8723bs/core/rtw_xmit.c
@@ -112,7 +112,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	if (!pxmitpriv->pallocated_xmitbuf) {
 		res = _FAIL;
-		goto exit;
+		goto free_frame_buf;
 	}
 
 	pxmitpriv->pxmitbuf = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->pallocated_xmitbuf), 4);
@@ -132,7 +132,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 			msleep(10);
 			res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ), true);
 			if (res == _FAIL)
-				goto exit;
+				goto free_xmitbuf;
 		}
 
 		pxmitbuf->phead = pxmitbuf->pbuf;
@@ -162,7 +162,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 	if (!pxmitpriv->xframe_ext_alloc_addr) {
 		pxmitpriv->xframe_ext = NULL;
 		res = _FAIL;
-		goto exit;
+		goto free_xmitbuf;
 	}
 	pxmitpriv->xframe_ext = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->xframe_ext_alloc_addr), 4);
 	pxframe = (struct xmit_frame *)pxmitpriv->xframe_ext;
@@ -195,7 +195,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	if (!pxmitpriv->pallocated_xmit_extbuf) {
 		res = _FAIL;
-		goto exit;
+		goto free_xframe_ext;
 	}
 
 	pxmitpriv->pxmit_extbuf = (u8 *)N_BYTE_ALIGMENT((SIZE_PTR)(pxmitpriv->pallocated_xmit_extbuf), 4);
@@ -210,10 +210,8 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 		pxmitbuf->buf_tag = XMITBUF_MGNT;
 
 		res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, MAX_XMIT_EXTBUF_SZ + XMITBUF_ALIGN_SZ, true);
-		if (res == _FAIL) {
-			res = _FAIL;
-			goto exit;
-		}
+		if (res == _FAIL)
+			goto free_xmit_extbuf;
 
 		pxmitbuf->phead = pxmitbuf->pbuf;
 		pxmitbuf->pend = pxmitbuf->pbuf + MAX_XMIT_EXTBUF_SZ;
@@ -240,10 +238,8 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 			pxmitbuf->buf_tag = XMITBUF_CMD;
 
 			res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, MAX_CMDBUF_SZ+XMITBUF_ALIGN_SZ, true);
-			if (res == _FAIL) {
-				res = _FAIL;
-				goto exit;
-			}
+			if (res == _FAIL)
+				goto free_cmd_xmitbuf;
 
 			pxmitbuf->phead = pxmitbuf->pbuf;
 			pxmitbuf->pend = pxmitbuf->pbuf + MAX_CMDBUF_SZ;
@@ -255,7 +251,7 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	res = rtw_alloc_hwxmits(padapter);
 	if (res == _FAIL)
-		goto exit;
+		goto free_cmd_xmitbuf;
 	rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
 
 	for (i = 0; i < 4; i++)
@@ -267,6 +263,34 @@ s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	rtw_hal_init_xmit_priv(padapter);
 
+	return res;
+
+free_cmd_xmitbuf:
+	while (i-- > 0) {
+		pxmitbuf = &pxmitpriv->pcmd_xmitbuf[i];
+		if (pxmitbuf)
+			rtw_os_xmit_resource_free(padapter, pxmitbuf, MAX_CMDBUF_SZ + XMITBUF_ALIGN_SZ, true);
+	}
+	i = NR_XMIT_EXTBUFF;
+free_xmit_extbuf:
+	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmit_extbuf;
+	while (i-- > 0) {
+		rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMIT_EXTBUF_SZ + XMITBUF_ALIGN_SZ), true);
+		pxmitbuf++;
+	}
+	vfree(pxmitpriv->pallocated_xmit_extbuf);
+free_xframe_ext:
+	vfree(pxmitpriv->xframe_ext_alloc_addr);
+	i = NR_XMITBUFF;
+free_xmitbuf:
+	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+	while (i-- > 0) {
+		rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ), true);
+		pxmitbuf++;
+	}
+	vfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+	vfree(pxmitpriv->pallocated_frame_buf);
 exit:
 	return res;
 }
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 08/12] staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (6 preceding siblings ...)
  2022-05-03  7:00 ` [PATCH 07/12] staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
@ 2022-05-03  7:00 ` xkernel.wang
  2022-05-03  7:01 ` [PATCH 09/12] staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv() xkernel.wang
                   ` (4 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:00 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In rtw_init_drv_sw(), there are various init functions are called to
populate the padapter structure and some checks for their return value.
However, except for the first one error path, the other five error paths
do not properly release the previous allocated resources, which leads to
various memory leaks.

This patch fixes this and keeps the success and error separate.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 +++++++++++----------
 1 file changed, 31 insertions(+), 29 deletions(-)

diff --git a/drivers/staging/rtl8723bs/os_dep/os_intfs.c b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
index 380d8c9..68bba3c 100644
--- a/drivers/staging/rtl8723bs/os_dep/os_intfs.c
+++ b/drivers/staging/rtl8723bs/os_dep/os_intfs.c
@@ -664,51 +664,36 @@ void rtw_reset_drv_sw(struct adapter *padapter)
 
 u8 rtw_init_drv_sw(struct adapter *padapter)
 {
-	u8 ret8 = _SUCCESS;
-
 	rtw_init_default_value(padapter);
 
 	rtw_init_hal_com_default_value(padapter);
 
-	if (rtw_init_cmd_priv(&padapter->cmdpriv)) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (rtw_init_cmd_priv(&padapter->cmdpriv))
+		return _FAIL;
 
 	padapter->cmdpriv.padapter = padapter;
 
-	if (rtw_init_evt_priv(&padapter->evtpriv)) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (rtw_init_evt_priv(&padapter->evtpriv))
+		goto free_cmd_priv;
 
-
-	if (rtw_init_mlme_priv(padapter) == _FAIL) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (rtw_init_mlme_priv(padapter) == _FAIL)
+		goto free_evt_priv;
 
 	init_mlme_ext_priv(padapter);
 
-	if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (_rtw_init_xmit_priv(&padapter->xmitpriv, padapter) == _FAIL)
+		goto free_mlme_ext;
 
-	if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (_rtw_init_recv_priv(&padapter->recvpriv, padapter) == _FAIL)
+		goto free_xmit_priv;
 	/*  add for CONFIG_IEEE80211W, none 11w also can use */
 	spin_lock_init(&padapter->security_key_mutex);
 
 	/*  We don't need to memset padapter->XXX to zero, because adapter is allocated by vzalloc(). */
 	/* memset((unsigned char *)&padapter->securitypriv, 0, sizeof (struct security_priv)); */
 
-	if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL) {
-		ret8 = _FAIL;
-		goto exit;
-	}
+	if (_rtw_init_sta_priv(&padapter->stapriv) == _FAIL)
+		goto free_recv_priv;
 
 	padapter->stapriv.padapter = padapter;
 	padapter->setband = GHZ24_50;
@@ -719,9 +704,26 @@ u8 rtw_init_drv_sw(struct adapter *padapter)
 
 	rtw_hal_dm_init(padapter);
 
-exit:
+	return _SUCCESS;
+
+free_recv_priv:
+	_rtw_free_recv_priv(&padapter->recvpriv);
+
+free_xmit_priv:
+	_rtw_free_xmit_priv(&padapter->xmitpriv);
+
+free_mlme_ext:
+	free_mlme_ext_priv(&padapter->mlmeextpriv);
 
-	return ret8;
+	rtw_free_mlme_priv(&padapter->mlmepriv);
+
+free_evt_priv:
+	rtw_free_evt_priv(&padapter->evtpriv);
+
+free_cmd_priv:
+	rtw_free_cmd_priv(&padapter->cmdpriv);
+
+	return _FAIL;
 }
 
 void rtw_cancel_all_timer(struct adapter *padapter)
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 09/12] staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (7 preceding siblings ...)
  2022-05-03  7:00 ` [PATCH 08/12] staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw() xkernel.wang
@ 2022-05-03  7:01 ` xkernel.wang
  2022-05-03  7:01 ` [PATCH 10/12] staging: r8188eu: fix potential memory leak in rtw_os_xmit_resource_alloc() xkernel.wang
                   ` (3 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:01 UTC (permalink / raw)
  To: Larry.Finger, phil, gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In _rtw_init_cmd_priv(), if `pcmdpriv->rsp_allocated_buf` is allocated
in failure, then `pcmdpriv->cmd_allocated_buf` will not be properly
released. Besides, considering there are only two error paths and the
first one can directly return, we do not need to implicitly jump to the
`exit` tag to execute the error handling code.

So this patch added `kfree(pcmdpriv->cmd_allocated_buf);` on the error
path to release the resource and simplified the return logic of
_rtw_init_cmd_priv().

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/r8188eu/core/rtw_cmd.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

diff --git a/drivers/staging/r8188eu/core/rtw_cmd.c b/drivers/staging/r8188eu/core/rtw_cmd.c
index 06523d9..37b68a9 100644
--- a/drivers/staging/r8188eu/core/rtw_cmd.c
+++ b/drivers/staging/r8188eu/core/rtw_cmd.c
@@ -58,8 +58,6 @@ static int _rtw_enqueue_cmd(struct __queue *queue, struct cmd_obj *obj)
 
 u32	rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
 {
-	u32 res = _SUCCESS;
-
 	init_completion(&pcmdpriv->enqueue_cmd);
 	/* sema_init(&(pcmdpriv->cmd_done_sema), 0); */
 	init_completion(&pcmdpriv->start_cmd_thread);
@@ -74,27 +72,25 @@ u32	rtw_init_cmd_priv(struct cmd_priv *pcmdpriv)
 	pcmdpriv->cmd_allocated_buf = kzalloc(MAX_CMDSZ + CMDBUFF_ALIGN_SZ,
 					      GFP_KERNEL);
 
-	if (!pcmdpriv->cmd_allocated_buf) {
-		res = _FAIL;
-		goto exit;
-	}
+	if (!pcmdpriv->cmd_allocated_buf)
+		return _FAIL;
 
 	pcmdpriv->cmd_buf = pcmdpriv->cmd_allocated_buf  +  CMDBUFF_ALIGN_SZ - ((size_t)(pcmdpriv->cmd_allocated_buf) & (CMDBUFF_ALIGN_SZ - 1));
 
 	pcmdpriv->rsp_allocated_buf = kzalloc(MAX_RSPSZ + 4, GFP_KERNEL);
 
 	if (!pcmdpriv->rsp_allocated_buf) {
-		res = _FAIL;
-		goto exit;
+		kfree(pcmdpriv->cmd_allocated_buf);
+		pcmdpriv->cmd_allocated_buf = NULL;
+		return _FAIL;
 	}
 
 	pcmdpriv->rsp_buf = pcmdpriv->rsp_allocated_buf  +  4 - ((size_t)(pcmdpriv->rsp_allocated_buf) & 3);
 
 	pcmdpriv->cmd_done_cnt = 0;
 	pcmdpriv->rsp_cnt = 0;
-exit:
 
-	return res;
+	return _SUCCESS;
 }
 
 u32 rtw_init_evt_priv(struct evt_priv *pevtpriv)
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 10/12] staging: r8188eu: fix potential memory leak in rtw_os_xmit_resource_alloc()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (8 preceding siblings ...)
  2022-05-03  7:01 ` [PATCH 09/12] staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv() xkernel.wang
@ 2022-05-03  7:01 ` xkernel.wang
  2022-05-03  7:02 ` [PATCH 11/12] staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
                   ` (2 subsequent siblings)
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:01 UTC (permalink / raw)
  To: Larry.Finger, phil, gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In rtw_os_xmit_resource_alloc(), if usb_alloc_urb() fails, then the
memory `pxmitbuf_pallocated_buf` which is allocated by kzalloc() is
not properly released before returning.
So this patch add kfree() on the above error path to release it.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/r8188eu/os_dep/xmit_linux.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/r8188eu/os_dep/xmit_linux.c b/drivers/staging/r8188eu/os_dep/xmit_linux.c
index e430c64..0c448e0 100644
--- a/drivers/staging/r8188eu/os_dep/xmit_linux.c
+++ b/drivers/staging/r8188eu/os_dep/xmit_linux.c
@@ -75,8 +75,10 @@ int rtw_os_xmit_resource_alloc(struct adapter *padapter, struct xmit_buf *pxmitb
 	pxmitbuf->dma_transfer_addr = 0;
 
 	pxmitbuf->pxmit_urb = usb_alloc_urb(0, GFP_KERNEL);
-	if (!pxmitbuf->pxmit_urb)
+	if (!pxmitbuf->pxmit_urb) {
+		kfree(pxmitbuf->pallocated_buf);
 		return _FAIL;
+	}
 
 	return _SUCCESS;
 }
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 11/12] staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (9 preceding siblings ...)
  2022-05-03  7:01 ` [PATCH 10/12] staging: r8188eu: fix potential memory leak in rtw_os_xmit_resource_alloc() xkernel.wang
@ 2022-05-03  7:02 ` xkernel.wang
  2022-05-03  7:02 ` [PATCH 12/12] staging: r8188eu: check the return of kzalloc() xkernel.wang
  2022-06-06  6:11 ` [PATCH 00/12] staging: some memory-related patches Greg KH
  12 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:02 UTC (permalink / raw)
  To: Larry.Finger, phil, gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

In _rtw_init_xmit_priv(), there are several error paths for allocation
failures just jump to the `exit` section. However, there is no action
will be performed, so the allocated resources are not properly released,
which leads to various memory leaks.

To properly release them, this patch unifies the error handling code and
several error handling paths are added.
According to the allocation sequence, if the validation fails, it will
jump to its corresponding error tag to release the resources.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/r8188eu/core/rtw_xmit.c | 32 ++++++++++++++++++-------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
index d086812..4c54647 100644
--- a/drivers/staging/r8188eu/core/rtw_xmit.c
+++ b/drivers/staging/r8188eu/core/rtw_xmit.c
@@ -112,7 +112,7 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	if (!pxmitpriv->pallocated_xmitbuf) {
 		res = _FAIL;
-		goto exit;
+		goto free_frame_buf;
 	}
 
 	pxmitpriv->pxmitbuf = (u8 *)N_BYTE_ALIGMENT((size_t)(pxmitpriv->pallocated_xmitbuf), 4);
@@ -134,7 +134,7 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 			msleep(10);
 			res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ));
 			if (res == _FAIL)
-				goto exit;
+				goto free_xmitbuf;
 		}
 
 		pxmitbuf->flags = XMIT_VO_QUEUE;
@@ -152,7 +152,7 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	if (!pxmitpriv->pallocated_xmit_extbuf) {
 		res = _FAIL;
-		goto exit;
+		goto free_xmitbuf;
 	}
 
 	pxmitpriv->pxmit_extbuf = (u8 *)N_BYTE_ALIGMENT((size_t)(pxmitpriv->pallocated_xmit_extbuf), 4);
@@ -167,10 +167,8 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 		pxmitbuf->ext_tag = true;
 
 		res = rtw_os_xmit_resource_alloc(padapter, pxmitbuf, max_xmit_extbuf_size + XMITBUF_ALIGN_SZ);
-		if (res == _FAIL) {
-			res = _FAIL;
-			goto exit;
-		}
+		if (res == _FAIL)
+			goto free_xmit_extbuf;
 
 		list_add_tail(&pxmitbuf->list, &pxmitpriv->free_xmit_extbuf_queue.queue);
 		pxmitbuf++;
@@ -200,8 +198,26 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	rtl8188eu_init_xmit_priv(padapter);
 
-exit:
+	return _SUCCESS;
 
+free_xmit_extbuf:
+	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmit_extbuf;
+	while (i-- > 0) {
+		rtw_os_xmit_resource_free(padapter, pxmitbuf, (max_xmit_extbuf_size + XMITBUF_ALIGN_SZ));
+		pxmitbuf++;
+	}
+	vfree(pxmitpriv->pallocated_xmit_extbuf);
+	i = NR_XMITBUFF;
+free_xmitbuf:
+	pxmitbuf = (struct xmit_buf *)pxmitpriv->pxmitbuf;
+	while (i-- > 0) {
+		rtw_os_xmit_resource_free(padapter, pxmitbuf, (MAX_XMITBUF_SZ + XMITBUF_ALIGN_SZ));
+		pxmitbuf++;
+	}
+	vfree(pxmitpriv->pallocated_xmitbuf);
+free_frame_buf:
+	vfree(pxmitpriv->pallocated_frame_buf);
+exit:
 	return res;
 }
 
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [PATCH 12/12] staging: r8188eu: check the return of kzalloc()
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (10 preceding siblings ...)
  2022-05-03  7:02 ` [PATCH 11/12] staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
@ 2022-05-03  7:02 ` xkernel.wang
  2022-05-03  7:08   ` Joe Perches
  2022-06-06  6:11 ` [PATCH 00/12] staging: some memory-related patches Greg KH
  12 siblings, 1 reply; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  7:02 UTC (permalink / raw)
  To: Larry.Finger, phil, gregkh; +Cc: linux-staging, linux-kernel, Xiaoke Wang

From: Xiaoke Wang <xkernel.wang@foxmail.com>

kzalloc() is a memory allocation function which can return NULL when
some internal memory errors happen. So it is better to handle the return
of it to prevent potential wrong memory access.

Besides, to propagate the error to the caller, the type of
rtw_alloc_hwxmits() is changed to `int` and another check is added to
its caller.
Then if kzalloc() fails, the caller will properly jump to the
corresponding error hanlding code.

Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
---
 drivers/staging/r8188eu/core/rtw_xmit.c    | 10 ++++++++--
 drivers/staging/r8188eu/include/rtw_xmit.h |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
index 4c54647..7d1fa52 100644
--- a/drivers/staging/r8188eu/core/rtw_xmit.c
+++ b/drivers/staging/r8188eu/core/rtw_xmit.c
@@ -176,7 +176,9 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
 
 	pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
 
-	rtw_alloc_hwxmits(padapter);
+	res = rtw_alloc_hwxmits(padapter);
+	if (res == _FAIL)
+		goto free_xmit_extbuf;
 	rtw_init_hwxmits(pxmitpriv->hwxmits, pxmitpriv->hwxmit_entry);
 
 	for (i = 0; i < 4; i++)
@@ -1487,7 +1489,7 @@ s32 rtw_xmit_classifier(struct adapter *padapter, struct xmit_frame *pxmitframe)
 	return res;
 }
 
-void rtw_alloc_hwxmits(struct adapter *padapter)
+int rtw_alloc_hwxmits(struct adapter *padapter)
 {
 	struct hw_xmit *hwxmits;
 	struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
@@ -1495,6 +1497,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
 	pxmitpriv->hwxmit_entry = HWXMIT_ENTRY;
 
 	pxmitpriv->hwxmits = kzalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry, GFP_KERNEL);
+	if (!pxmitpriv->hwxmits)
+		return _FAIL;
 
 	hwxmits = pxmitpriv->hwxmits;
 
@@ -1511,6 +1515,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
 		hwxmits[3] .sta_queue = &pxmitpriv->bk_pending;
 	} else {
 	}
+
+	return _SUCCESS;
 }
 
 void rtw_free_hwxmits(struct adapter *padapter)
diff --git a/drivers/staging/r8188eu/include/rtw_xmit.h b/drivers/staging/r8188eu/include/rtw_xmit.h
index 54c2bdf..034a9f8 100644
--- a/drivers/staging/r8188eu/include/rtw_xmit.h
+++ b/drivers/staging/r8188eu/include/rtw_xmit.h
@@ -341,7 +341,7 @@ s32 rtw_txframes_sta_ac_pending(struct adapter *padapter,
 void rtw_init_hwxmits(struct hw_xmit *phwxmit, int entry);
 s32 _rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter);
 void _rtw_free_xmit_priv(struct xmit_priv *pxmitpriv);
-void rtw_alloc_hwxmits(struct adapter *padapter);
+int rtw_alloc_hwxmits(struct adapter *padapter);
 void rtw_free_hwxmits(struct adapter *padapter);
 s32 rtw_xmit(struct adapter *padapter, struct sk_buff **pkt);
 
-- 

^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [PATCH 12/12] staging: r8188eu: check the return of kzalloc()
  2022-05-03  7:02 ` [PATCH 12/12] staging: r8188eu: check the return of kzalloc() xkernel.wang
@ 2022-05-03  7:08   ` Joe Perches
  2022-05-03  8:22     ` xkernel.wang
  0 siblings, 1 reply; 17+ messages in thread
From: Joe Perches @ 2022-05-03  7:08 UTC (permalink / raw)
  To: xkernel.wang, Larry.Finger, phil, gregkh; +Cc: linux-staging, linux-kernel

On Tue, 2022-05-03 at 15:02 +0800, xkernel.wang@foxmail.com wrote:
> From: Xiaoke Wang <xkernel.wang@foxmail.com>
> 
> kzalloc() is a memory allocation function which can return NULL when
> some internal memory errors happen. So it is better to handle the return
> of it to prevent potential wrong memory access.
> 
> Besides, to propagate the error to the caller, the type of
> rtw_alloc_hwxmits() is changed to `int` and another check is added to
> its caller.
> Then if kzalloc() fails, the caller will properly jump to the
> corresponding error hanlding code.

It'd be better to use the typical error returns

> diff --git a/drivers/staging/r8188eu/core/rtw_xmit.c b/drivers/staging/r8188eu/core/rtw_xmit.c
[]
> @@ -176,7 +176,9 @@ s32	_rtw_init_xmit_priv(struct xmit_priv *pxmitpriv, struct adapter *padapter)
>  
>  	pxmitpriv->free_xmit_extbuf_cnt = num_xmit_extbuf;
>  
> -	rtw_alloc_hwxmits(padapter);
> +	res = rtw_alloc_hwxmits(padapter);
> +	if (res == _FAIL)
> +		goto free_xmit_extbuf;

	if (res)
		goto free_xmit_extbuf;

[]

> -void rtw_alloc_hwxmits(struct adapter *padapter)
> +int rtw_alloc_hwxmits(struct adapter *padapter)
>  {
>  	struct hw_xmit *hwxmits;
>  	struct xmit_priv *pxmitpriv = &padapter->xmitpriv;
> @@ -1495,6 +1497,8 @@ void rtw_alloc_hwxmits(struct adapter *padapter)
>  	pxmitpriv->hwxmit_entry = HWXMIT_ENTRY;
>  
>  	pxmitpriv->hwxmits = kzalloc(sizeof(struct hw_xmit) * pxmitpriv->hwxmit_entry, GFP_KERNEL);
> +	if (!pxmitpriv->hwxmits)

		return -ENOMEM;




^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH 12/12] staging: r8188eu: check the return of kzalloc()
  2022-05-03  7:08   ` Joe Perches
@ 2022-05-03  8:22     ` xkernel.wang
  0 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-05-03  8:22 UTC (permalink / raw)
  To: joe; +Cc: Larry.Finger, phil, gregkh, linux-staging, linux-kernel

On Tuesday, May 3, 2022 3:09 PM +0800, joe@perches.com wrote:
> It'd be better to use the typical error returns

Hi Joe,

Thank you for your suggestion. The typical error returns will make these
codes unified with the code in other places.
But now we can not directly do that in this patch, otherwise, the original
functionality will be affected:

Apart from the returns of the error paths in _rtw_init_xmit_priv itself,
the functions on its call chain such as rtw_init_drv_sw() in
staging/r8188eu/os_dep/os_intfs.c are also sensitive to _SUCCESS or _FAIL.
If we want to unify all of them, there are a lot of changes need to do
which I think is at least beyond the purpose of this patch.

So I just keeps the form of error returns consistent with the original
logic.

Regards,
Xiaoke Wang



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH 00/12] staging: some memory-related patches
  2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
                   ` (11 preceding siblings ...)
  2022-05-03  7:02 ` [PATCH 12/12] staging: r8188eu: check the return of kzalloc() xkernel.wang
@ 2022-06-06  6:11 ` Greg KH
  2022-06-06 12:08   ` xkernel.wang
  12 siblings, 1 reply; 17+ messages in thread
From: Greg KH @ 2022-06-06  6:11 UTC (permalink / raw)
  To: xkernel.wang; +Cc: linux-staging, linux-kernel

On Tue, May 03, 2022 at 02:56:47PM +0800, xkernel.wang@foxmail.com wrote:
> From: Xiaoke Wang <xkernel.wang@foxmail.com>
> 
> This is a collection about some memory-related bugs fixing.
> In brief, there are two types about them.
> First is some memory allocation functions are called without proper
> checking, which may result in wrong memory access in the subsequent
> running or some else.
> Second is lacking proper error handling that does not release some
> allocated resources, which may result in memory leak problems.
> 
> These issuses are similar, so they are put in this series together.
> Note that most of them are sent as each separate patch before, this series
> rebased them to the lasted version. While there are some inherent logical
> relationships between 03~05/11~12.

Can you please look at Documentation/process/researcher-guidelines.rst
and update the changelog texts of these commits to provide the extra
information that this document requires of changes like this?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [PATCH 00/12] staging: some memory-related patches
  2022-06-06  6:11 ` [PATCH 00/12] staging: some memory-related patches Greg KH
@ 2022-06-06 12:08   ` xkernel.wang
  0 siblings, 0 replies; 17+ messages in thread
From: xkernel.wang @ 2022-06-06 12:08 UTC (permalink / raw)
  To: gregkh; +Cc: linux-staging, linux-kernel

On Monday, June 6, 2022 2:12 PM +0800, Greg KH <gregkh@linuxfoundation.org> wrote:
 > Can you please look at Documentation/process/researcher-guidelines.rst
> and update the changelog texts of these commits to provide the extra
> information that this document requires of changes like this?

Hi Greg,
Ok, I'll see what's missing.

In fact, I originally used my developing tool to find the lacking checks
for kzalloc(patch 12 in this series) and the other bugs are found manually
by myself for the purpose of improving code quality.

Now I am happy to find the bug for checking the return of kzalloc() is
fixed now, however, the patch to fix it didn't even consider potential
memory leaks. So I'm a little confused about why these patches from me are
suspended again and again.

Anyway, when I have time, I will rebase them and send new patches if they
are still there.

Regards,
Xiaoke Wang


^ permalink raw reply	[flat|nested] 17+ messages in thread

end of thread, other threads:[~2022-06-06 12:09 UTC | newest]

Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-03  6:56 [PATCH 00/12] staging: some memory-related patches xkernel.wang
2022-05-03  6:57 ` [PATCH 01/12] staging: rtl8712: fix potential memory leak in r8712_xmit_resource_alloc() xkernel.wang
2022-05-03  6:58 ` [PATCH 02/12] staging: rtl8712: fix potential memory leak in _r8712_init_xmit_priv() xkernel.wang
2022-05-03  6:58 ` [PATCH 03/12] staging: rtl8712: fix potential memory leak in r8712_init_drv_sw() xkernel.wang
2022-05-03  6:59 ` [PATCH 04/12] staging: rtl8712: change the type of _r8712_init_recv_priv() xkernel.wang
2022-05-03  6:59 ` [PATCH 05/12] staging: rtl8712: add two validation check in r8712_init_drv_sw() xkernel.wang
2022-05-03  7:00 ` [PATCH 06/12] staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv() xkernel.wang
2022-05-03  7:00 ` [PATCH 07/12] staging: rtl8723bs: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
2022-05-03  7:00 ` [PATCH 08/12] staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw() xkernel.wang
2022-05-03  7:01 ` [PATCH 09/12] staging: r8188eu: fix a potential memory leak in _rtw_init_cmd_priv() xkernel.wang
2022-05-03  7:01 ` [PATCH 10/12] staging: r8188eu: fix potential memory leak in rtw_os_xmit_resource_alloc() xkernel.wang
2022-05-03  7:02 ` [PATCH 11/12] staging: r8188eu: fix potential memory leak in _rtw_init_xmit_priv() xkernel.wang
2022-05-03  7:02 ` [PATCH 12/12] staging: r8188eu: check the return of kzalloc() xkernel.wang
2022-05-03  7:08   ` Joe Perches
2022-05-03  8:22     ` xkernel.wang
2022-06-06  6:11 ` [PATCH 00/12] staging: some memory-related patches Greg KH
2022-06-06 12:08   ` xkernel.wang

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).