Message ID | 20221112131010.3757845-1-yangyingliang@huawei.com (mailing list archive) |
---|---|
State | Accepted |
Series | scsi: scsi_debug: fix possible name leak in sdebug_add_host_helper() |
Yang,

> After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
> bus_id string array"), the name of device is allocated dynamically,
> it needs to be freed, when device_register() returns error.

Applied to 6.2/scsi-staging, thanks!

On Sat, 12 Nov 2022 21:10:10 +0800, Yang Yingliang wrote:

> After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
> bus_id string array"), the name of device is allocated dynamically,
> it needs to be freed, when device_register() returns error.
>
> As comment of device_register() says, it should use put_device()
> to give up the reference in the error path. So fix this by calling
> put_device(), then the name can be freed in kobject_cleanup(), and
> sdbg_host is freed in sdebug_release_adapter().
>
> [...]

Applied to 6.2/scsi-queue, thanks!

[1/1] scsi: scsi_debug: fix possible name leak in sdebug_add_host_helper()
      https://git.kernel.org/mkp/scsi/c/e6d773f93a49

diff --git a/drivers/scsi/scsi_debug.c b/drivers/scsi/scsi_debug.c index 697fc57bc711..104888bed801 100644 --- a/drivers/scsi/scsi_debug.c +++ b/drivers/scsi/scsi_debug.c @@ -7329,7 +7329,10 @@ static int sdebug_add_host_helper(int per_host_idx) kfree(sdbg_devinfo->zstate); kfree(sdbg_devinfo); } - kfree(sdbg_host); + if (sdbg_host->dev.release) + put_device(&sdbg_host->dev); + else + kfree(sdbg_host); pr_warn("%s: failed, errno=%d\n", __func__, -error); return error; }
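
Review bot: the `if (sdbg_host->dev.release)` test in the error path uses the release pointer as an implicit "device_register() was attempted" flag, and nothing in the hunk documents that. It is only safe while dev.release is assigned immediately before device_register() and nowhere earlier; if a later change moves that assignment up, an earlier failure would reach put_device() on a struct device that was never initialized. Suggest a one-line comment above the `if` stating that invariant, or separate error labels so that put_device() is reached only from the device_register() failure and `kfree(sdbg_host)` only from the earlier ones. The same comment could note that sdbg_host may already be freed once put_device() returns, so nothing after it may dereference the pointer; the pr_warn() that follows uses only __func__ and error, which is fine.
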
After commit 1fa5ae857bb1 ("driver core: get rid of struct device's
bus_id string array"), the name of device is allocated dynamically,
it needs to be freed, when device_register() returns error.

As comment of device_register() says, it should use put_device()
to give up the reference in the error path. So fix this by calling
put_device(), then the name can be freed in kobject_cleanup(), and
sdbg_host is freed in sdebug_release_adapter().

When the device release is not set, it means the device is not
initialized, we can not call put_device(), in this case, use kfree()
to free memory.

Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/scsi/scsi_debug.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)