
net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function

Message ID 20201214202117.146293-1-christophe.jaillet@wanadoo.fr (mailing list archive)
State Accepted
Commit 322e53d1e2529ae9d501f5e0f20604a79b873aef
Delegated to: Netdev Maintainers
Series net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 30 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/header_inline success Link
netdev/stable success Stable not CCed

Commit Message

Christophe JAILLET Dec. 14, 2020, 8:21 p.m. UTC
'irq_of_parse_and_map()' should be balanced by a corresponding
'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.

Add such a call in the error handling path of the probe function and in the
remove function.

Fixes: 492205050d77 ("net: Add EMAC ethernet driver found on Allwinner A10 SoC's")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
Please, carefully check the remove function, I'm not always confident about
the correct order when releasing resources. This is sometimes tricky.
---
 drivers/net/ethernet/allwinner/sun4i-emac.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
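
The leak the commit message describes can be reproduced in a userspace model of the probe unwind ladder. This is an added example, not code from the patch or the driver: mock_probe(), the RES_* bits and the fail_at steps are constructed stand-ins, and only the label names and the acquisition order are taken from the diff on this page.

```c
#include <stdio.h>

/* Constructed userspace model: each bit stands for one resource the driver holds. */
enum { RES_MEMBASE = 1, RES_IRQ_MAP = 2, RES_CLK_ON = 4, RES_SRAM = 8 };

/* Probe steps at which the model can be told to fail. */
enum fail_at { FAIL_NONE, FAIL_CLK_GET, FAIL_CLK_ENABLE, FAIL_SRAM_CLAIM };

static unsigned int held; /* bitmask of resources currently held */

/* fixed == 0 models the unwind ladder before the patch, fixed == 1 after it. */
static int mock_probe(enum fail_at fail, int fixed)
{
	held = RES_MEMBASE;      /* register mapping, undone at out_iounmap */
	held |= RES_IRQ_MAP;     /* stands in for irq_of_parse_and_map() */

	if (fail == FAIL_CLK_GET || fail == FAIL_CLK_ENABLE) {
		if (fixed)
			goto out_dispose_mapping;
		goto out_iounmap;    /* pre-patch target: skips the IRQ mapping */
	}
	held |= RES_CLK_ON;

	if (fail == FAIL_SRAM_CLAIM)
		goto out_clk_disable_unprepare;
	held |= RES_SRAM;
	return 0;

out_clk_disable_unprepare:
	held &= ~RES_CLK_ON;
	if (!fixed)
		goto out_iounmap;    /* pre-patch ladder had no dispose step */
out_dispose_mapping:
	held &= ~RES_IRQ_MAP;    /* stands in for irq_dispose_mapping() */
out_iounmap:
	held &= ~RES_MEMBASE;
	return -1;
}

/* Resources still held after a probe that failed at the given step. */
static unsigned int leaked_after_failure(enum fail_at fail, int fixed)
{
	mock_probe(fail, fixed);
	return held;
}

/* Resources still held after a successful probe followed by remove. */
static unsigned int leaked_after_remove(int fixed)
{
	if (mock_probe(FAIL_NONE, fixed))
		return held;
	held &= ~(RES_SRAM | RES_CLK_ON);
	if (fixed)
		held &= ~RES_IRQ_MAP;
	held &= ~RES_MEMBASE;
	return held;
}

int main(void)
{
	for (int f = FAIL_CLK_GET; f <= FAIL_SRAM_CLAIM; f++)
		printf("fail step %d: before=%#x after=%#x\n", f,
		       leaked_after_failure(f, 0), leaked_after_failure(f, 1));
	printf("remove: before=%#x after=%#x\n",
	       leaked_after_remove(0), leaked_after_remove(1));
	return 0;
}
```

Injecting a failure at every step and checking that nothing is still held is the same balance check the thread later asks static analysis to perform.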

Comments

Maxime Ripard Dec. 15, 2020, 8:56 a.m. UTC | #1
Hi,

On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> 'irq_of_parse_and_map()' should be balanced by a corresponding
> 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.

Do you have a source to back that? It's not clear at all from the
documentation for those functions, and couldn't find any user calling it
from the ten-or-so random picks I took.

Maxime
Dan Carpenter Dec. 15, 2020, 9:11 a.m. UTC | #2
On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
> Hi,
> 
> On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> > 'irq_of_parse_and_map()' should be balanced by a corresponding
> > 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> 
> Do you have a source to back that? It's not clear at all from the
> documentation for those functions, and couldn't find any user calling it
> from the ten-or-so random picks I took.

It looks like irq_create_of_mapping() needs to be freed with
irq_dispose_mapping() so this is correct.

regards,
dan carpenter
Maxime Ripard Dec. 15, 2020, 11:37 a.m. UTC | #3
On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
> On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
> > Hi,
> > 
> > On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> > > 'irq_of_parse_and_map()' should be balanced by a corresponding
> > > 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> > 
> > Do you have a source to back that? It's not clear at all from the
> > documentation for those functions, and couldn't find any user calling it
> > from the ten-or-so random picks I took.
> 
> It looks like irq_create_of_mapping() needs to be freed with
> irq_dispose_mapping() so this is correct.

The doc should be updated first to make that clear then, otherwise we're
going to fix one user while multiples will have popped up

Maxime
Christophe JAILLET Dec. 15, 2020, 6:18 p.m. UTC | #4
Le 15/12/2020 à 12:37, Maxime Ripard a écrit :
> On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
>> On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
>>> Hi,
>>>
>>> On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
>>>> 'irq_of_parse_and_map()' should be balanced by a corresponding
>>>> 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
>>>
>>> Do you have a source to back that? It's not clear at all from the
>>> documentation for those functions, and couldn't find any user calling it
>>> from the ten-or-so random picks I took.
>>
>> It looks like irq_create_of_mapping() needs to be freed with
>> irq_dispose_mapping() so this is correct.
> 
> The doc should be updated first to make that clear then, otherwise we're
> going to fix one user while multiples will have popped up
> 
> Maxime
> 

Hi,

as Dan explained, I think that 'irq_dispose_mapping()' is needed because 
of the 'irq_create_of_mapping()' within 'irq_of_parse_and_map()'.

As you suggest, I'll propose a doc update to make it clear and more 
future proof.

CJ
Maxime Ripard Dec. 15, 2020, 7:08 p.m. UTC | #5
On Tue, Dec 15, 2020 at 07:18:48PM +0100, Christophe JAILLET wrote:
> Le 15/12/2020 à 12:37, Maxime Ripard a écrit :
> > On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
> > > On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
> > > > Hi,
> > > > 
> > > > On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> > > > > 'irq_of_parse_and_map()' should be balanced by a corresponding
> > > > > 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> > > > 
> > > > Do you have a source to back that? It's not clear at all from the
> > > > documentation for those functions, and couldn't find any user calling it
> > > > from the ten-or-so random picks I took.
> > > 
> > > It looks like irq_create_of_mapping() needs to be freed with
> > > irq_dispose_mapping() so this is correct.
> > 
> > The doc should be updated first to make that clear then, otherwise we're
> > going to fix one user while multiples will have popped up
> > 
> > Maxime
> > 
> 
> Hi,
> 
> as Dan explained, I think that 'irq_dispose_mapping()' is needed because of
> the 'irq_create_of_mapping()' within 'irq_of_parse_and_map()'.
> 
> As you suggest, I'll propose a doc update to make it clear and more future
> proof.

Thanks :)

And if you feel like it, a coccinelle script would be awesome too so
that other users get fixed over time

Maxime
Dan Carpenter Dec. 15, 2020, 7:35 p.m. UTC | #6
On Tue, Dec 15, 2020 at 08:08:15PM +0100, Maxime Ripard wrote:
> On Tue, Dec 15, 2020 at 07:18:48PM +0100, Christophe JAILLET wrote:
> > Le 15/12/2020 à 12:37, Maxime Ripard a écrit :
> > > On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
> > > > On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
> > > > > Hi,
> > > > > 
> > > > > On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> > > > > > 'irq_of_parse_and_map()' should be balanced by a corresponding
> > > > > > 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> > > > > 
> > > > > Do you have a source to back that? It's not clear at all from the
> > > > > documentation for those functions, and couldn't find any user calling it
> > > > > from the ten-or-so random picks I took.
> > > > 
> > > > It looks like irq_create_of_mapping() needs to be freed with
> > > > irq_dispose_mapping() so this is correct.
> > > 
> > > The doc should be updated first to make that clear then, otherwise we're
> > > going to fix one user while multiples will have popped up
> > > 
> > > Maxime
> > > 
> > 
> > Hi,
> > 
> > as Dan explained, I think that 'irq_dispose_mapping()' is needed because of
> > the 'irq_create_of_mapping()' within 'irq_of_parse_and_map()'.
> > 
> > As you suggest, I'll propose a doc update to make it clear and more future
> > proof.
> 
> Thanks :)
> 
> And if you feel like it, a coccinelle script would be awesome too so
> that other users get fixed over time
> 
> Maxime

Smatch has a new check for resource leaks which hopefully people will
find useful.

https://github.com/error27/smatch/blob/master/check_unwind.c

To check for these I would need to add the following lines to the table:

        { "irq_of_parse_and_map", ALLOC, -1, "$", &int_one, &int_max},
        { "irq_create_of_mapping", ALLOC, -1, "$", &int_one, &int_max},
        { "irq_dispose_mapping", RELEASE, 0, "$"},

The '-1, "$"' means the returned value.  irq_of_parse_and_map() and
irq_create_of_mapping() return positive int on success.

The irq_dispose_mapping() frees its zeroth parameter so it's listed as
'0, "$"'.  We don't care about the returns from irq_dispose_mapping().

It doesn't apply in this case but if a function frees a struct member
then that's listed as '0, "$->member_name"'.

regards,
dan carpenter
Christophe JAILLET Dec. 15, 2020, 8:15 p.m. UTC | #7
Le 15/12/2020 à 20:35, Dan Carpenter a écrit :
> On Tue, Dec 15, 2020 at 08:08:15PM +0100, Maxime Ripard wrote:
>> On Tue, Dec 15, 2020 at 07:18:48PM +0100, Christophe JAILLET wrote:
>>> Le 15/12/2020 à 12:37, Maxime Ripard a écrit :
>>>> On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
>>>>> On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
>>>>>>> 'irq_of_parse_and_map()' should be balanced by a corresponding
>>>>>>> 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
>>>>>>
>>>>>> Do you have a source to back that? It's not clear at all from the
>>>>>> documentation for those functions, and couldn't find any user calling it
>>>>>> from the ten-or-so random picks I took.
>>>>>
>>>>> It looks like irq_create_of_mapping() needs to be freed with
>>>>> irq_dispose_mapping() so this is correct.
>>>>
>>>> The doc should be updated first to make that clear then, otherwise we're
>>>> going to fix one user while multiples will have popped up
>>>>
>>>> Maxime
>>>>
>>>
>>> Hi,
>>>
>>> as Dan explained, I think that 'irq_dispose_mapping()' is needed because of
>>> the 'irq_create_of_mapping()' within 'irq_of_parse_and_map()'.
>>>
>>> As you suggest, I'll propose a doc update to make it clear and more future
>>> proof.
>>
>> Thanks :)
>>
>> And if you feel like it, a coccinelle script would be awesome too so
>> that other users get fixed over time
>>
>> Maxime
> 
> Smatch has a new check for resource leaks which hopefully people will
> find useful.
> 
> https://github.com/error27/smatch/blob/master/check_unwind.c

Nice :)
I wasn't aware of it.

> 
> To check for these I would need to add the following lines to the table:
> 
>          { "irq_of_parse_and_map", ALLOC, -1, "$", &int_one, &int_max},
>          { "irq_create_of_mapping", ALLOC, -1, "$", &int_one, &int_max},
>          { "irq_dispose_mapping", RELEASE, 0, "$"},
> 
> The '-1, "$"' means the returned value.  irq_of_parse_and_map() and
> irq_create_of_mapping() return positive int on success.
> 
> The irq_dispose_mapping() frees its zeroth parameter so it's listed as
> '0, "$"'.  We don't care about the returns from irq_dispose_mapping().
> 
> It doesn't apply in this case but if a function frees a struct member
> then that's listed as '0, "$->member_name"'.
> 
> regards,
> dan carpenter
> 

The script I use to try to spot missing release function is:
///
@@
expression  x, y;
identifier f, l;
@@

*       x = irq_of_parse_and_map(...);
         ... when any
*       y = f(...);
         ... when any
*       if (<+... y ...+>)
         {
                 ...
(
*               goto l;
|
*               return ...;
)
                 ...
         }
         ... when any
*l:
         ... when != irq_dispose_mapping(...);
*       return ...;
///

It is likely that some improvement can be made, but it works pretty well 
for what I want.

And I have a collection of alloc/free functions that I manually put in 
place of irq_of_parse_and_map and irq_dispose_mapping.

Up to now, this list is:

// alloc_etherdev/alloc_etherdev_mq/alloc_etherdev_mqs - free_netdev
// alloc_workqueue - destroy_workqueue
// class_register - class_unregister
// clk_get - clk_put
// clk_prepare - clk_unprepare
// create_workqueue - destroy_workqueue
// create_singlethread_workqueue - destroy_workqueue
// dev_pm_domain_attach/dev_pm_domain_attach_by_id/dev_pm_domain_attach_by_name - dev_pm_domain_detach
// devres_alloc - devres_free
// dma_alloc_coherent - dma_free_coherent
// dma_map_resource - dma_unmap_resource
// dma_map_single - dma_unmap_single
// dma_request_slave_channel - dma_release_channel
// dma_request_chan - dma_release_channel
// framebuffer_alloc - framebuffer_release
// get_device - put_device
// iio_channel_get - iio_channel_release
// ioremap - iounmap
// input_allocate_device - input_free_device
// input_register_handle - input_unregister_handle
// irq_of_parse_and_map / irq_create_of_mapping - irq_dispose_mapping
// kmalloc - kfree
// mempool_alloc - mempool_free
// of_node_get - of_node_put
// of_reserved_mem_device_init - of_reserved_mem_device_release
// pinctrl_register - pinctrl_unregister
// request_irq - free_irq
// request_region - release_region
// request_mem_region - release_mem_region
// reset_control_assert - reset_control_deassert
// scsi_host_alloc - scsi_host_put

// pci_alloc_irq_vectors - pci_free_irq_vectors
// pci_dev_get - pci_dev_put
// pci_enable_device - pci_disable_device
// pci_iomap - pci_iounmap
// pci_request_region - pci_release_region
// pci_request_regions - pci_release_regions

// alloc_skb/__alloc_skb - kfree_skb/__kfree_skb
// dev_alloc_skb - dev_kfree_skb

// spi_dev_get - spi_dev_put
// spi_message_alloc - spi_message_free
// spi_register_master - spi_unregister_master
Chen-Yu Tsai Dec. 16, 2020, 3:23 a.m. UTC | #8
On Wed, Dec 16, 2020 at 4:16 AM Christophe JAILLET
<christophe.jaillet@wanadoo.fr> wrote:
>
> Le 15/12/2020 à 20:35, Dan Carpenter a écrit :
> > On Tue, Dec 15, 2020 at 08:08:15PM +0100, Maxime Ripard wrote:
> >> On Tue, Dec 15, 2020 at 07:18:48PM +0100, Christophe JAILLET wrote:
> >>> Le 15/12/2020 à 12:37, Maxime Ripard a écrit :
> >>>> On Tue, Dec 15, 2020 at 12:11:53PM +0300, Dan Carpenter wrote:
> >>>>> On Tue, Dec 15, 2020 at 09:56:55AM +0100, Maxime Ripard wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> On Mon, Dec 14, 2020 at 09:21:17PM +0100, Christophe JAILLET wrote:
> >>>>>>> 'irq_of_parse_and_map()' should be balanced by a corresponding
> >>>>>>> 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> >>>>>>
> >>>>>> Do you have a source to back that? It's not clear at all from the
> >>>>>> documentation for those functions, and couldn't find any user calling it
> >>>>>> from the ten-or-so random picks I took.
> >>>>>
> >>>>> It looks like irq_create_of_mapping() needs to be freed with
> >>>>> irq_dispose_mapping() so this is correct.
> >>>>
> >>>> The doc should be updated first to make that clear then, otherwise we're
> >>>> going to fix one user while multiples will have popped up
> >>>>
> >>>> Maxime
> >>>>
> >>>
> >>> Hi,
> >>>
> >>> as Dan explained, I think that 'irq_dispose_mapping()' is needed because of
> >>> the 'irq_create_of_mapping()' within 'irq_of_parse_and_map()'.
> >>>
> >>> As you suggest, I'll propose a doc update to make it clear and more future
> >>> proof.
> >>
> >> Thanks :)
> >>
> >> And if you feel like it, a coccinelle script would be awesome too so
> >> that other users get fixed over time
> >>
> >> Maxime
> >
> > Smatch has a new check for resource leaks which hopefully people will
> > find useful.
> >
> > https://github.com/error27/smatch/blob/master/check_unwind.c
>
> Nice :)
> I wasn't aware of it.
>
> >
> > To check for these I would need to add the following lines to the table:
> >
> >          { "irq_of_parse_and_map", ALLOC, -1, "$", &int_one, &int_max},
> >          { "irq_create_of_mapping", ALLOC, -1, "$", &int_one, &int_max},
> >          { "irq_dispose_mapping", RELEASE, 0, "$"},
> >
> > The '-1, "$"' means the returned value.  irq_of_parse_and_map() and
> > irq_create_of_mapping() return positive int on success.
> >
> > The irq_dispose_mapping() frees its zeroth parameter so it's listed as
> > '0, "$"'.  We don't care about the returns from irq_dispose_mapping().
> >
> > It doesn't apply in this case but if a function frees a struct member
> > then that's listed as '0, "$->member_name"'.
> >
> > regards,
> > dan carpenter
> >
>
> The script I use to try to spot missing release function is:
> ///
> @@
> expression  x, y;
> identifier f, l;
> @@
>
> *       x = irq_of_parse_and_map(...);
>          ... when any
> *       y = f(...);
>          ... when any
> *       if (<+... y ...+>)
>          {
>                  ...
> (
> *               goto l;
> |
> *               return ...;
> )
>                  ...
>          }
>          ... when any
> *l:
>          ... when != irq_dispose_mapping(...);
> *       return ...;
> ///
>
> It is likely that some improvement can be made, but it works pretty well
> for what I want.
>
> And I have a collection of alloc/free functions that I manually put in
> place of irq_of_parse_and_map and irq_dispose_mapping.

AFAICT the resource leak is likely larger in scope, as many drivers use
platform_get_irq(), which eventually ends up calling irq_create_of_mapping()
through of_irq_get() in the OF path. Same goes for platform_get_irq_byname().

ChenYu


> Up to now, this list is:
>
> // alloc_etherdev/alloc_etherdev_mq/alloc_etherdev_mqs - free_netdev
> // alloc_workqueue - destroy_workqueue
> // class_register - class_unregister
> // clk_get - clk_put
> // clk_prepare - clk_unprepare
> // create_workqueue - destroy_workqueue
> // create_singlethread_workqueue - destroy_workqueue
> // dev_pm_domain_attach/dev_pm_domain_attach_by_id/dev_pm_domain_attach_by_name - dev_pm_domain_detach
> // devres_alloc - devres_free
> // dma_alloc_coherent - dma_free_coherent
> // dma_map_resource - dma_unmap_resource
> // dma_map_single - dma_unmap_single
> // dma_request_slave_channel - dma_release_channel
> // dma_request_chan - dma_release_channel
> // framebuffer_alloc - framebuffer_release
> // get_device - put_device
> // iio_channel_get - iio_channel_release
> // ioremap - iounmap
> // input_allocate_device - input_free_device
> // input_register_handle - input_unregister_handle
> // irq_of_parse_and_map / irq_create_of_mapping - irq_dispose_mapping
> // kmalloc - kfree
> // mempool_alloc - mempool_free
> // of_node_get - of_node_put
> // of_reserved_mem_device_init - of_reserved_mem_device_release
> // pinctrl_register - pinctrl_unregister
> // request_irq - free_irq
> // request_region - release_region
> // request_mem_region - release_mem_region
> // reset_control_assert - reset_control_deassert
> // scsi_host_alloc - scsi_host_put
>
> // pci_alloc_irq_vectors - pci_free_irq_vectors
> // pci_dev_get - pci_dev_put
> // pci_enable_device - pci_disable_device
> // pci_iomap - pci_iounmap
> // pci_request_region - pci_release_region
> // pci_request_regions - pci_release_regions
>
> // alloc_skb/__alloc_skb - kfree_skb/__kfree_skb
> // dev_alloc_skb - dev_kfree_skb
>
> // spi_dev_get - spi_dev_put
> // spi_message_alloc - spi_message_free
> // spi_register_master - spi_unregister_master
>
>
patchwork-bot+netdevbpf@kernel.org Dec. 16, 2020, 7:50 p.m. UTC | #9
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Mon, 14 Dec 2020 21:21:17 +0100 you wrote:
> 'irq_of_parse_and_map()' should be balanced by a corresponding
> 'irq_dispose_mapping()' call. Otherwise, there is some resources leaks.
> 
> Add such a call in the error handling path of the probe function and in the
> remove function.
> 
> Fixes: 492205050d77 ("net: Add EMAC ethernet driver found on Allwinner A10 SoC's")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> 
> [...]

Here is the summary with links:
  - net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function
    https://git.kernel.org/netdev/net/c/322e53d1e252

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Patch

diff --git a/drivers/net/ethernet/allwinner/sun4i-emac.c b/drivers/net/ethernet/allwinner/sun4i-emac.c
index 862ea44beea7..5ed80d9a6b9f 100644
--- a/drivers/net/ethernet/allwinner/sun4i-emac.c
+++ b/drivers/net/ethernet/allwinner/sun4i-emac.c
@@ -828,13 +828,13 @@  static int emac_probe(struct platform_device *pdev)
 	db->clk = devm_clk_get(&pdev->dev, NULL);
 	if (IS_ERR(db->clk)) {
 		ret = PTR_ERR(db->clk);
-		goto out_iounmap;
+		goto out_dispose_mapping;
 	}
 
 	ret = clk_prepare_enable(db->clk);
 	if (ret) {
 		dev_err(&pdev->dev, "Error couldn't enable clock (%d)\n", ret);
-		goto out_iounmap;
+		goto out_dispose_mapping;
 	}
 
 	ret = sunxi_sram_claim(&pdev->dev);
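Review bot: both redirected gotos, in the devm_clk_get() and clk_prepare_enable() failure branches, assume ndev->irq already holds a mapping at this point, but the irq_of_parse_and_map() call and its own failure branch sit above the hunk and are not shown. Please confirm that branch still jumps to out_iounmap rather than to the new label, so the error path never calls irq_dispose_mapping() on a mapping that was never created.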
@@ -893,6 +893,8 @@  static int emac_probe(struct platform_device *pdev)
 	sunxi_sram_release(&pdev->dev);
 out_clk_disable_unprepare:
 	clk_disable_unprepare(db->clk);
+out_dispose_mapping:
+	irq_dispose_mapping(ndev->irq);
 out_iounmap:
 	iounmap(db->membase);
 out:
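Review bot: nothing at the new out_dispose_mapping label says why a mapping obtained from irq_of_parse_and_map() has to be disposed, and the thread shows the pairing is not obvious from the API documentation. A one-line comment above irq_dispose_mapping(ndev->irq), or a sentence in the commit message naming the irq_create_of_mapping() call it balances, would help. The placement between out_clk_disable_unprepare and out_iounmap looks right, since every later label now falls through the disposal.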
@@ -911,6 +913,7 @@  static int emac_remove(struct platform_device *pdev)
 	unregister_netdev(ndev);
 	sunxi_sram_release(&pdev->dev);
 	clk_disable_unprepare(db->clk);
+	irq_dispose_mapping(ndev->irq);
 	iounmap(db->membase);
 	free_netdev(ndev);
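Review bot: irq_dispose_mapping(ndev->irq) in emac_remove() should only run once the handler on that IRQ has been freed, and the hunk does not show where that happens. Please confirm it is released in the stop path that unregister_netdev() triggers, before this line is reached. Reading ndev->irq ahead of free_netdev(ndev) is correct, and the order (clock, mapping, iounmap) mirrors the probe unwind.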