[RFC v3] PCMCIA locking updates for 2.6.34

Dominik Brodowski linux at dominikbrodowski.net
Sun Jan 24 10:30:56 EST 2010 

Hey Wolfram,

On Mon, Jan 18, 2010 at 09:41:43PM +0100, Wolfram Sang wrote:
> kmemleak reports something, but
> this is a different issue (haven't even checked if this is a false positive). I
> just put it here as I stumbled over it during this test-run:
>
> unreferenced object 0xb5c644a0 (size 32):
>   comm "pccardd", pid 1298, jiffies 202222 (age 1400.050s)
>   hex dump (first 32 bytes):
>     20 00 a7 a6 20 a4 a5 9e d6 a4 87 f4 9c b4 c5 96   ... ...........
>     2e 62 6a a6 27 23 e2 ca 62 e2 a2 62 6e c2 ae ee  .bj.'#..b..bn...
>   backtrace:
>     [<8052ece1>] kmemleak_alloc+0x61/0xb0
>     [<801c4b8a>] __kmalloc+0x1ba/0x1f0
>     [<c1db240c>] pcmcia_device_query+0x26c/0x320 [pcmcia]
>     [<c1db33b8>] pcmcia_device_add+0x368/0x490 [pcmcia]
>     [<c1db359a>] pcmcia_card_add+0xba/0x1e0 [pcmcia]
>     [<c1db373e>] ds_event+0x7e/0x230 [pcmcia]
>     [<c186157a>] send_event+0xba/0x160 [pcmcia_core]
>     [<c18623a6>] socket_insert+0x156/0x1b0 [pcmcia_core]
>     [<c1862865>] pccardd+0x2c5/0x3a0 [pcmcia_core]
>     [<8014b374>] kthread+0x74/0x80
>     [<801031ba>] kernel_thread_helper+0x6/0x10
>     [<ffffffff>] 0xffffffff

Should be fixed by:

From: Dominik Brodowski <linux at dominikbrodowski.net>
Date: Sun, 24 Jan 2010 12:11:02 +0100
Subject: [PATCH] pcmcia: avoid prod_id memleak

Reported-by: Wolfram Sang <w.sang at pengutronix.de>
Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>

diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c
index 1b16a0f..10164b9 100644
--- a/drivers/pcmcia/ds.c
+++ b/drivers/pcmcia/ds.c
@@ -237,8 +237,11 @@ static void pcmcia_release_function(struct kref *ref)
 static void pcmcia_release_dev(struct device *dev)
 {
 	struct pcmcia_device *p_dev = to_pcmcia_dev(dev);
+	int i;
 	dev_dbg(dev, "releasing device\n");
 	pcmcia_put_socket(p_dev->socket);
+	for (i = 0; i < 4; i++)
+		kfree(p_dev->prod_id[i]);
 	kfree(p_dev->devname);
 	kref_put(&p_dev->function_config->ref, pcmcia_release_function);
 	kfree(p_dev);
@@ -450,6 +453,7 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
 		for (i = 0; i < min_t(unsigned int, 4, vers1->ns); i++) {
 			char *tmp;
 			unsigned int length;
+			char *new;
 
 			tmp = vers1->str + vers1->ofs[i];
 
@@ -457,13 +461,15 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
 			if ((length < 2) || (length > 255))
 				continue;
 
-			p_dev->prod_id[i] = kmalloc(sizeof(char) * length,
-						    GFP_KERNEL);
-			if (!p_dev->prod_id[i])
+			new = kmalloc(sizeof(char) * length, GFP_KERNEL);
+			if (!new)
 				continue;
 
-			p_dev->prod_id[i] = strncpy(p_dev->prod_id[i],
-						    tmp, length);
+			new = strncpy(new, tmp, length);
+
+			tmp = p_dev->prod_id[i];
+			p_dev->prod_id[i] = new;
+			kfree(tmp);
 		}
 		mutex_unlock(&p_dev->socket->ops_mutex);
 	}
@@ -485,6 +491,7 @@ static DEFINE_MUTEX(device_add_lock);
 struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int function)
 {
 	struct pcmcia_device *p_dev, *tmp_dev;
+	int i;
 
 	s = pcmcia_get_socket(s);
 	if (!s)
@@ -575,6 +582,8 @@ struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int fu
 	s->device_count--;
 	mutex_unlock(&s->ops_mutex);
 
+	for (i = 0; i < 4; i++)
+		kfree(p_dev->prod_id[i]);
 	kfree(p_dev->devname);
 	kfree(p_dev);
  err_put:

More information about the linux-pcmcia mailing list