[RFC v3] PCMCIA locking updates for 2.6.34
Dominik Brodowski
linux at dominikbrodowski.net
Sun Jan 24 10:30:56 EST 2010
Hey Wolfram,
On Mon, Jan 18, 2010 at 09:41:43PM +0100, Wolfram Sang wrote:
> kmemleak reports something, but
> this is a different issue (haven't even checked if this is a false positive). I
> just put it here as I stumbled over it during this test-run:
>
> unreferenced object 0xb5c644a0 (size 32):
> comm "pccardd", pid 1298, jiffies 202222 (age 1400.050s)
> hex dump (first 32 bytes):
> 20 00 a7 a6 20 a4 a5 9e d6 a4 87 f4 9c b4 c5 96 ... ...........
> 2e 62 6a a6 27 23 e2 ca 62 e2 a2 62 6e c2 ae ee .bj.'#..b..bn...
> backtrace:
> [<8052ece1>] kmemleak_alloc+0x61/0xb0
> [<801c4b8a>] __kmalloc+0x1ba/0x1f0
> [<c1db240c>] pcmcia_device_query+0x26c/0x320 [pcmcia]
> [<c1db33b8>] pcmcia_device_add+0x368/0x490 [pcmcia]
> [<c1db359a>] pcmcia_card_add+0xba/0x1e0 [pcmcia]
> [<c1db373e>] ds_event+0x7e/0x230 [pcmcia]
> [<c186157a>] send_event+0xba/0x160 [pcmcia_core]
> [<c18623a6>] socket_insert+0x156/0x1b0 [pcmcia_core]
> [<c1862865>] pccardd+0x2c5/0x3a0 [pcmcia_core]
> [<8014b374>] kthread+0x74/0x80
> [<801031ba>] kernel_thread_helper+0x6/0x10
> [<ffffffff>] 0xffffffff
Should be fixed by:
From: Dominik Brodowski <linux at dominikbrodowski.net>
Date: Sun, 24 Jan 2010 12:11:02 +0100
Subject: [PATCH] pcmcia: avoid prod_id memleak
Reported-by: Wolfram Sang <w.sang at pengutronix.de>
Signed-off-by: Dominik Brodowski <linux at dominikbrodowski.net>
diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c
index 1b16a0f..10164b9 100644
--- a/drivers/pcmcia/ds.c
+++ b/drivers/pcmcia/ds.c
@@ -237,8 +237,11 @@ static void pcmcia_release_function(struct kref *ref)
static void pcmcia_release_dev(struct device *dev)
{
struct pcmcia_device *p_dev = to_pcmcia_dev(dev);
+ int i;
dev_dbg(dev, "releasing device\n");
pcmcia_put_socket(p_dev->socket);
+ for (i = 0; i < 4; i++)
+ kfree(p_dev->prod_id[i]);
kfree(p_dev->devname);
kref_put(&p_dev->function_config->ref, pcmcia_release_function);
kfree(p_dev);
@@ -450,6 +453,7 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
for (i = 0; i < min_t(unsigned int, 4, vers1->ns); i++) {
char *tmp;
unsigned int length;
+ char *new;
tmp = vers1->str + vers1->ofs[i];
@@ -457,13 +461,15 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
if ((length < 2) || (length > 255))
continue;
- p_dev->prod_id[i] = kmalloc(sizeof(char) * length,
- GFP_KERNEL);
- if (!p_dev->prod_id[i])
+ new = kmalloc(sizeof(char) * length, GFP_KERNEL);
+ if (!new)
continue;
- p_dev->prod_id[i] = strncpy(p_dev->prod_id[i],
- tmp, length);
+ new = strncpy(new, tmp, length);
+
+ tmp = p_dev->prod_id[i];
+ p_dev->prod_id[i] = new;
+ kfree(tmp);
}
mutex_unlock(&p_dev->socket->ops_mutex);
}
@@ -485,6 +491,7 @@ static DEFINE_MUTEX(device_add_lock);
struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int function)
{
struct pcmcia_device *p_dev, *tmp_dev;
+ int i;
s = pcmcia_get_socket(s);
if (!s)
@@ -575,6 +582,8 @@ struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int fu
s->device_count--;
mutex_unlock(&s->ops_mutex);
+ for (i = 0; i < 4; i++)
+ kfree(p_dev->prod_id[i]);
kfree(p_dev->devname);
kfree(p_dev);
err_put:
More information about the linux-pcmcia
mailing list