Message ID | 20210922221613.2115038-1-vladimir.zapolskiy@linaro.org |
---|---|
State | New |
Headers | show |
Series | phy: qcom-qusb2: Fix a memory leak on probe | expand |
On Wed 22 Sep 15:16 PDT 2021, Vladimir Zapolskiy wrote: > On success nvmem_cell_read() returns a pointer to a dynamically allocated > buffer, and therefore it shall be freed after usage. > > The issue is reported by kmemleak: > > # cat /sys/kernel/debug/kmemleak > unreferenced object 0xffff3b3803e4b280 (size 128): > comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<000000007739afdc>] __kmalloc+0x27c/0x41c > [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0 > [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc > [<00000000fc81fcfa>] phy_init+0x70/0x110 > [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234 > [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990 > [<000000001965faf9>] dwc3_probe+0x4f4/0x730 > [<000000002f7617ca>] platform_probe+0x74/0xf0 > [<00000000a2576cac>] really_probe+0xc4/0x470 > [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190 > [<00000000130db71f>] driver_probe_device+0x48/0x110 > [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140 > [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0 > [<00000000f4bac574>] __device_attach+0xe4/0x1c0 > [<00000000d3beb631>] device_initial_probe+0x20/0x30 > [<000000008019b9db>] bus_probe_device+0xa4/0xb0 > > Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers") > Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org> > --- > drivers/phy/qualcomm/phy-qcom-qusb2.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c > index 3c1d3b71c825..061665ba8ef7 100644 > --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c > +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c > @@ -589,6 +589,8 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) > qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], > val[0] << HSTX_TRIM_SHIFT, > HSTX_TRIM_MASK); > + > + kfree(val); Nice catch, here's my: Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> That said, do you think we could replace the nvmem_cell_read() with a call to nvmem_cell_read_u8() to avoid the need to clean it up instead? Regards, Bjorn > } > > static int qusb2_phy_set_mode(struct phy *phy, > -- > 2.33.0 >
Hi Bjorn, On 9/23/21 1:56 AM, Bjorn Andersson wrote: > On Wed 22 Sep 15:16 PDT 2021, Vladimir Zapolskiy wrote: > >> On success nvmem_cell_read() returns a pointer to a dynamically allocated >> buffer, and therefore it shall be freed after usage. >> >> The issue is reported by kmemleak: >> >> # cat /sys/kernel/debug/kmemleak >> unreferenced object 0xffff3b3803e4b280 (size 128): >> comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s) >> hex dump (first 32 bytes): >> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ >> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ >> backtrace: >> [<000000007739afdc>] __kmalloc+0x27c/0x41c >> [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0 >> [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc >> [<00000000fc81fcfa>] phy_init+0x70/0x110 >> [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234 >> [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990 >> [<000000001965faf9>] dwc3_probe+0x4f4/0x730 >> [<000000002f7617ca>] platform_probe+0x74/0xf0 >> [<00000000a2576cac>] really_probe+0xc4/0x470 >> [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190 >> [<00000000130db71f>] driver_probe_device+0x48/0x110 >> [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140 >> [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0 >> [<00000000f4bac574>] __device_attach+0xe4/0x1c0 >> [<00000000d3beb631>] device_initial_probe+0x20/0x30 >> [<000000008019b9db>] bus_probe_device+0xa4/0xb0 >> >> Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers") >> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org> >> --- >> drivers/phy/qualcomm/phy-qcom-qusb2.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c >> index 3c1d3b71c825..061665ba8ef7 100644 >> --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c >> +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c >> @@ -589,6 +589,8 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) >> qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], >> val[0] << HSTX_TRIM_SHIFT, >> HSTX_TRIM_MASK); >> + >> + kfree(val); > > Nice catch, here's my: > > Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Thank you for the review, however I have just found a still unresolved memleak when zeroes are returned, so there is v2. > > That said, do you think we could replace the nvmem_cell_read() with a > call to nvmem_cell_read_u8() to avoid the need to clean it up instead? It might be a good idea to do it in a separate change, nvmem_cell_read_u8() is found in v5.9 and later versions, so its usage prevents a probable backport to stable branches, because the original problem comes in v4.12. FWIW the sent fix should be clearly applicable to v4.20 and later versions only, if it's needed, separate changes are required to cover v4.12-v4.20 range. -- Best wishes, Vladimir
diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c index 3c1d3b71c825..061665ba8ef7 100644 --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c @@ -589,6 +589,8 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy) qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2], val[0] << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK); + + kfree(val); } static int qusb2_phy_set_mode(struct phy *phy,
On success nvmem_cell_read() returns a pointer to a dynamically allocated buffer, and therefore it shall be freed after usage. The issue is reported by kmemleak: # cat /sys/kernel/debug/kmemleak unreferenced object 0xffff3b3803e4b280 (size 128): comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000007739afdc>] __kmalloc+0x27c/0x41c [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0 [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc [<00000000fc81fcfa>] phy_init+0x70/0x110 [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234 [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990 [<000000001965faf9>] dwc3_probe+0x4f4/0x730 [<000000002f7617ca>] platform_probe+0x74/0xf0 [<00000000a2576cac>] really_probe+0xc4/0x470 [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190 [<00000000130db71f>] driver_probe_device+0x48/0x110 [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140 [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0 [<00000000f4bac574>] __device_attach+0xe4/0x1c0 [<00000000d3beb631>] device_initial_probe+0x20/0x30 [<000000008019b9db>] bus_probe_device+0xa4/0xb0 Fixes: 0b56e9a7e835 ("phy: Group vendor specific phy drivers") Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org> --- drivers/phy/qualcomm/phy-qcom-qusb2.c | 2 ++ 1 file changed, 2 insertions(+) -- 2.33.0