On Wed 22 Sep 16:35 PDT 2021, Vladimir Zapolskiy wrote:
> On success nvmem_cell_read() returns a pointer to a dynamically allocated
> buffer, and therefore it shall be freed after usage.
>
> The issue is reported by kmemleak:
>
> # cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffff3b3803e4b280 (size 128):
> comm "kworker/u16:1", pid 107, jiffies 4294892861 (age 94.120s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<000000007739afdc>] __kmalloc+0x27c/0x41c
> [<0000000071c0fbf8>] nvmem_cell_read+0x40/0xe0
> [<00000000e803ef1f>] qusb2_phy_init+0x258/0x5bc
> [<00000000fc81fcfa>] phy_init+0x70/0x110
> [<00000000e3d48a57>] dwc3_core_soft_reset+0x4c/0x234
> [<0000000027d1dbd4>] dwc3_core_init+0x68/0x990
> [<000000001965faf9>] dwc3_probe+0x4f4/0x730
> [<000000002f7617ca>] platform_probe+0x74/0xf0
> [<00000000a2576cac>] really_probe+0xc4/0x470
> [<00000000bc77f2c5>] __driver_probe_device+0x11c/0x190
> [<00000000130db71f>] driver_probe_device+0x48/0x110
> [<0000000019f36c2b>] __device_attach_driver+0xa4/0x140
> [<00000000e5812ff7>] bus_for_each_drv+0x84/0xe0
> [<00000000f4bac574>] __device_attach+0xe4/0x1c0
> [<00000000d3beb631>] device_initial_probe+0x20/0x30
> [<000000008019b9db>] bus_probe_device+0xa4/0xb0
>
> Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
> Signed-off-by: Vladimir Zapolskiy <vladimir.zapolskiy@xxxxxxxxxx>
> ---
> Changes from v1 to v2:
> * fixed a memory leak in case of reading a zero value and return,
> * corrected the fixed commit, the memory leak is present before a rename.
>
> drivers/phy/qualcomm/phy-qcom-qusb2.c | 16 ++++++++++------
> 1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/phy/qualcomm/phy-qcom-qusb2.c b/drivers/phy/qualcomm/phy-qcom-qusb2.c
> index 3c1d3b71c825..f1d97fbd1331 100644
> --- a/drivers/phy/qualcomm/phy-qcom-qusb2.c
> +++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c
> @@ -561,7 +561,7 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
> {
> struct device *dev = &qphy->phy->dev;
> const struct qusb2_phy_cfg *cfg = qphy->cfg;
> - u8 *val;
> + u8 *val, hstx_trim;
>
> /* efuse register is optional */
> if (!qphy->cell)
> @@ -575,7 +575,13 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
> * set while configuring the phy.
> */
> val = nvmem_cell_read(qphy->cell, NULL);
> - if (IS_ERR(val) || !val[0]) {
> + if (IS_ERR(val)) {
> + dev_dbg(dev, "failed to read a valid hs-tx trim value\n");
> + return;
> + }
> + hstx_trim = val[0];
> + kfree(val);
I don't see any additional value added by the introduction of
"hstx_trim", compared to v1.
However, it certainly makes sense if you change this to:
ret = nvmem_cell_read_u8(qphy->cell, NULL, &hstx_trim);
if (ret < 0 || !hstx_trim) {
dev_dbg(dev, "failed to read a valid hs-tx trim value\n");
return;
}
In which case you don't need the kfree(), and you can drop "val"...
Regards,
Bjorn
> + if (!hstx_trim) {
> dev_dbg(dev, "failed to read a valid hs-tx trim value\n");
> return;
> }
> @@ -583,12 +589,10 @@ static void qusb2_phy_set_tune2_param(struct qusb2_phy *qphy)
> /* Fused TUNE1/2 value is the higher nibble only */
> if (cfg->update_tune1_with_efuse)
> qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE1],
> - val[0] << HSTX_TRIM_SHIFT,
> - HSTX_TRIM_MASK);
> + hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK);
> else
> qusb2_write_mask(qphy->base, cfg->regs[QUSB2PHY_PORT_TUNE2],
> - val[0] << HSTX_TRIM_SHIFT,
> - HSTX_TRIM_MASK);
> + hstx_trim << HSTX_TRIM_SHIFT, HSTX_TRIM_MASK);
> }
>
> static int qusb2_phy_set_mode(struct phy *phy,
> --
> 2.33.0
>
