On Thu, Aug 22, 2024 at 11:30:50AM +0800, Zheng Qixing wrote:
> From: Zheng Qixing <zhengqixing@xxxxxxxxxx>
>
> In ata_host_alloc(), if ata_port_alloc(host) fails to allocate memory
> for a port, the allocated 'host' structure is not freed before returning
> from the function. This results in a potential memory leak.
This sentence is wrong.
If ata_port_alloc() fails, we must have already called
devres_alloc(ata_devres_release, ...);
which means that when:
ap = ata_port_alloc(host);
if (!ap)
goto err_out;
...
err_out:
devres_release_group(dev, NULL);
return NULL;
devres_release_group() will trigger a call to ata_host_release().
ata_host_release() calls kfree(host).
So we will not leak "host" if ata_port_alloc() fails.
>
> This patch adds a kfree(host) before the error handling code is executed
> to ensure that the 'host' structure is properly freed in case of an
> allocation failure.
>
> Signed-off-by: Zheng Qixing <zhengqixing@xxxxxxxxxx>
> ---
> Changes in v2:
> - error path is wrong in v1
>
> drivers/ata/libata-core.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
> index e4023fc288ac..f27a18990c38 100644
> --- a/drivers/ata/libata-core.c
> +++ b/drivers/ata/libata-core.c
> @@ -5663,8 +5663,10 @@ struct ata_host *ata_host_alloc(struct device *dev, int n_ports)
> }
>
> dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
> - if (!dr)
> + if (!dr) {
> + kfree(host);
> goto err_out;
This code does free "host" if devres_alloc() fails, which looks correct,
as "host" will currently be leaked if devres_alloc() fails.
However, that is not what the commit log above claims :P
Please update the commit message to reflect reality.
Kind regards,
Niklas
