On Thu, May 7, 2015 at 6:51 PM, Srinivas Pandruvada
<srinivas.pandruvada@xxxxxxxxxxxxxxx> wrote:
> On Thu, 2015-05-07 at 11:09 -0300, Fabio Estevam wrote:
>> 'channels' is allocated via kmemdup, so we need to free it after its usage.
>>
>> This way we fix the memory leak in both probe and remove paths.
>>
>> Also, as 'indio_dev' is allocated via devm_iio_device_alloc(), so there is
>> no need to call kfree for it.
> Where is the kfree for indio_dev..?
It is kfree(indio_dev->channels) actually.
>>
>> Reported-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
>> Signed-off-by: Fabio Estevam <fabio.estevam@xxxxxxxxxxxxx>
>> ---
>> Changes since v1:
>> - Always call kfree(channel) after its usage.
>>
>> drivers/iio/light/hid-sensor-prox.c | 14 ++++++--------
>> 1 file changed, 6 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
>> index 91ecc46..00ce0f6 100644
>> --- a/drivers/iio/light/hid-sensor-prox.c
>> +++ b/drivers/iio/light/hid-sensor-prox.c
>> @@ -278,16 +278,17 @@ static int hid_prox_probe(struct platform_device *pdev)
>> return -ENOMEM;
>> }
>>
>> + indio_dev->channels = channels;
>> +
>> ret = prox_parse_report(pdev, hsdev, channels,
>> HID_USAGE_SENSOR_PROX, prox_state);
>> + kfree(channels);
> You are freeing channels so indio_dev->channels will point to junk.
> This will be passed to iio_device_register..
No, I am freeing channels, not indio_dev->channels.
At this point in the code nobody uses channels, so it is safe to kfree it.
>> if (ret) {
>> dev_err(&pdev->dev, "failed to setup attributes\n");
>> - goto error_free_dev_mem;
>> + return ret;
>> }
>>
>> - indio_dev->channels = channels;
>> - indio_dev->num_channels =
>> - ARRAY_SIZE(prox_channels);
>> + indio_dev->num_channels = ARRAY_SIZE(prox_channels);
>> indio_dev->dev.parent = &pdev->dev;
>> indio_dev->info = &prox_info;
>> indio_dev->name = name;
>> @@ -297,7 +298,7 @@ static int hid_prox_probe(struct platform_device *pdev)
>> NULL, NULL);
>> if (ret) {
>> dev_err(&pdev->dev, "failed to initialize trigger buffer\n");
>> - goto error_free_dev_mem;
>> + return ret;
>> }
>> atomic_set(&prox_state->common_attributes.data_ready, 0);
>> ret = hid_sensor_setup_trigger(indio_dev, name,
>> @@ -331,8 +332,6 @@ error_remove_trigger:
>> hid_sensor_remove_trigger(&prox_state->common_attributes);
>> error_unreg_buffer_funcs:
>> iio_triggered_buffer_cleanup(indio_dev);
>> -error_free_dev_mem:
>> - kfree(indio_dev->channels);
> This is required.
Why? It is allocated with devm_ .
>> return ret;
>> }
>>
>> @@ -347,7 +346,6 @@ static int hid_prox_remove(struct platform_device *pdev)
>> iio_device_unregister(indio_dev);
>> hid_sensor_remove_trigger(&prox_state->common_attributes);
>> iio_triggered_buffer_cleanup(indio_dev);
>> - kfree(indio_dev->channels);
>> This is required..
Ditto.
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
