[PATCH 4/5] flashdisk.c: Fix Resource leak (CID #1439298)

Chris Johns chrisj at rtems.org
Tue Mar 16 01:00:41 UTC 2021


On 16/3/21 11:49 am, Joel Sherrill wrote:
> On Mon, Mar 15, 2021, 6:10 PM Chris Johns <chrisj at rtems.org
> <mailto:chrisj at rtems.org>> wrote:
> 
>     On 15/3/21 2:21 pm, Joel Sherrill wrote:
>     > On Sun, Mar 14, 2021, 9:27 PM Chris Johns <chrisj at rtems.org
>     <mailto:chrisj at rtems.org>
>     > <mailto:chrisj at rtems.org <mailto:chrisj at rtems.org>>> wrote:
>     >     On 13/3/21 2:18 am, Ryan Long wrote:
>     >     > CID 1439298: Resource leak in rtems_fdisk_initialize().
>     >     >
>     >     > Closes #4299
>     >     > ---
>     >     >  cpukit/libblock/src/flashdisk.c | 42
>     >     ++++++++++++++++++++++++++++++-----------
>     >     >  1 file changed, 31 insertions(+), 11 deletions(-)
>     >     >
>     >     > diff --git a/cpukit/libblock/src/flashdisk.c
>     b/cpukit/libblock/src/flashdisk.c
>     >     > index 91f99e0..c4bac82 100644
>     >     > --- a/cpukit/libblock/src/flashdisk.c
>     >     > +++ b/cpukit/libblock/src/flashdisk.c
>     >     > @@ -2463,6 +2463,7 @@ rtems_fdisk_initialize
>     (rtems_device_major_number major,
>     >     >    {
>     >     >      char     name[] = RTEMS_FLASHDISK_DEVICE_BASE_NAME "a";
>     >     >      uint32_t device;
>     >     > +    uint32_t device_to_free;
>     >     >      uint32_t blocks = 0;
>     >     >      int      ret;
>     >     > 
>     >     > @@ -2485,18 +2486,27 @@ rtems_fdisk_initialize
>     (rtems_device_major_number
>     >     major,
>     >     >       * One copy buffer of a page size.
>     >     >       */
>     >     >      fd->copy_buffer = malloc (c->block_size);
>     >     > -    if (!fd->copy_buffer)
>     >     > +    if (!fd->copy_buffer) {
>     >     > +      free(fd);
>     >     >        return RTEMS_NO_MEMORY;
>     >     > +    }
>     >     > 
>     >     >      fd->blocks = calloc (blocks, sizeof (rtems_fdisk_block_ctl));
>     >     > -    if (!fd->blocks)
>     >     > +    if (!fd->blocks) {
>     >     > +      free(fd->copy_buffer);
>     >     > +      free(fd);
>     >     >        return RTEMS_NO_MEMORY;
>     >     > +    }
>     >     > 
>     >     >      fd->block_count = blocks;
>     >     > 
>     >     >      fd->devices = calloc (c->device_count, sizeof
>     (rtems_fdisk_device_ctl));
>     >     > -    if (!fd->devices)
>     >     > +    if (!fd->devices) {
>     >     > +      free (fd->blocks);
>     >     > +      free (fd->copy_buffer);
>     >     > +      free (fd);
>     >     >        return RTEMS_NO_MEMORY;
>     >     > +    }
>     >     > 
>     >     >      rtems_mutex_init (&fd->lock, "Flash Disk");
>     >     > 
>     >     > @@ -2505,9 +2515,10 @@ rtems_fdisk_initialize (rtems_device_major_number
>     >     major,
>     >     >      if (sc != RTEMS_SUCCESSFUL)
>     >     >      {
>     >     >        rtems_mutex_destroy (&fd->lock);
>     >     > -      free (fd->copy_buffer);
>     >     > -      free (fd->blocks);
>     >     >        free (fd->devices);
>     >     > +      free (fd->blocks);
>     >     > +      free (fd->copy_buffer);
>     >
>     >     Why the order change?
>     >
>     > Does the change make it exactly the opposite order of creation or do you
>     see it
>     > not being in inverse order?
> 
>     If there is no reason to change the order the blocks are freed then I suggest
>     not changing the order. It avoids adding noise to the change.
> 
>     > This was a hard one. It was missing a LOT of cleanup.
>     >
>     >
>     >     > +      free (fd);
>     >
>     >     What happens to the created blkdev the fd is passed into? Does that
>     need to be
>     >     destroyed before this is released?
> 
>     I do not know. I have not looked.
> 
>     > I didn't recognise that as an allocation. What's the destroy call for that?
> 
>     If the block dev holds the pointer and you have freed it bad things will happen.
> 
>     I have a funny feeling there was no block dev destroy when the code was written
>     and why there are no free's for this allocation.
> 
> 
> Is this one we should leave a version of the patch on the ticket, link to this
> threadz and walk away from? 

The patch is wrong so I do not think it is a good idea holding it on the ticket.

Walking away ... I have walked around this one for a while now so that is what
we have been doing but it does not resolve the coverity side of things.

> Or add block dev destroy? 

This is one option and would be a reasonable path but I am not sure how deep the
pit it opens is.

> What concerns me about
> that is that it is another layer in the onion we (Ryan and I) don't fully
> understand the interactions.

Yeah, this is where it gets hard. What does it mean if the nvdisk create fails?

> Is blocked destroy going to be just resources or will it have to interrupt
> outstanding work, etc?

I do not know.

Can this code be arrange so everything but the block dev create is done and if
that fails you can undo everything else?

Chris


More information about the devel mailing list