Hi all,
I have some doubts about the patch - "ipack/carriers/tpci200: Fix a
double free in tpci200_pci_probe".
> In the out_err_bus_register error branch of tpci200_pci_probe,
> tpci200->info->cfg_regs is freed by tpci200_uninstall()->
> tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
> in the first time.
>From my code review, although pci_iounmap takes
"tpci200->info->cfg_regs" as its 2nd parameter, the implementation of
pci_iounmap may not use this parameter.
Depending on if CONFIG_PCI defines, the "tpci200->info->cfg_regs" may
not be freed.
#ifdef CONFIG_PCI
/* Destroy a virtual mapping cookie for a PCI BAR (memory or IO) */
struct pci_dev;
extern void pci_iounmap(struct pci_dev *dev, void __iomem *);
#elif defined(CONFIG_GENERIC_IOMAP)
struct pci_dev;
static inline void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
{ }
#endif
> But later, iounmap() is called to free tpci200->info->cfg_regs again.
Even if CONFIG_PCI is undefined, it is possible that
tpci200->info->cfg_regs is not freed at all. Therefore, this patch
would cause memory leak. Take a look at the following code:
void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
{
IO_COND(addr, /* nothing */, iounmap(addr));
}
#define IO_COND(addr, is_pio, is_mmio) do { \
unsigned long port = (unsigned long __force)addr; \
if (port >= PIO_RESERVED) { \
is_mmio; \
} else if (port > PIO_OFFSET) { \
port &= PIO_MASK; \
is_pio; \
} else \
bad_io_access(port, #is_pio ); \
} while (0)
If I make any mistakes, please let me know.
--
My best regards to you.
No System Is Safe!
Dongliang Mu
_______________________________________________
Industrypack-devel mailing list
Industrypack-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/industrypack-devel
