From: Yongxin Liu <[email protected]>

The intel_pmc_ipc() function uses ACPI_ALLOCATE_BUFFER to allocate memory
for the ACPI evaluation result but never frees it, causing a 192-byte
memory leak on each call.

This leak is triggered during network interface initialization when the
stmmac driver calls intel_mac_finish() -> intel_pmc_ipc().

  unreferenced object 0xffff96a848d6ea80 (size 192):
    comm "dhcpcd", pid 541, jiffies 4294684345
    hex dump (first 32 bytes):
      04 00 00 00 05 00 00 00 98 ea d6 48 a8 96 ff ff  ...........H....
      00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
    backtrace (crc b1564374):
      kmemleak_alloc+0x2d/0x40
      __kmalloc_noprof+0x2fa/0x730
      acpi_ut_initialize_buffer+0x83/0xc0
      acpi_evaluate_object+0x29a/0x2f0
      intel_pmc_ipc+0xfd/0x170
      intel_mac_finish+0x168/0x230
      stmmac_mac_finish+0x3d/0x50
      phylink_major_config+0x22b/0x5b0
      phylink_mac_initial_config.constprop.0+0xf1/0x1b0
      phylink_start+0x8e/0x210
      __stmmac_open+0x12c/0x2b0
      stmmac_open+0x23c/0x380
      __dev_open+0x11d/0x2c0
      __dev_change_flags+0x1d2/0x250
      netif_change_flags+0x2b/0x70
      dev_change_flags+0x40/0xb0

Add kfree() to properly release the allocated buffer.

Cc: [email protected]
Fixes: 7e2f7e25f6ff ("arch: x86: add IPC mailbox accessor function and add SoC 
register access")
Signed-off-by: Yongxin Liu <[email protected]>
---
 arch/x86/platform/intel/pmc_ipc.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/arch/x86/platform/intel/pmc_ipc.c 
b/arch/x86/platform/intel/pmc_ipc.c
index a96234982710..85ec9e0d8312 100644
--- a/arch/x86/platform/intel/pmc_ipc.c
+++ b/arch/x86/platform/intel/pmc_ipc.c
@@ -28,7 +28,7 @@ int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, u32 *rbuf)
        };
        struct acpi_object_list arg_list = { PMC_IPCS_PARAM_COUNT, params };
        union acpi_object *obj;
-       int status;
+       int status, ret = 0;
 
        if (!ipc_cmd || !rbuf)
                return -EINVAL;
@@ -56,18 +56,22 @@ int intel_pmc_ipc(struct pmc_ipc_cmd *ipc_cmd, u32 *rbuf)
        if (obj && obj->type == ACPI_TYPE_PACKAGE && obj->package.count == 5) {
                const union acpi_object *objs = obj->package.elements;
 
-               if ((u8)objs[0].integer.value != 0)
-                       return -EINVAL;
+               if ((u8)objs[0].integer.value != 0) {
+                       ret = -EINVAL;
+                       goto out;
+               }
 
                rbuf[0] = objs[1].integer.value;
                rbuf[1] = objs[2].integer.value;
                rbuf[2] = objs[3].integer.value;
                rbuf[3] = objs[4].integer.value;
        } else {
-               return -EINVAL;
+               ret = -EINVAL;
        }
 
-       return 0;
+out:
+       kfree(obj);
+       return ret;
 }
 EXPORT_SYMBOL(intel_pmc_ipc);
 
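Review bot: The package branch checks `obj->package.count == 5` but never checks that each element is `ACPI_TYPE_INTEGER` before reading `objs[n].integer.value`. If the firmware method returned a different element type, an unrelated union member would be truncated into `rbuf` and handed to the caller as valid data. A guard over the five elements, such as `if (objs[i].type != ACPI_TYPE_INTEGER) { ret = -EINVAL; goto out; }`, placed before the status test on `objs[0]`, fits the new single-exit path. The function body between the argument check and this hunk is not visible here, so it is worth confirming that any return taken after a successful `acpi_evaluate_object()` also goes through `out:`. Otherwise that path still leaks the buffer.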
-- 
2.49.1
