Re: memory leaks in bwfm
The code hands off the reponsibility of ctl and ctl->buf to bs_txctl
which will free both buffers if there is an error enqueueing the
command. Only if bs_txctl succeeds in enqueueing and there is a
response timeout we can free it. Thus, not ok. If this pattern
is not understandable then we can work on that, but the diff as is
will add double frees on error.
On Tue, Sep 18, 2018 at 03:52:45PM +1000, Jonathan Gray wrote:
> Index: bwfm.c
> ===
> RCS file: /cvs/src/sys/dev/ic/bwfm.c,v
> retrieving revision 1.54
> diff -u -p -r1.54 bwfm.c
> --- bwfm.c25 Jul 2018 20:37:11 - 1.54
> +++ bwfm.c18 Sep 2018 05:21:30 -
> @@ -1297,6 +1297,7 @@ bwfm_proto_bcdc_query_dcmd(struct bwfm_s
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1337,6 +1338,7 @@ bwfm_proto_bcdc_set_dcmd(struct bwfm_sof
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
> DPRINTF(("%s: txctl failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1361,6 +1363,7 @@ bwfm_proto_bcdc_txctl(struct bwfm_softc
>
> if (sc->sc_bus_ops->bs_txctl(sc, ctl)) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(ctl, M_TEMP, sizeof(*ctl));
> return 1;
> }
>
>
Re: memory leaks in bwfm
On Tue, Sep 18, 2018 at 03:52:45PM +1000, Jonathan Gray wrote:
> Index: bwfm.c
> ===
> RCS file: /cvs/src/sys/dev/ic/bwfm.c,v
> retrieving revision 1.54
> diff -u -p -r1.54 bwfm.c
> --- bwfm.c25 Jul 2018 20:37:11 - 1.54
> +++ bwfm.c18 Sep 2018 05:21:30 -
> @@ -1297,6 +1297,7 @@ bwfm_proto_bcdc_query_dcmd(struct bwfm_s
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1337,6 +1338,7 @@ bwfm_proto_bcdc_set_dcmd(struct bwfm_sof
>
> if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
> DPRINTF(("%s: txctl failed\n", DEVNAME(sc)));
> + free(dcmd, M_TEMP, size);
> return ret;
> }
>
> @@ -1361,6 +1363,7 @@ bwfm_proto_bcdc_txctl(struct bwfm_softc
>
> if (sc->sc_bus_ops->bs_txctl(sc, ctl)) {
> DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
> + free(ctl, M_TEMP, sizeof(*ctl));
> return 1;
> }
>
>
There is now the possibility of a double free because of the timeout code
in bwfm_proto_bcdc_txctl(). That code does:
if (timeout) {
TAILQ_REMOVE(>sc_bcdc_rxctlq, ctl, next);
DPRINTF(("%s: timeout waiting for txctl response\n",
DEVNAME(sc)));
free(ctl->buf, M_TEMP, ctl->len);
free(ctl, M_TEMP, sizeof(*ctl));
return 1;
}
Since ctl->buf is the dcmd from e.g. bwfm_proto_bcdc_set_dcmd this results
in a double free of dcmd. I would suggest to remove the
free(ctl->buf, M_TEMP, ctl->len);
from that timeout block and then the diff is OK.
--
:wq Claudio
memory leaks in bwfm
Index: bwfm.c
===
RCS file: /cvs/src/sys/dev/ic/bwfm.c,v
retrieving revision 1.54
diff -u -p -r1.54 bwfm.c
--- bwfm.c 25 Jul 2018 20:37:11 - 1.54
+++ bwfm.c 18 Sep 2018 05:21:30 -
@@ -1297,6 +1297,7 @@ bwfm_proto_bcdc_query_dcmd(struct bwfm_s
if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
+ free(dcmd, M_TEMP, size);
return ret;
}
@@ -1337,6 +1338,7 @@ bwfm_proto_bcdc_set_dcmd(struct bwfm_sof
if (bwfm_proto_bcdc_txctl(sc, reqid, (char *)dcmd, )) {
DPRINTF(("%s: txctl failed\n", DEVNAME(sc)));
+ free(dcmd, M_TEMP, size);
return ret;
}
@@ -1361,6 +1363,7 @@ bwfm_proto_bcdc_txctl(struct bwfm_softc
if (sc->sc_bus_ops->bs_txctl(sc, ctl)) {
DPRINTF(("%s: tx failed\n", DEVNAME(sc)));
+ free(ctl, M_TEMP, sizeof(*ctl));
return 1;
}
