infiniband: hfi1: fix a memory leak bug [Linux 4.19.72]

This Linux kernel change "infiniband: hfi1: fix a memory leak bug" is included in the Linux 4.19.72 release. This change is authored by Wenwen Wang <wenwen [at] cs.uga.edu> on Sun Aug 18 14:29:31 2019 -0500. The commit for this change in Linux stable tree is d1b7f32 (patch) which is from upstream commit b08afa0. The same Linux upstream change may have been applied to various maintained Linux releases and you can find all Linux releases containing changes from upstream b08afa0.

infiniband: hfi1: fix a memory leak bug

[ Upstream commit b08afa064c320e5d85cdc27228426b696c4c8dae ]

In fault_opcodes_read(), 'data' is not deallocated if debugfs_file_get()
fails, leading to a memory leak. To fix this bug, introduce the 'free_data'
label to free 'data' before returning the error.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Acked-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Link: https://lore.kernel.org/r/1566156571-4335-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

There are 3 lines of Linux source code added/deleted in this change. Code changes to Linux kernel are as follows.

 drivers/infiniband/hw/hfi1/fault.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
index 7eaff4d..72ca0dc 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -214,7 +214,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
        return -ENOMEM;
    ret = debugfs_file_get(file->f_path.dentry);
    if (unlikely(ret))
-       return ret;
+       goto free_data;
    bit = find_first_bit(fault->opcodes, bitsize);
    while (bit < bitsize) {
        zero = find_next_zero_bit(fault->opcodes, bitsize, bit);
@@ -232,6 +232,7 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
    data[size - 1] = '\n';
    data[size] = '\0';
    ret = simple_read_from_buffer(buf, len, pos, data, size);
+free_data:
    kfree(data);
    return ret;
 }

Leave a Reply

Your email address will not be published. Required fields are marked *