ata: pata_parport: fix memory leaks

When ida_alloc() fails, "pi" is not freed although the misleading
comment says otherwise.
Move the ida_alloc() call up so we really don't have to free "pi" in
case of ida_alloc() failure.

Also move ida_free() call from pi_remove_one() to
pata_parport_dev_release(). It was dereferencing already freed dev
pointer.

Testing revealed leak even in non-failure case which was tracked down
to missing put_device() call after bus_find_device_by_name(). As a
result, pata_parport_dev_release() was never called.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <error27@gmail.com>
Link: https://lore.kernel.org/r/202303111822.IHNchbkp-lkp@intel.com/
Signed-off-by: Ondrej Zary <linux@zary.sk>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>

diff --git a/drivers/ata/pata_parport/pata_parport.c b/drivers/ata/pata_parport/pata_parport.c
index 31c9677a45e333aa0d07ed9c87cac5b0ba09c6ed..c1576d943b4364b861c85ec609fd51c21dbe46d4 100644 (file)
--- a/drivers/ata/pata_parport/pata_parport.c
+++ b/drivers/ata/pata_parport/pata_parport.c
@@ -381,6 +381,7 @@ static void pata_parport_dev_release(struct device *dev)
 {
        struct pi_adapter *pi = container_of(dev, struct pi_adapter, dev);
 
+       ida_free(&pata_parport_bus_dev_ids, dev->id);
        kfree(pi);
 }
 
@@ -433,23 +434,27 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
        if (bus_for_each_dev(&pata_parport_bus_type, NULL, &match, pi_find_dev))
                return NULL;
 
+       id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
+       if (id < 0)
+               return NULL;
+
        pi = kzalloc(sizeof(struct pi_adapter), GFP_KERNEL);
-       if (!pi)
+       if (!pi) {
+               ida_free(&pata_parport_bus_dev_ids, id);
                return NULL;
+       }
 
        /* set up pi->dev before pi_probe_unit() so it can use dev_printk() */
        pi->dev.parent = &pata_parport_bus;
        pi->dev.bus = &pata_parport_bus_type;
        pi->dev.driver = &pr->driver;
        pi->dev.release = pata_parport_dev_release;
-       id = ida_alloc(&pata_parport_bus_dev_ids, GFP_KERNEL);
-       if (id < 0)
-               return NULL; /* pata_parport_dev_release will do kfree(pi) */
        pi->dev.id = id;
        dev_set_name(&pi->dev, "pata_parport.%u", pi->dev.id);
        if (device_register(&pi->dev)) {
                put_device(&pi->dev);
-               goto out_ida_free;
+               /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
+               return NULL;
        }
 
        pi->proto = pr;
@@ -464,8 +469,7 @@ static struct pi_adapter *pi_init_one(struct parport *parport,
        pi->port = parport->base;
 
        par_cb.private = pi;
-       pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb,
-                                               pi->dev.id);
+       pi->pardev = parport_register_dev_model(parport, DRV_NAME, &par_cb, id);
        if (!pi->pardev)
                goto out_module_put;
 
@@ -501,8 +505,7 @@ out_module_put:
        module_put(pi->proto->owner);
 out_unreg_dev:
        device_unregister(&pi->dev);
-out_ida_free:
-       ida_free(&pata_parport_bus_dev_ids, pi->dev.id);
+       /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
        return NULL;
 }
 
@@ -627,8 +630,7 @@ static void pi_remove_one(struct device *dev)
        pi_disconnect(pi);
        pi_release(pi);
        device_unregister(dev);
-       ida_free(&pata_parport_bus_dev_ids, dev->id);
-       /* pata_parport_dev_release will do kfree(pi) */
+       /* pata_parport_dev_release will do ida_free(dev->id) and kfree(pi) */
 }
 
 static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
@@ -644,6 +646,7 @@ static ssize_t delete_device_store(struct bus_type *bus, const char *buf,
        }
 
        pi_remove_one(dev);
+       put_device(dev);
        mutex_unlock(&pi_mutex);
 
        return count;