In function device_init_td0_ring, memory is allocated for member
td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
allocation failure, the memory is freed in reversed order, with i
decreasing to 0. However, the case i=0 is left out and thus memory is
leaked.

Modify the memory freeing loop to include the case i=0.

Signed-off-by: Nam Cao <namcaov@gmail.com>
---
 drivers/staging/vt6655/device_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index 3397c78b975a..a65014195fdc 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -743,7 +743,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
 	return 0;
 
 err_free_desc:
-	while (--i) {
+	while (i--) {
 		desc = &priv->apTD0Rings[i];
 		kfree(desc->td_info);
 	}
-- 
2.25.1

I did not realize this initially, but this bug can cause more serious problem
than just a memory leak. In the case that kzalloc fails right from the
beginning with i=0; then in the while loop, "i" will wrap around and the code
will access priv->apTD0Rings[4294967295] which is obviously not good.

Best regards,
Nam

On Fri, Sep 09, 2022 at 04:42:05PM +0200, Nam Cao wrote:
> I did not realize this initially, but this bug can cause more serious problem
> than just a memory leak. In the case that kzalloc fails right from the
> beginning with i=0; then in the while loop, "i" will wrap around and the code
> will access priv->apTD0Rings[4294967295] which is obviously not good.
> 

True.  You probably want to resend with that added to the commit
message.  I will create a Smatch check to prevent these in the future.

regards,
dan carpenter

On Mon, Sep 12, 2022 at 05:17:28PM +0300, Dan Carpenter wrote:
> On Fri, Sep 09, 2022 at 04:42:05PM +0200, Nam Cao wrote:
> > I did not realize this initially, but this bug can cause more serious problem
> > than just a memory leak. In the case that kzalloc fails right from the
> > beginning with i=0; then in the while loop, "i" will wrap around and the code
> > will access priv->apTD0Rings[4294967295] which is obviously not good.
> > 
> 
> True.  You probably want to resend with that added to the commit
> message.  I will create a Smatch check to prevent these in the future.
> 

I created a static checker warning for these and it found a bunch more
bugs in the same file.

drivers/staging/vt6655/device_main.c:635 device_init_rd0_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:636 device_init_rd0_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:681 device_init_rd1_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:682 device_init_rd1_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:746 device_init_td0_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:747 device_init_td0_ring() warn: using underflowed offset 'i'
drivers/staging/vt6655/device_main.c:786 device_init_td1_ring() warn: potential decrement underflow 'i' rl='s32min-(-1)' (iterator)
drivers/staging/vt6655/device_main.c:787 device_init_td1_ring() warn: using underflowed offset 'i'

Could you fix those as well?  They're all the same bug and the same file
so I would do it all at once.  They were introduced in the same patch
as well so only one Fixes tag required.

regards,
dan carpenter

On 9/9/22 16:13, Nam Cao wrote:
> In function device_init_td0_ring, memory is allocated for member
> td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
> allocation failure, the memory is freed in reversed order, with i
> decreasing to 0. However, the case i=0 is left out and thus memory is
> leaked.
> 
> Modify the memory freeing loop to include the case i=0.
> 
> Signed-off-by: Nam Cao <namcaov@gmail.com>
> ---
>   drivers/staging/vt6655/device_main.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
> index 3397c78b975a..a65014195fdc 100644
> --- a/drivers/staging/vt6655/device_main.c
> +++ b/drivers/staging/vt6655/device_main.c
> @@ -743,7 +743,7 @@ static int device_init_td0_ring(struct vnt_private *priv)
>   	return 0;
>   
>   err_free_desc:
> -	while (--i) {
> +	while (i--) {
>   		desc = &priv->apTD0Rings[i];
>   		kfree(desc->td_info);
>   	}

Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>

On Fri, Sep 09, 2022 at 04:13:39PM +0200, Nam Cao wrote:
> In function device_init_td0_ring, memory is allocated for member
> td_info of priv->apTD0Rings[i], with i increasing from 0. In case of
> allocation failure, the memory is freed in reversed order, with i
> decreasing to 0. However, the case i=0 is left out and thus memory is
> leaked.
> 
> Modify the memory freeing loop to include the case i=0.
> 
> Signed-off-by: Nam Cao <namcaov@gmail.com>

Looks good.  Please add a Fixes tag, and CC all the people who were
involved with the original patch so they can review it.

Fixes: 5341ee0adb17 ("staging: vt6655: check for memory allocation failures")

I actually wrote that buggy code and Ji-Hun copied it from me, so my
bad.  Sorry!

regards,
dan carpenter