Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 24 Oct 2008 11:31:56 GMT
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/128335: [patch][cpufreq] Missing call to sbuf_delete() in two sysctl handlers 
Message-ID:  <200810241131.m9OBVujn051028@www.freebsd.org>
Resent-Message-ID: <200810241140.m9OBe150034285@freefall.freebsd.org>
index | next in thread | raw e-mail 


>Number:         128335
>Category:       kern
>Synopsis:       [patch][cpufreq] Missing call to sbuf_delete() in two sysctl handlers
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 24 11:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Mateusz Guzik
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD eternal 8.0-CURRENT FreeBSD 8.0-CURRENT #14: Mon Sep 15 17:38:51 CEST 2008     f@eternal:/usr/obj/srv/build/CURRENT/src/sys/ETERNAL  i386

>Description:
cpufreq_levels_sysctl and cpufreq_settings_sysctl do the following:

sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
[..]
sets = malloc(set_count * sizeof(*sets), M_TEMP, M_NOWAIT);
if (sets == NULL)
                return (ENOMEM);

So it's possible that these function will return without freeing sb.
>How-To-Repeat:

>Fix:
Patch is attached.

Patch attached with submission follows:

--- sys/kern/kern_cpu.c.orig	2008-10-23 22:59:45.000000000 +0200
+++ sys/kern/kern_cpu.c	2008-10-23 23:00:57.000000000 +0200
@@ -919,8 +919,10 @@
 	/* Get settings from the device and generate the output string. */
 	count = CF_MAX_LEVELS;
 	levels = malloc(count * sizeof(*levels), M_TEMP, M_NOWAIT);
-	if (levels == NULL)
+	if (levels == NULL) {
+		sbuf_delete(&sb);
 		return (ENOMEM);
+	}
 	error = CPUFREQ_LEVELS(sc->dev, levels, &count);
 	if (error) {
 		if (error == E2BIG)
@@ -958,8 +960,10 @@
 	/* Get settings from the device and generate the output string. */
 	set_count = MAX_SETTINGS;
 	sets = malloc(set_count * sizeof(*sets), M_TEMP, M_NOWAIT);
-	if (sets == NULL)
+	if (sets == NULL) {
+		sbuf_delete(&sb);
 		return (ENOMEM);
+	}
 	error = CPUFREQ_DRV_SETTINGS(dev, sets, &set_count);
 	if (error)
 		goto out;


>Release-Note:
>Audit-Trail:
>Unformatted:
help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810241131.m9OBVujn051028>