Date: Fri, 16 Jan 2004 16:01:31 -0800 (PST) From: Paul Twohey <twohey@CS.Stanford.EDU> To: freebsd-hackers@freebsd.org Subject: [CHECKER] bugs in FreeBSD Message-ID: <Pine.LNX.4.44.0401151659370.26554-100000@Xenon.Stanford.EDU>
next in thread | raw e-mail | index | archive | help
Hi, I'm with the Stanford Metacompilation research group. We have a suite of checkers that find bugs at compile time and we've had quite a bit of success checking the Linux kernel code for errors. Since our checkers can emit false alarms we filter the reports before we give them to the kernel developers. While some false alarms slip past us to the developers, our limited knowledge of the kernel allows us to recognize most of them. We are currently trying to extend our checker to automatically find functions which allocate resources and to make sure those resources are properly disposed of. Enclosed is a list of potential bugs in FreeBSD where a value is returned from a function (like malloc) that should be owned by the caller and the caller does not properly dispose of the value with the appropriate disposal routine (like free). Confirmation of these reports would be appreciated. Thanks Paul Twohey --------------------------------------------------------- [BUG] they do error checking at the end, so lose config. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/ata/ata-raid.c:1222:ar_highpoint_write_conf:ERROR:LEAK:1222:1222: pointer=config from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=6] microtime(×tamp); rdp->magic_0 = timestamp.tv_sec + 2; rdp->magic_1 = timestamp.tv_sec; for (disk = 0; disk < rdp->total_disks; disk++) { Error ---> if (!(config = (struct highpoint_raid_conf *) malloc(sizeof(struct highpoint_raid_conf), M_AR, M_NOWAIT | M_ZERO))) { printf("ar%d: Highpoint write conf failed\n", rdp->lun); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/ppbus/vpo.c:187:vpo_cam_rescan:ERROR:LEAK:187:192: pointer=ccb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=4] static void vpo_cam_rescan(struct vpo_data *vpo) { struct cam_path *path; Start ---> union ccb *ccb = malloc(sizeof(union ccb), M_TEMP, M_WAITOK | M_ZERO); if (xpt_create_path(&path, xpt_periph, cam_sim_path(vpo->sim), 0, 0) != CAM_REQ_CMP) { /* A failure is benign as the user can do a manual rescan */ Error ---> return; } xpt_setup_ccb(&ccb->ccb_h, path, 5/*priority (low)*/); --------------------------------------------------------- [BUG] though we should demote things that are not locals. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/ips/ips.c:148:ips_add_waiting_command:ERROR:LEAK:148:154: pointer=waiter from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=5] ips_command_t *command; ips_wait_list_t *waiter; unsigned long memflags = 0; if(IPS_NOWAIT_FLAG & flags) memflags = M_NOWAIT; Start ---> waiter = malloc(sizeof(ips_wait_list_t), M_DEVBUF, memflags); if(!waiter) return ENOMEM; mask = splbio(); if(sc->state & IPS_OFFLINE){ splx(mask); Error ---> return EIO; } command = SLIST_FIRST(&sc->free_cmd_list); if(command && !(sc->state & IPS_TIMEOUT)){ --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/sio/sio.c:497:sioprobe:ERROR:LEAK:497:504: pointer=port from RO=bus_alloc_resource(-1) [s=65,pop=65,pr=1.00] [rank=med] leaked! [z=1.0] [success=3] u_int flags = device_get_flags(dev); int rid; struct resource *port; rid = xrid; Start ---> port = bus_alloc_resource(dev, SYS_RES_IOPORT, &rid, 0, ~0, IO_COMSIZE, RF_ACTIVE); if (!port) return (ENXIO); com = malloc(sizeof(*com), M_DEVBUF, M_NOWAIT | M_ZERO); if (com == NULL) Error ---> return (ENOMEM); device_set_softc(dev, com); com->bst = rman_get_bustag(port); com->bsh = rman_get_bushandle(port); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/mly/mly.c:2023:mly_cam_rescan_btl:ERROR:LEAK:2023:2031: pointer=ccb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=4] { union ccb *ccb; debug_called(1); Start ---> if ((ccb = malloc(sizeof(union ccb), M_TEMP, M_WAITOK | M_ZERO)) == NULL) { mly_printf(sc, "rescan failed (can't allocate CCB)\n"); return; } if (xpt_create_path(&sc->mly_cam_path, xpt_periph, cam_sim_path(sc->mly_cam_sim[bus]), target, 0) != CAM_REQ_CMP) { mly_printf(sc, "rescan failed (can't create path)\n"); Error ---> return; } xpt_setup_ccb(&ccb->ccb_h, sc->mly_cam_path, 5/*priority (low)*/); ccb->ccb_h.func_code = XPT_SCAN_LUN; --------------------------------------------------------- [BUG] inferred bcopy. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../cam/scsi/scsi_low.c:966:scsi_low_rescan_bus_cam:ERROR:LEAK:966:974: pointer=ccb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=5][passed through 1 nros][NCO=bzero(0), s=85, pop=85, pr=1.00] static void scsi_low_rescan_bus_cam(slp) struct scsi_low_softc *slp; { struct cam_path *path; Start ---> union ccb *ccb = malloc(sizeof(union ccb), M_DEVBUF, M_WAITOK); cam_status status; bzero(ccb, sizeof(union ccb)); status = xpt_create_path(&path, xpt_periph, cam_sim_path(slp->sl_si.sim), -1, 0); if (status != CAM_REQ_CMP) Error ---> return; xpt_setup_ccb(&ccb->ccb_h, path, 5); ccb->ccb_h.func_code = XPT_SCAN_BUS; --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/ciss/ciss.c:2130:ciss_cam_rescan_target:ERROR:LEAK:2130:2138: pointer=ccb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=4] { union ccb *ccb; debug_called(1); Start ---> if ((ccb = malloc(sizeof(union ccb), M_TEMP, M_WAITOK | M_ZERO)) == NULL) { ciss_printf(sc, "rescan failed (can't allocate CCB)\n"); return; } if (xpt_create_path(&sc->ciss_cam_path, xpt_periph, cam_sim_path(sc->ciss_cam_sim), target, 0) != CAM_REQ_CMP) { ciss_printf(sc, "rescan failed (can't create path)\n"); Error ---> return; } xpt_setup_ccb(&ccb->ccb_h, sc->ciss_cam_path, 5/*priority (low)*/); --------------------------------------------------------- [BUG] i think it got lost. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../kern/uipc_socket.c:1608:soopt_getm:ERROR:LEAK:1608:1617: pointer=m from RO=m_get(-1) [s=46,pop=49,pr=1.00] [rank=med] leaked! [z=1.0] [success=2][passed through 1 nros][NCO=m_clget(0), s=54, pop=54, pr=1.00] sopt_size -= m->m_len; *mp = m; m_prev = m; while (sopt_size) { Start ---> MGET(m, sopt->sopt_td ? M_TRYWAIT : M_DONTWAIT, MT_DATA); if (m == 0) { m_freem(*mp); return ENOBUFS; } if (sopt_size > MLEN) { MCLGET(m, sopt->sopt_td ? M_TRYWAIT : M_DONTWAIT); if ((m->m_flags & M_EXT) == 0) { m_freem(*mp); Error ---> return ENOBUFS; } m->m_len = min(MCLBYTES, sopt_size); } else { --------------------------------------------------------- [BUG] indeed. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../isa/pnp.c:657:pnp_read_bytes:ERROR:LEAK:657:669: pointer=resources from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=7] int space = *spacep; int len = *lenp; if (space == 0) { space = 1024; Start ---> resources = malloc(space, M_TEMP, M_NOWAIT); if (!resources) return ENOMEM; } if (len + amount > space) { int extra = 1024; while (len + amount > space + extra) extra += 1024; newres = malloc(space + extra, M_TEMP, M_NOWAIT); if (!newres) { /* XXX: free resources */ Error ---> return ENOMEM; } bcopy(resources, newres, len); free(resources, M_TEMP); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/firewire/fwohci.c:1188:fwohci_db_init:ERROR:LEAK:1188:1201: pointer=db_tr from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=5] return; /* allocate DB entries and attach one to each DMA channels */ /* DB entry must start at 16 bytes bounary. */ STAILQ_INIT(&dbch->db_trq); Start ---> db_tr = (struct fwohcidb_tr *) malloc(sizeof(struct fwohcidb_tr) * dbch->ndb, M_FW, M_WAITOK | M_ZERO); if(db_tr == NULL){ printf("fwohci_db_init: malloc(1) failed\n"); return; } #define DB_SIZE(x) (sizeof(struct fwohcidb) * (x)->ndesc) dbch->am = fwdma_malloc_multiseg(&sc->fc, DB_SIZE(dbch), DB_SIZE(dbch), dbch->ndb, BUS_DMA_WAITOK); if (dbch->am == NULL) { printf("fwohci_db_init: fwdma_malloc_multiseg failed\n"); Error ---> return; } /* Attach DB to DMA ch. */ for(idb = 0 ; idb < dbch->ndb ; idb++){ --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/firewire/fwdev.c:579:fw_ioctl:ERROR:LEAK:579:593: pointer=fwb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=3] } if(bindreq->start.hi > 0xffff ){ err = EINVAL; break; } Start ---> fwb = (struct fw_bind *)malloc(sizeof (struct fw_bind), M_FW, M_NOWAIT); if(fwb == NULL){ err = ENOMEM; break; } fwb->start_hi = bindreq->start.hi; fwb->start_lo = bindreq->start.lo; fwb->addrlen = bindreq->len; fwb->sub = sub; fwb->act_type = FWACT_CH; xfer = fw_xfer_alloc(M_FWXFER); if(xfer == NULL){ err = ENOMEM; Error ---> return err; } xfer->fc = sc->fc; --------------------------------------------------------- [BUG] sure looks like an error, since they free it below. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/an/if_an.c:913:an_rxeof:ERROR:LEAK:913:932: pointer=m from RO=m_gethdr(-1) [s=74,pop=78,pr=1.00] [rank=med] leaked! [z=1.0] [success=2][passed through 1 nros][NCO=m_clget(0), s=54, pop=54, pr=1.00] rx_frame.an_rx_payload_len); } /* dump raw 802.11 packet to bpf and skip ip stack */ BPF_TAP(ifp, bpf_buf, len); } else { Start ---> MGETHDR(m, M_DONTWAIT, MT_DATA); ... DELETED 13 lines ... #ifdef ANCACHE /* Read NIC frame header */ if (an_read_data(sc, id, 0, (caddr_t)&rx_frame, sizeof(rx_frame))) { ifp->if_ierrors++; Error ---> return; } #endif /* Read in the 802_3 frame header */ --------------------------------------------------------- [BUG] actually, i'm not sure if it labelled pnp_get_resource_info correctly. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../isa/pnp.c:657:pnp_read_bytes:ERROR:LEAK:657:678: pointer=resources from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=7] int space = *spacep; int len = *lenp; if (space == 0) { space = 1024; Start ---> resources = malloc(space, M_TEMP, M_NOWAIT); ... DELETED 15 lines ... resources = newres; space += extra; } if (pnp_get_resource_info(resources + len, amount) != amount) Error ---> return EINVAL; len += amount; *resourcesp = resources; --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/dpt/dpt_scsi.c:1542:dpt_attach:ERROR:LEAK:1542:1571: pointer=devq from RO=cam_simq_alloc(-1) [s=21,pop=21,pr=0.99] [rank=med] leaked! [z=1.0] [success=3] int i; /* * Create the device queue for our SIM. */ Start ---> devq = cam_simq_alloc(dpt->max_dccbs); ... DELETED 23 lines ... } if (i > 0) EVENTHANDLER_REGISTER(shutdown_final, dptshutdown, dpt, SHUTDOWN_PRI_DEFAULT); Error ---> return (i); } int --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/iir/iir.c:500:iir_attach:ERROR:LEAK:500:530: pointer=devq from RO=cam_simq_alloc(-1) [s=21,pop=21,pr=0.99] [rank=med] leaked! [z=1.0] [success=3] GDT_DPRINTF(GDT_D_INIT, ("iir_attach()\n")); /* * Create the device queue for our SIM. */ Start ---> devq = cam_simq_alloc(GDT_MAXCMDS); ... DELETED 24 lines ... if (i > 0) EVENTHANDLER_REGISTER(shutdown_final, iir_shutdown, gdt, SHUTDOWN_PRI_DEFAULT); /* iir_watchdog(gdt); */ gdt->sc_state = GDT_NORMAL; Error ---> } static void gdt_eval_mapping(u_int32_t size, int *cyls, int *heads, int *secs) --------------------------------------------------------- [BUG] they lose all sorts of stuff. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/kbd/atkbd.c:361:atkbd_init:ERROR:LEAK:361:392: pointer=fkeymap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=10] } else if (*kbdp == NULL) { *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT | M_ZERO); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT | M_ZERO); keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); accmap = malloc(sizeof(accent_map), M_DEVBUF, M_NOWAIT); Start ---> fkeymap = malloc(sizeof(fkey_tab), M_DEVBUF, M_NOWAIT); ... DELETED 25 lines ... } if (!KBD_IS_PROBED(kbd)) { state->kbdc = atkbdc_open(data[0]); if (state->kbdc == NULL) Error ---> return ENXIO; kbd_init_struct(kbd, ATKBD_DRIVER_NAME, KB_OTHER, unit, flags, 0, 0); bcopy(&key_map, keymap, sizeof(key_map)); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/kbd/atkbd.c:360:atkbd_init:ERROR:LEAK:360:392: pointer=accmap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=10] sizeof(default_fkeytab)/sizeof(default_fkeytab[0]); } else if (*kbdp == NULL) { *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT | M_ZERO); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT | M_ZERO); keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); Start ---> accmap = malloc(sizeof(accent_map), M_DEVBUF, M_NOWAIT); ... DELETED 26 lines ... } if (!KBD_IS_PROBED(kbd)) { state->kbdc = atkbdc_open(data[0]); if (state->kbdc == NULL) Error ---> return ENXIO; kbd_init_struct(kbd, ATKBD_DRIVER_NAME, KB_OTHER, unit, flags, 0, 0); bcopy(&key_map, keymap, sizeof(key_map)); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/amr/amr_cam.c:143:amr_cam_attach:ERROR:LEAK:143:175: pointer=devq from RO=cam_simq_alloc(-1) [s=21,pop=21,pr=0.99] [rank=med] leaked! [z=1.0] [success=3] /* * Allocate a devq for all our channels combined. This should * allow for the maximum number of SCSI commands we will accept * at one time. */ Start ---> if ((devq = cam_simq_alloc(AMR_MAX_SCSI_CMDS)) == NULL) ... DELETED 26 lines ... } /* * XXX we should scan the config and work out which devices are actually * protected. */ Error ---> return(0); } /******************************************************************************** --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/kbd/atkbd.c:359:atkbd_init:ERROR:LEAK:359:392: pointer=keymap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=10] fkeymap_size = sizeof(default_fkeytab)/sizeof(default_fkeytab[0]); } else if (*kbdp == NULL) { *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT | M_ZERO); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT | M_ZERO); Start ---> keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); ... DELETED 27 lines ... } if (!KBD_IS_PROBED(kbd)) { state->kbdc = atkbdc_open(data[0]); if (state->kbdc == NULL) Error ---> return ENXIO; kbd_init_struct(kbd, ATKBD_DRIVER_NAME, KB_OTHER, unit, flags, 0, 0); bcopy(&key_map, keymap, sizeof(key_map)); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/kbd/atkbd.c:358:atkbd_init:ERROR:LEAK:358:392: pointer=state from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=8] fkeymap = default_fkeytab; fkeymap_size = sizeof(default_fkeytab)/sizeof(default_fkeytab[0]); } else if (*kbdp == NULL) { *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT | M_ZERO); Start ---> state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT | M_ZERO); ... DELETED 28 lines ... } if (!KBD_IS_PROBED(kbd)) { state->kbdc = atkbdc_open(data[0]); if (state->kbdc == NULL) Error ---> return ENXIO; kbd_init_struct(kbd, ATKBD_DRIVER_NAME, KB_OTHER, unit, flags, 0, 0); bcopy(&key_map, keymap, sizeof(key_map)); --------------------------------------------------------- [BUG] probably minor: it can happen if uio_resid == 0 (the error checking just flags if its < 0). /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../net/if_tun.c:719:tunwrite:ERROR:LEAK:719:761: pointer=m from RO=m_gethdr(-1) [s=74,pop=78,pr=1.00] [rank=med] leaked! [z=1.0] [success=3] return (EIO); } tlen = uio->uio_resid; /* get a header mbuf */ Start ---> MGETHDR(m, M_DONTWAIT, MT_DATA); ... DELETED 36 lines ... * Conveniently, we already have a 4-byte address * family prepended to our packet ! * Inconveniently, it's in the wrong byte order ! */ if ((top = m_pullup(top, sizeof(family))) == NULL) Error ---> return (ENOBUFS); *mtod(top, u_int32_t *) = ntohl(*mtod(top, u_int32_t *)); BPF_MTAP(ifp, top); --------------------------------------------------------- [BUG] i'm getting less sure about these type of errors, but it sure looks like a bug. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../kern/uipc_mbuf.c:656:m_devget:ERROR:LEAK:656:700: pointer=m from RO=m_gethdr(-1) [s=74,pop=78,pr=1.00] [rank=med] leaked! [z=1.0] [success=6] int len; if (off < 0 || off > MHLEN) return (NULL); Start ---> MGETHDR(m, M_DONTWAIT, MT_DATA); ... DELETED 38 lines ... buf += len; *mp = m; mp = &m->m_next; totlen -= len; } Error ---> return (top); } /* --------------------------------------------------------- [BUG] there are similar errors in dev/kbd/atkbd.c /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/ukbd.c:522:ukbd_init:ERROR:LEAK:522:581: pointer=state from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=8] } else if (*kbdp == NULL) { *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT); if (kbd == NULL) return ENOMEM; bzero(kbd, sizeof(*kbd)); Start ---> state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT); ... DELETED 53 lines ... } if (!KBD_IS_INITIALIZED(kbd) && !(flags & KB_CONF_PROBE_ONLY)) { if (KBD_HAS_DEVICE(kbd) && init_keyboard((ukbd_state_t *)kbd->kb_data, &kbd->kb_type, kbd->kb_flags)) Error ---> return ENXIO; ukbd_ioctl(kbd, KDSETLED, (caddr_t)&(state->ks_state)); KBD_INIT_DONE(kbd); } --------------------------------------------------------- [BUG] does lose on default. "impossible" though. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/ata/ata-raid.c:704:arstrategy:ERROR:LEAK:704:829: pointer=buf1 from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=1.0] [success=15] bp->bio_error = EIO; biodone(bp); return; } Start ---> buf1 = malloc(sizeof(struct ar_buf), M_AR, M_NOWAIT | M_ZERO); ... DELETED 119 lines ... default: printf("ar%d: unknown array type in arstrategy\n", rdp->lun); } } Error ---> } static void ar_done(struct bio *bp) --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/pst/pst-iop.c:341:iop_get_util_params:ERROR:LEAK:341:347: pointer=param from RO=contigmalloc(-1) [s=4,pop=4,pr=0.57] [rank=med] leaked! [z=0.6] [success=3] struct i2o_util_get_param_message *msg; struct i2o_get_param_operation *param; struct i2o_get_param_reply *reply; int mfa; Start ---> if (!(param = contigmalloc(PAGE_SIZE, M_PSTIOP, M_NOWAIT | M_ZERO, 0x00010000, 0xFFFFFFFF, PAGE_SIZE, 0))) return NULL; if (!(reply = contigmalloc(PAGE_SIZE, M_PSTIOP, M_NOWAIT | M_ZERO, 0x00010000, 0xFFFFFFFF, PAGE_SIZE, 0))) Error ---> return NULL; mfa = iop_get_mfa(sc); msg = (struct i2o_util_get_param_message *)(sc->ibase + mfa); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/mlx/mlx.c:1870:mlx_user_command:ERROR:LEAK:1870:1878: pointer=mc from RO=mlx_alloccmd(-1) [s=6,pop=8,pr=0.57] [rank=med] leaked! [z=0.6] [success=2] mc = NULL; dcdb = NULL; error = ENOMEM; /* get ourselves a command and copy in from user space */ Start ---> if ((mc = mlx_alloccmd(sc)) == NULL) goto out; bcopy(mu->mu_command, mc->mc_mailbox, sizeof(mc->mc_mailbox)); debug(0, "got command buffer"); /* if we need a buffer for data transfer, allocate one and copy in its initial contents */ if (mu->mu_datasize > 0) { if (mu->mu_datasize > MAXPHYS) Error ---> return (EINVAL); if (((kbuf = malloc(mu->mu_datasize, M_DEVBUF, M_WAITOK)) == NULL) || (error = copyin(mu->mu_buf, kbuf, mu->mu_datasize))) goto out; --------------------------------------------------------- [BUG] I think this is a bug. if command is null, it still fails out, and there is no other pointer to mc. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/mlx/mlx.c:1467:mlx_enquire:ERROR:LEAK:1467:1512: pointer=mc from RO=mlx_alloccmd(-1) [s=6,pop=8,pr=0.57] [rank=med] leaked! [z=0.6] [success=2] debug_called(1); /* get ourselves a command buffer */ error = 1; result = NULL; Start ---> if ((mc = mlx_alloccmd(sc)) == NULL) ... DELETED 39 lines ... /* we got an error, and we allocated a result */ if ((error != 0) && (result != NULL)) { free(result, M_DEVBUF); result = NULL; } Error ---> return(result); } --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/umass.c:2123:umass_cam_rescan:ERROR:LEAK:2123:2135: pointer=ccb from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=0.4] [success=5][passed through 1 nros][NCO=memset(0), s=3, pop=3, pr=0.43] Static void umass_cam_rescan(void *addr) { struct umass_softc *sc = (struct umass_softc *) addr; struct cam_path *path; Start ---> union ccb *ccb = malloc(sizeof(union ccb), M_USBDEV, M_WAITOK); memset(ccb, 0, sizeof(union ccb)); DPRINTF(UDMASS_SCSI, ("scbus%d: scanning for %s:%d:%d:%d\n", cam_sim_path(sc->umass_sim), USBDEVNAME(sc->sc_dev), cam_sim_path(sc->umass_sim), USBDEVUNIT(sc->sc_dev), CAM_LUN_WILDCARD)); if (xpt_create_path(&path, xpt_periph, cam_sim_path(sc->umass_sim), CAM_TARGET_WILDCARD, CAM_LUN_WILDCARD) != CAM_REQ_CMP) Error ---> return; xpt_setup_ccb(&ccb->ccb_h, path, 5/*priority (low)*/); ccb->ccb_h.func_code = XPT_SCAN_BUS; --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/ukbd.c:525:ukbd_init:ERROR:LEAK:525:562: pointer=fkeymap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=0.3] [success=9][passed through 2 nros][NCO=bcopy(1), s=61, pop=61, pr=1.00][NCO=kbd_set_maps(3), s=2, pop=2, pr=0.31] return ENOMEM; bzero(kbd, sizeof(*kbd)); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT); keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); accmap = malloc(sizeof(accent_map), M_DEVBUF, M_NOWAIT); Start ---> fkeymap = malloc(sizeof(fkey_tab), M_DEVBUF, M_NOWAIT); ... DELETED 31 lines ... imin(fkeymap_size*sizeof(fkeymap[0]), sizeof(fkey_tab))); kbd_set_maps(kbd, keymap, accmap, fkeymap, fkeymap_size); kbd->kb_data = (void *)state; if (probe_keyboard(uaa, flags)) Error ---> return ENXIO; else KBD_FOUND_DEVICE(kbd); ukbd_clear_state(kbd); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/ukbd.c:524:ukbd_init:ERROR:LEAK:524:562: pointer=accmap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=0.3] [success=9][passed through 2 nros][NCO=bcopy(1), s=61, pop=61, pr=1.00][NCO=kbd_set_maps(2), s=2, pop=2, pr=0.31] if (kbd == NULL) return ENOMEM; bzero(kbd, sizeof(*kbd)); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT); keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); Start ---> accmap = malloc(sizeof(accent_map), M_DEVBUF, M_NOWAIT); ... DELETED 32 lines ... imin(fkeymap_size*sizeof(fkeymap[0]), sizeof(fkey_tab))); kbd_set_maps(kbd, keymap, accmap, fkeymap, fkeymap_size); kbd->kb_data = (void *)state; if (probe_keyboard(uaa, flags)) Error ---> return ENXIO; else KBD_FOUND_DEVICE(kbd); ukbd_clear_state(kbd); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/ukbd.c:523:ukbd_init:ERROR:LEAK:523:562: pointer=keymap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=0.3] [success=9][passed through 2 nros][NCO=bcopy(1), s=61, pop=61, pr=1.00][NCO=kbd_set_maps(1), s=2, pop=2, pr=0.31] *kbdp = kbd = malloc(sizeof(*kbd), M_DEVBUF, M_NOWAIT); if (kbd == NULL) return ENOMEM; bzero(kbd, sizeof(*kbd)); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT); Start ---> keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); ... DELETED 33 lines ... imin(fkeymap_size*sizeof(fkeymap[0]), sizeof(fkey_tab))); kbd_set_maps(kbd, keymap, accmap, fkeymap, fkeymap_size); kbd->kb_data = (void *)state; if (probe_keyboard(uaa, flags)) Error ---> return ENXIO; else KBD_FOUND_DEVICE(kbd); ukbd_clear_state(kbd); --------------------------------------------------------- [BUG] /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../dev/usb/ukbd.c:525:ukbd_init:ERROR:LEAK:525:581: pointer=fkeymap from RO=malloc(-1) [s=550,pop=551,pr=1.00] [rank=med] leaked! [z=0.3] [success=9][passed through 2 nros][NCO=bcopy(1), s=61, pop=61, pr=1.00][NCO=kbd_set_maps(3), s=2, pop=2, pr=0.31] return ENOMEM; bzero(kbd, sizeof(*kbd)); state = malloc(sizeof(*state), M_DEVBUF, M_NOWAIT); keymap = malloc(sizeof(key_map), M_DEVBUF, M_NOWAIT); accmap = malloc(sizeof(accent_map), M_DEVBUF, M_NOWAIT); Start ---> fkeymap = malloc(sizeof(fkey_tab), M_DEVBUF, M_NOWAIT); ... DELETED 50 lines ... } if (!KBD_IS_INITIALIZED(kbd) && !(flags & KB_CONF_PROBE_ONLY)) { if (KBD_HAS_DEVICE(kbd) && init_keyboard((ukbd_state_t *)kbd->kb_data, &kbd->kb_type, kbd->kb_flags)) Error ---> return ENXIO; ukbd_ioctl(kbd, KDSETLED, (caddr_t)&(state->ks_state)); KBD_INIT_DONE(kbd); } --------------------------------------------------------- [BUG] i'm not really sure --- m is a param, so if m_pullup returns something different, it gets lost. /u2/engler/mc/freebsd/sys/i386/compile/GENERIC/../../../netinet/ip_output.c:1286:in_delayed_cksum:ERROR:LEAK:1286:1289: pointer=m from RO=m_pullup(-1) [s=56,pop=57,pr=1.00] [rank=hard] leaked! [z=1.0] [success=0] * XXX * this shouldn't happen, but if it does, the * correct behavior may be to insert the checksum * in the existing chain instead of rearranging it. */ Start ---> m = m_pullup(m, offset + sizeof(u_short)); } *(u_short *)(m->m_data + offset) = csum; Error ---> } /* * Insert IP options into preformed packet.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.4.44.0401151659370.26554-100000>