From nobody@FreeBSD.org  Fri Oct 24 11:31:56 2008
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E7094106567A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 24 Oct 2008 11:31:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id D58558FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 24 Oct 2008 11:31:56 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id m9OBVu45051029
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 24 Oct 2008 11:31:56 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id m9OBVujn051028;
	Fri, 24 Oct 2008 11:31:56 GMT
	(envelope-from nobody)
Message-Id: <200810241131.m9OBVujn051028@www.freebsd.org>
Date: Fri, 24 Oct 2008 11:31:56 GMT
From: Mateusz Guzik <mjguzik@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch][cpufreq] Missing call to sbuf_delete() in two sysctl handlers 
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         128335
>Category:       kern
>Synopsis:       [patch] [cpufreq] Missing call to sbuf_delete() in two sysctl handlers
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    brueffer
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 24 11:40:01 UTC 2008
>Closed-Date:    Fri Jan 22 18:08:57 CET 2010
>Last-Modified:  Fri Jan 22 18:08:57 CET 2010
>Originator:     Mateusz Guzik
>Release:        8.0-CURRENT
>Organization:
>Environment:
FreeBSD eternal 8.0-CURRENT FreeBSD 8.0-CURRENT #14: Mon Sep 15 17:38:51 CEST 2008     f@eternal:/usr/obj/srv/build/CURRENT/src/sys/ETERNAL  i386

>Description:
cpufreq_levels_sysctl and cpufreq_settings_sysctl do the following:

sbuf_new(&sb, NULL, 128, SBUF_AUTOEXTEND);
[..]
sets = malloc(set_count * sizeof(*sets), M_TEMP, M_NOWAIT);
if (sets == NULL)
                return (ENOMEM);

So it's possible that these function will return without freeing sb.
>How-To-Repeat:

>Fix:
Patch is attached.

Patch attached with submission follows:

--- sys/kern/kern_cpu.c.orig	2008-10-23 22:59:45.000000000 +0200
+++ sys/kern/kern_cpu.c	2008-10-23 23:00:57.000000000 +0200
@@ -919,8 +919,10 @@
 	/* Get settings from the device and generate the output string. */
 	count = CF_MAX_LEVELS;
 	levels = malloc(count * sizeof(*levels), M_TEMP, M_NOWAIT);
-	if (levels == NULL)
+	if (levels == NULL) {
+		sbuf_delete(&sb);
 		return (ENOMEM);
+	}
 	error = CPUFREQ_LEVELS(sc->dev, levels, &count);
 	if (error) {
 		if (error == E2BIG)
@@ -958,8 +960,10 @@
 	/* Get settings from the device and generate the output string. */
 	set_count = MAX_SETTINGS;
 	sets = malloc(set_count * sizeof(*sets), M_TEMP, M_NOWAIT);
-	if (sets == NULL)
+	if (sets == NULL) {
+		sbuf_delete(&sb);
 		return (ENOMEM);
+	}
 	error = CPUFREQ_DRV_SETTINGS(dev, sets, &set_count);
 	if (error)
 		goto out;


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: brueffer 
State-Changed-When: Fri Jan 8 23:59:14 CET 2010 
State-Changed-Why:  
Committed, thanks! 


Responsible-Changed-From-To: freebsd-bugs->brueffer 
Responsible-Changed-By: brueffer 
Responsible-Changed-When: Fri Jan 8 23:59:14 CET 2010 
Responsible-Changed-Why:  
MFC reminder. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128335 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/128335: commit references a PR
Date: Fri,  8 Jan 2010 22:59:03 +0000 (UTC)

 Author: brueffer
 Date: Fri Jan  8 22:58:50 2010
 New Revision: 201848
 URL: http://svn.freebsd.org/changeset/base/201848
 
 Log:
   Free allocated sbufs before returning ENOMEM.
   
   PR:		128335
   Submitted by:	Mateusz Guzik <mjguzik@gmail.com>
   MFC after:	2 week
 
 Modified:
   head/sys/kern/kern_cpu.c
 
 Modified: head/sys/kern/kern_cpu.c
 ==============================================================================
 --- head/sys/kern/kern_cpu.c	Fri Jan  8 22:56:46 2010	(r201847)
 +++ head/sys/kern/kern_cpu.c	Fri Jan  8 22:58:50 2010	(r201848)
 @@ -935,8 +935,10 @@ cpufreq_levels_sysctl(SYSCTL_HANDLER_ARG
  	/* Get settings from the device and generate the output string. */
  	count = CF_MAX_LEVELS;
  	levels = malloc(count * sizeof(*levels), M_TEMP, M_NOWAIT);
 -	if (levels == NULL)
 +	if (levels == NULL) {
 +		sbuf_delete(&sb);
  		return (ENOMEM);
 +	}
  	error = CPUFREQ_LEVELS(sc->dev, levels, &count);
  	if (error) {
  		if (error == E2BIG)
 @@ -974,8 +976,10 @@ cpufreq_settings_sysctl(SYSCTL_HANDLER_A
  	/* Get settings from the device and generate the output string. */
  	set_count = MAX_SETTINGS;
  	sets = malloc(set_count * sizeof(*sets), M_TEMP, M_NOWAIT);
 -	if (sets == NULL)
 +	if (sets == NULL) {
 +		sbuf_delete(&sb);
  		return (ENOMEM);
 +	}
  	error = CPUFREQ_DRV_SETTINGS(dev, sets, &set_count);
  	if (error)
  		goto out;
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: brueffer 
State-Changed-When: Fri Jan 22 18:08:42 CET 2010 
State-Changed-Why:  
MFCs done. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=128335 
>Unformatted:
