Hi,
we have a g++ extension that walks over kernel code checking for violations
of the following kmalloc/free rules
1. the pointer returned by kmalloc must be checked before use.
2. If a routine aborts with an error after an allocation, it
deallocates this memory before returning.
3. The size of the allocated object is at least as large
as the size of the object the assigned pointer holds.
4. It cannot use memory after it has been freed.
There were something like 100+ violations of the first rule (I've
enclosed some at the end of the message.) The single most frequent
source of violations was the CODA_ALLOC allocation macro, which has the
unfortunate (reformatted) code:
...
ptr = (cast)vmalloc((unsigned long) size);
}
if (ptr == 0)
printk("kernel malloc returns 0 at %s:%d\n",
__FILE__,__LINE__);
memset( ptr, 0, size );
} while (0)
While this prints a helpful message on every failed allocation, the
initialization of a possible null ptr using memset is asking for
excitement.
The most common pattern of violation was a kmalloc then memset:
--------------------------------------------
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/ray_cs.c:336:
ray_attach: ERROR: memset of unchecked var 'link'!
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
memset(link, 0, sizeof(struct dev_link_t));
--------------------------------------------
There were a fair number of violations for the second rule. Currently
the extension just treats paths that return a constant < 0 as an error
path --- any memory allocated along these paths must be explicitly
deallocated. Making this more intelligent would presumably up its
effectiveness. The following is a representative example:
--------------------------------------------
/* from drivers/char/tea6300.c */
static int tea6300_attach (struct i2c_adapter *adap, int addr,
unsigned short flags, int kind)
{
struct tea6300 *tea;
struct i2c_client *client;
/* GFP_KERNEL = can sleep */
client = kmalloc (sizeof *client, GFP_KERNEL);
if (!client)
return -ENOMEM;
...
tea = kmalloc (sizeof *tea, GFP_KERNEL);
if (!tea)
lost 'client' ---> return -ENOMEM;
...
MOD_INC_USE_COUNT;
...
}
--------------------------------------------
[This code also does a MOD_INC after potentially sleeping.]
The third rule only had two errors that we could detect, but they were
sort of cute. The first swaps GFP_KERNEL and the size value:
--------------------------------------------
/u2/engler/ic/linux-2.3.99/drivers/parport/daisy.c:50:add_dev:
ERROR: allocated 7 bytes for 'newdev' need 16
/* Add a device to the discovered topology. */
static void add_dev (int devnum, struct parport *port, int daisy)
{
struct daisydev *newdev;
newdev = kmalloc (GFP_KERNEL, sizeof (struct daisydev));
if (newdev) {
--------------------------------------------
The second has a typo for the type name:
--------------------------------------------
/u2/engler/ic/linux-2.3.99/net/atm/mpc.c:169:atm_mpoa_add_qos:
ERROR: allocated 84 bytes for 'entry' need 92
struct atm_mpoa_qos *atm_mpoa_add_qos(uint32_t dst_ip, struct atm_qos *qos)
{
struct atm_mpoa_qos *entry;
/* should be sizeof (struct atm_mpoa_qos) */
entry = kmalloc(sizeof(struct atm_qos), GFP_KERNEL);
--------------------------------------------
Both are currently harmless since it looks like kmalloc allocates bytes in
powers of two with a minimum of 32 bytes.
I've enclosed a subset of the errors that turned up. If this is
something that is interesting to people, we can send a more complete
list.
Dawson
##############################################################################
CONFIRMED [NOCHECK] they check and then memset it...
/u2/engler/ic/linux-2.3.99/drivers/char/epca.c:2197:post_fep_init: ERROR: memset of unchecked var 'ch'!
if (!(ch->tmp_buf))
{
printk(KERN_ERR "POST FEP INIT : kmalloc failed for port 0x%x\n",i);
}
memset((void *)ch->tmp_buf,0,ch->txbufsize);
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/char/i2c-parport.c:77:i2c_parport_attach: ERROR: Unchecked use of malloc'd var 'b'
static void i2c_parport_attach(struct parport *port)
{
struct parport_i2c_bus *b = kmalloc(sizeof(struct parport_i2c_bus),
GFP_KERNEL);
b->i2c = parport_i2c_bus_template;
----------------------------------------------------------------------------
CONFIRMED [FREE]
CONFIRMED [FREE]
UNSURE [about the last one]
/u2/engler/ic/linux-2.3.99/drivers/block/floppy.c:3186:raw_cmd_copyin: ERROR: did not free ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/floppy.c:3181:raw_cmd_copyin: ERROR: did not free ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/floppy.c:3172:raw_cmd_copyin: ERROR: did not free ptr on error path
ptr = (struct floppy_raw_cmd *)
kmalloc(sizeof(struct floppy_raw_cmd), GFP_USER);
if (!ptr)
return -ENOMEM;
...
if (ptr->cmd_count > 33)
/* the command may now also take up the space
* initially intended for the reply & the
* reply count. Needed for long 82078 commands
* such as RESTORE, which takes ... 17 command
* bytes. Murphy's law #137: When you reserve
* 16 bytes for a structure, you'll one day
* discover that you really need 17...
*/
ptr still allocated ---> return -EINVAL;
...
if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
if (ptr->length <= 0)
ptr still allocated --> return -EINVAL;
ptr->kernel_data =(char*)fd_dma_mem_alloc(ptr->length);
fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length);
if (!ptr->kernel_data)
ptr still allocted ---> return -ENOMEM;
----------------------------------------------------------------------------
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:2083:lvm_do_lv_create: ERROR: did not free lv_ptr on error path
always allocates it:
if ((lv_ptr = kmalloc(sizeof(lv_t),GFP_KERNEL)) == NULL) {;
printk(KERN_CRIT "%s -- LV_CREATE: kmalloc error LV at line %d\n",
lvm_name, __LINE__);
return -ENOMEM;
then can bail out without freeing it.
} else {
kfree(vg_ptr->lv[l]);
vg_ptr->lv[l] = NULL;
return -EINVAL;
}
----------------------------------------------------------------------------
CONFIRMED [UNCHECK]
/u2/engler/ic/linux-2.3.99/drivers/char/pcmcia/serial_cb.c:116:serial_attach: ERROR: Unchecked use of malloc'd var 'node'
dev_node_t *node = kmalloc(sizeof(dev_node_t), GFP_KERNEL);
sprintf(node->dev_name, "ttyS%d", line);
node->major = TTY_MAJOR; node->minor = 0x40 + line;
----------------------------------------------------------------------------
CONFIRMED [UNCHECK] (actually is checked, then ignored)
/u2/engler/ic/linux-2.3.99/drivers/char/bttv.c:1566:make_clip_tab: ERROR: memset of unchecked var 'clipmap'!
fails---> if ((clipmap=vmalloc(VIDEO_CLIPMAP_SIZE))==NULL) {
/* can't clip, don't generate any risc code */
*(ro++)=cpu_to_le32(BT848_RISC_JUMP);
*(ro++)=cpu_to_le32(btv->bus_vbi_even);
*(re++)=cpu_to_le32(BT848_RISC_JUMP);
*(re++)=cpu_to_le32(btv->bus_vbi_odd);
}
if (ncr < 0) { /* bitmap was pased */
memcpy(clipmap, (unsigned char *)cr, VIDEO_CLIPMAP_SIZE);
} else { /* convert rectangular clips to a bitmap */
still used ---> memset(clipmap, 0, VIDEO_CLIPMAP_SIZE); /* clear map */
----------------------------------------------------------------------------
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/char/buz.c:204:v4l_fbuffer_alloc: ERROR: did not free mem on error path
This is going to lose buffers if you bail because memory ran out and
then retry.
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/char/pc_keyb.c:1009:psaux_init: ERROR: memset of unchecked var 'queue'!
boom:
queue = (struct aux_queue *) kmalloc(sizeof(*queue), GFP_KERNEL);
memset(queue, 0, sizeof(*queue));
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/char/qpmouse.c:349:qpmouse_init: ERROR: memset of unchecked var 'queue'!
cut&paste = boom x 2:
queue = (struct qp_queue *) kmalloc(sizeof(*queue), GFP_KERNEL);
memset(queue, 0, sizeof(*queue));
----------------------------------------------------------------------------
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/char/zr36120.c:1198:zoran_ioctl: ERROR: did not free vcp on error path
lost:
vcp = vmalloc(sizeof(struct video_clip)*(vw.clipcount+4));
if (vcp==NULL)
return -ENOMEM;
if (vw.clipcount && copy_from_user(vcp,vw.clips,sizeof(struct video_clip)*vw.clipcount))
return -EFAULT;
---------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/ray_cs.c:336:ray_attach: ERROR: memset of unchecked var 'link'!
Our favorite pattern:
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
memset(link, 0, sizeof(struct dev_link_t));
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/ray_cs.c:360:ray_attach: ERROR: memset of unchecked var 'dev'!
For more practice:
/* Allocate space for private device-specific data */
dev = kmalloc(sizeof(struct net_device), GFP_KERNEL);
memset(dev, 0, sizeof(struct net_device));
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/ray_cs.c:365:ray_attach: ERROR: memset of unchecked var 'local'!
local = kmalloc(sizeof(ray_dev_t), GFP_KERNEL);
memset(local, 0, sizeof(ray_dev_t));
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/aironet4500_cs.c:180:awc_attach: ERROR: memset of unchecked var 'link'!
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/aironet4500_cs.c:182:awc_attach: ERROR: memset of unchecked var 'link'!
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
memset(link, 0, sizeof(struct dev_link_t));
link->dev = kmalloc(sizeof(struct dev_node_t), GFP_KERNEL);
memset(link->dev, 0, sizeof(struct dev_node_t));
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/aironet4500_cs.c:202:awc_attach: ERROR: memset of unchecked var 'dev'!
dev = kmalloc(sizeof(struct net_device ), GFP_KERNEL);
memset(dev,0,sizeof(struct net_device));
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/wavelan_cs.c:4427:wavelan_attach: ERROR: memset of unchecked var 'link'!
link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
memset(link, 0, sizeof(struct dev_link_t));
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/wavelan_cs.c:4459:wavelan_attach: ERROR: memset of unchecked var 'dev'!
/* Allocate the generic data structure */
dev = kmalloc(sizeof(struct net_device), GFP_KERNEL);
memset(dev, 0x00, sizeof(struct net_device));
----------------------------------------------------------------------------
CONFIRMED [NOCHECK]
/u2/engler/ic/linux-2.3.99/drivers/net/pcmcia/wavelan_cs.c:4464:wavelan_attach: ERROR: memset of unchecked var 'lp'!
dev->priv = lp = (net_local *) kmalloc(sizeof(net_local), GFP_KERNEL);
memset(lp, 0x00, sizeof(net_local));
----------------------------------------------------------------------------
CONFIRMED [BUG]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:255:irtty_open: ERROR: did not free self on error path
This looks like a bit of a disaster: we can bail out later in the routine
after setting tty->disc_data and self->magik to IRTTY_MAGIK but before
actually setting up the values correctly.
/* First make sure we're not already connected. */
self = (struct irtty_cb *) tty->disc_data;
check
---> if (self != NULL && self->magic == IRTTY_MAGIC)
return -EEXIST;
/*
* Allocate new instance of the driver
*/
self = kmalloc(sizeof(struct irtty_cb), GFP_KERNEL);
if (self == NULL) {
printk(KERN_ERR "IrDA: Can't allocate memory for "
"IrDA control block!\n");
return -ENOMEM;
}
memset(self, 0, sizeof(struct irtty_cb));
self->tty = tty;
set disc_data
----> tty->disc_data = self;
/* Give self a name */
sprintf(name, "%s%d", tty->driver.name,
MINOR(tty->device) - tty->driver.minor_start +
tty->driver.name_base);
hashbin_insert(irtty, (queue_t *) self, (int) self, NULL);
if (tty->driver.flush_buffer)
tty->driver.flush_buffer(tty);
if (tty->ldisc.flush_buffer)
tty->ldisc.flush_buffer(tty);
set magik
----> self->magic = IRTTY_MAGIC;
self->mode = IRDA_IRLAP;
/* Allocate memory if needed */
if (self->rx_buff.truesize > 0) {
bail without memory
----> self->rx_buff.head = (__u8 *) kmalloc(self->rx_buff.truesize,
GFP_KERNEL);
if (self->rx_buff.head == NULL)
return -ENOMEM;
memset(self->rx_buff.head, 0, self->rx_buff.truesize);
}
Here's the various escape points.
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:234:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:255:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:234:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:222:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:255:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:234:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:255:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:234:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:222:irtty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/irtty.c:214:irtty_open: ERROR: did not free self on error path
-------------------------------------------------------------------------
CONFIRMED [FREE] (Seems right)
/u2/engler/ic/linux-2.3.99/drivers/net/irda/nsc-ircc.c:354:nsc_ircc_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/drivers/net/irda/nsc-ircc.c:335:nsc_ircc_open: ERROR: did not free self on error path
this looks right
rtnl_lock();
err = register_netdevice(dev);
rtnl_unlock();
if (err) {
ERROR(__FUNCTION__ "(), register_netdev() failed!\n");
return -1;
}
-------------------------------------------------------------------------
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/smc-ircc.c:210:ircc_open: ERROR: did not free self on error path
alloc-->self = kmalloc(sizeof(struct ircc_cb), GFP_KERNEL);
if (self == NULL) {
ERROR("%s, Can't allocate memory for control block!\n",
driver_name);
return -ENOMEM;
}
memset(self, 0, sizeof(struct ircc_cb));
spin_lock_init(&self->lock);
/* Need to store self somewhere */
dev_self[i] = self;
irport = irport_open(i, sir_base, config >> 4 & 0x0f);
if (!irport)
lost
---> return -ENODEV;
(it is stored in dev_self[i], but on the retry it will come in and reallocate)
-------------------------------------------------------------------------
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/toshoboe.c:836:toshoboe_open: ERROR: did not free self on error path
if (!(dev = dev_alloc("irda%d", &err))) {
ERROR(__FUNCTION__ "(), dev_alloc() failed!\n");
[self alloced as are a bunch of buffers]
---> return -ENOMEM;
}
...
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/toshoboe.c:854:toshoboe_open: ERROR: did not free self on error path
same case as nsc_ircc_open (above): you lose self and all the buffers
you allocated to it:
rtnl_lock();
err = register_netdevice(dev);
rtnl_unlock();
if (err) {
ERROR(__FUNCTION__ "(), register_netdev() failed!\n");
return -1;
}
-------------------------------------------------------------------
self = kmalloc(sizeof(struct w83977af_ir), GFP_KERNEL);
...
/* Allocate memory if needed */
self->rx_buff.head = (__u8 *) kmalloc(self->rx_buff.truesize,
GFP_KERNEL|GFP_DMA);
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/w83977af_ir.c:198:w83977af_open: ERROR: did not free self on error path
if (ret < 0) {
IRDA_DEBUG(0, __FUNCTION__ "(), can't get iobase of 0x%03x\n",
self->io.fir_base);
/* w83977af_cleanup( self); */
return -ENODEV;
}
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/w83977af_ir.c:225:w83977af_open: ERROR: did not free self on error path
if (self->rx_buff.head == NULL)
self alloced
---> return -ENOMEM;
...
self->tx_buff.head = (__u8 *) kmalloc(self->tx_buff.truesize,
GFP_KERNEL|GFP_DMA);
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/w83977af_ir.c:233:w83977af_open: ERROR: did not free self on error path
CONFIRMED [FREE]
if (self->tx_buff.head == NULL) {
kfree(self->rx_buff.head);
self allocted
---> return -ENOMEM;
}
CONFIRMED [FREE]
/u2/engler/ic/linux-2.3.99/drivers/net/irda/w83977af_ir.c:244:w83977af_open: ERROR: did not free self on error path
Lost self, self->rx_buff.head and self->tx_buff.head (especially important:
DMA buffers)
if (!(dev = dev_alloc("irda%d", &err))) {
ERROR(__FUNCTION__ "(), dev_alloc() failed!\n");
---> return -ENOMEM;
}
....
CONFIRMED [FREE] Same as nsc_ircc_open
/u2/engler/ic/linux-2.3.99/drivers/net/irda/w83977af_ir.c:262:w83977af_open: ERROR: did not free self on error path
rtnl_lock();
err = register_netdev(dev);
rtnl_unlock();
if (err) {
ERROR(__FUNCTION__ "(), register_netdev() failed!\n");
return -1;
--------------------------------------------------------------------
UNSURE
/u2/engler/ic/linux-2.3.99/drivers/net/tokenring/lanstreamer.c:686:streamer_open: ERROR: did not free streamer_priv on error path
It looks bad, but not sure.
streamer_priv->streamer_rx_ring=
kmalloc( sizeof(struct streamer_rx_desc)*
STREAMER_RX_RING_SIZE,GFP_KERNEL);
...
if (i == 0) {
printk(KERN_WARNING "%s: Not enough memory to allocate rx buffers. Adapter disabled\n", dev->name);
free_irq(dev->irq, dev);
streamer_rx_ring alloced
---> return -EIO;
}
/u2/engler/ic/linux-2.3.99/drivers/net/tokenring/lanstreamer.c:669:streamer_open: ERROR: did not free streamer_priv on error path
--------------------------------------------------------------------
[RECHECK]
These all look very suspcious --- especially since freed on some paths, but
not others.
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1725:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1720:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1725:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1720:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1685:lvm_do_vg_create: ERROR: Unchecked use of malloc'd var 'vg_ptr'
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1725:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1720:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1696:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/block/lvm.c:1692:lvm_do_vg_create: ERROR: did not free vg_ptr on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/lmc/lmc_main.c:518:lmc_ioctl: ERROR: did not free data on error path
----------------------------------------------------------------------
/u2/engler/ic/linux-2.3.99/drivers/net/wan/lmc/lmc_proto.c:106:lmc_proto_init: ERROR: Unchecked use of malloc'd var 'sc'
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx.c:508:comx_init_dev: ERROR: did not free ch on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx.c:899:comx_mkdir: ERROR: did not free dev on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx.c:889:comx_mkdir: ERROR: did not free dev on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx.c:884:comx_mkdir: ERROR: did not free dev on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/syncppp.c:1130:sppp_lcp_conf_parse_options: ERROR: Unchecked use of malloc'd var 'r'
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx-hw-comx.c:1064:comxhw_write_proc: ERROR: did not free hw on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx-hw-comx.c:1299:COMX_init: ERROR: did not free ch on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/comx-hw-comx.c:1289:COMX_init: ERROR: did not free ch on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/lapbether.c:444:lapbeth_new_device: ERROR: Unchecked use of malloc'd var 'buf'
/u2/engler/ic/linux-2.3.99/drivers/net/wan/lapbether.c:434:lapbeth_new_device: ERROR: Unchecked use of malloc'd var 'buf'
/u2/engler/ic/linux-2.3.99/drivers/net/wan/sdla.c:1215:sdla_xfer: ERROR: did not free temp on error path
/u2/engler/ic/linux-2.3.99/drivers/net/wan/sdla.c:1206:sdla_xfer: ERROR: did not free temp on error path
/u2/engler/ic/linux-2.3.99/drivers/net/appletalk/ipddp.c:245:ipddp_create: ERROR: did not free rt on error path
/u2/engler/ic/linux-2.3.99/drivers/net/skfp/skfddi.c:690:skfp_driver_init: ERROR: memset of unchecked var 'bp'!
/u2/engler/ic/linux-2.3.99/drivers/parport/daisy.c:50:add_dev: ERROR: allocated 7 bytes for 'newdev' need 16
/u2/engler/ic/linux-2.3.99/drivers/parport/probe.c:60:parse_data: ERROR: Unchecked use of malloc'd var 'txt'
/u2/engler/ic/linux-2.3.99/drivers/sound/es1370.c:2576:es1370_probe: ERROR: did not free s on error path
/u2/engler/ic/linux-2.3.99/drivers/sound/es1371.c:2775:es1371_probe: ERROR: did not free s on error path
/u2/engler/ic/linux-2.3.99/drivers/sound/esssolo1.c:2306:solo1_probe: ERROR: did not free s on error path
/u2/engler/ic/linux-2.3.99/drivers/sound/softoss.c:1117:softsyn_load_patch: ERROR: did not free patch on error path
/u2/engler/ic/linux-2.3.99/drivers/sound/sonicvibes.c:2604:sv_probe: ERROR: did not free s on error path
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/cs.c:337:register_ss_entry: ERROR: memset of unchecked var 's'!
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/cs.c:1411:pcmcia_register_client: ERROR: memset of unchecked var 's'!
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/ds.c:414:bind_request: ERROR: Unchecked use of malloc'd var 'b'
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/ds.c:414:bind_request: ERROR: Unchecked use of malloc'd var 'b'
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/ds.c:424:bind_request: ERROR: did not free driver on error path
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/ds.c:408:bind_request: ERROR: did not free driver on error path
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/ds.c:397:bind_request: ERROR: did not free driver on error path
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/bulkmem.c:232:setup_erase_request: ERROR: Unchecked use of malloc'd var 'busy'
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/bulkmem.c:363:setup_regions: ERROR: Unchecked use of malloc'd var 'r'
/u2/engler/ic/linux-2.3.99/drivers/pcmcia/rsrc_mgr.c:193:do_io_probe: ERROR: memset of unchecked var 'b'!
/u2/engler/ic/linux-2.3.99/drivers/video/matrox/matroxfb_crtc2.c:638:matroxfb_dh_regit: ERROR: memset of unchecked var 'd'!
/u2/engler/ic/linux-2.3.99/drivers/usb/usb.c:686:usb_request_bulk: ERROR: Unchecked use of malloc'd var 'awd'
/u2/engler/ic/linux-2.3.99/drivers/usb/usb.c:779:usb_request_irq: ERROR: Unchecked use of malloc'd var 'wd'
/u2/engler/ic/linux-2.3.99/drivers/usb/plusb.c:391:plusb_alloc: ERROR: did not free skb on error path
/u2/engler/ic/linux-2.3.99/drivers/usb/plusb.c:391:plusb_alloc: ERROR: did not free skb on error path
/u2/engler/ic/linux-2.3.99/drivers/usb/plusb.c:391:plusb_alloc: ERROR: did not free skb on error path
/u2/engler/ic/linux-2.3.99/drivers/usb/usb-ohci.c:487:sohci_submit_urb: ERROR: did not free urb_priv on error path
/u2/engler/ic/linux-2.3.99/drivers/usb/usb-uhci.c:653:init_skel: ERROR: did not free s on error path
/u2/engler/ic/linux-2.3.99/drivers/telephony/ixj.c:1841:ixj_record_start: ERROR: did not free j on error path
/u2/engler/ic/linux-2.3.99/drivers/telephony/ixj.c:3407:ixj_build_cadence: ERROR: did not free lcp on error path
/u2/engler/ic/linux-2.3.99/drivers/i2o/i2o_config.c:502:ioctl_html: ERROR: did not free query on error path
/u2/engler/ic/linux-2.3.99/drivers/i2o/i2o_core.c:1532:i2o_reset_controller: ERROR: did not free status on error path
/u2/engler/ic/linux-2.3.99/drivers/i2o/i2o_core.c:1615:i2o_status_get: ERROR: did not free c on error path
/u2/engler/ic/linux-2.3.99/drivers/i2o/i2o_core.c:1591:i2o_status_get: ERROR: did not free c on error path
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-cd.c:1636:cdrom_read_toc: ERROR: Unchecked use of malloc'd var 'toc'
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:626:init_irq: ERROR: memset of unchecked var 'hwgroup'!
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:725:init_gendisk: ERROR: memset of unchecked var 'gd'!
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:728:init_gendisk: ERROR: Unchecked use of malloc'd var 'bs'
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:729:init_gendisk: ERROR: Unchecked use of malloc'd var 'max_sect'
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:730:init_gendisk: ERROR: Unchecked use of malloc'd var 'max_ra'
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:744:init_gendisk: ERROR: Unchecked use of malloc'd var 'gd'
/u2/engler/ic/linux-2.3.99/drivers/ide/ide-probe.c:742:init_gendisk: ERROR: Unchecked use of malloc'd var 'gd'
/u2/engler/ic/linux-2.3.99/drivers/scsi/scsi.c:1428:scsi_build_commandblocks: ERROR: memset of unchecked var 'SCpnt'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/scsi.c:2715:scsi_get_host_dev: ERROR: memset of unchecked var 'SDpnt'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/eata_dma.c:917:get_board_data: ERROR: memset of unchecked var 'cp'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/eata_dma.c:918:get_board_data: ERROR: memset of unchecked var 'sp'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/hosts.c:740:scsi_register: ERROR: memset of unchecked var 'retval'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/hosts.c:766:scsi_register: ERROR: Unchecked use of malloc'd var 'shn'
/u2/engler/ic/linux-2.3.99/drivers/scsi/hosts.c:767:scsi_register: ERROR: Unchecked use of malloc'd var 'shn'
/u2/engler/ic/linux-2.3.99/drivers/scsi/hosts.c:768:scsi_register: ERROR: Unchecked use of malloc'd var 'shn'
/u2/engler/ic/linux-2.3.99/drivers/scsi/ide-scsi.c:670:idescsi_kmalloc_bh: ERROR: memset of unchecked var 'bh'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/ini9100u.c:367:i91u_detect: ERROR: memset of unchecked var 'tul_scb'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/ips.c:3237:ips_allocatescbs: ERROR: memset of unchecked var 'ha'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/scsi_dma.c:369:scsi_resize_dma_pool: ERROR: Using 'new_dma_malloc_freelist' after free!
/u2/engler/ic/linux-2.3.99/drivers/scsi/scsi_scan.c:302:scan_scsis: ERROR: Using 'SDpnt' illegally!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1024:sd_init: ERROR: memset of unchecked var 'rscsi_disks'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1028:sd_init: ERROR: memset of unchecked var 'sd_sizes'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1045:sd_init: ERROR: memset of unchecked var 'sd'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1055:sd_init: ERROR: memset of unchecked var 'sd_gendisks'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1059:sd_init: ERROR: memset of unchecked var 'sd_gendisks'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1055:sd_init: ERROR: memset of unchecked var 'sd_gendisks'!
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1072:sd_init: ERROR: Unchecked use of malloc'd var 'sd_gendisks'
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1051:sd_init: ERROR: Unchecked use of malloc'd var 'sd_gendisks'
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1039:sd_init: ERROR: Unchecked use of malloc'd var 'sd_blocksizes'
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1040:sd_init: ERROR: Unchecked use of malloc'd var 'sd_hardsizes'
/u2/engler/ic/linux-2.3.99/drivers/scsi/sd.c:1045:sd_init: ERROR: memset of unchecked var 'sd'!
/u2/engler/ic/linux-2.3.99/drivers/isdn/avmb1/b1pcmcia.c:211:b1pcmcia_add_card: ERROR: did not free cinfo on error path
/u2/engler/ic/linux-2.3.99/drivers/isdn/eicon/eicon_isa.c:421:eicon_isa_load: ERROR: did not free code on error path
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:1639:rx_init: ERROR: did not free dle_addr on error path
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:2129:tx_init: ERROR: Unchecked use of malloc'd var 'iadev'
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:2121:tx_init: ERROR: did not free dle_addr on error path
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:2129:tx_init: ERROR: Unchecked use of malloc'd var 'iadev'
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:2121:tx_init: ERROR: did not free dle_addr on error path
/u2/engler/ic/linux-2.3.99/drivers/atm/iphase.c:3229:ia_detect: ERROR: did not free iadev on error path
/u2/engler/ic/linux-2.3.99/drivers/atm/zatm.c:1816:zatm_detect: ERROR: Using 'zatm_dev' illegally!
/u2/engler/ic/linux-2.3.99/fs/coda/cache.c:89:coda_cache_create: ERROR: memset of unchecked var 'cc'!
/u2/engler/ic/linux-2.3.99/fs/coda/dir.c:684:coda_venus_readdir: ERROR: did not free buff on error path
/u2/engler/ic/linux-2.3.99/fs/coda/dir.c:681:coda_venus_readdir: ERROR: memset of unchecked var 'buff'!
/u2/engler/ic/linux-2.3.99/fs/coda/psdev.c:137:coda_psdev_write: ERROR: memset of unchecked var 'dcbuf'!
/u2/engler/ic/linux-2.3.99/fs/coda/psdev.c:137:coda_psdev_write: ERROR: Unchecked use of malloc'd var 'dcbuf'
------------------------------------------------------------
[These are all basically the same: snipped ~50-100 messages]
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:80:venus_rootfid: ERROR: Unchecked use of malloc'd var 'inp'
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:80:venus_rootfid: ERROR: Unchecked use of malloc'd var 'inp'
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:80:venus_rootfid: ERROR: memset of unchecked var 'inp'!
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:92:venus_rootfid: ERROR: Using 'inp' after free!
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:92:venus_rootfid: ERROR: Using 'inp' after free!
/u2/engler/ic/linux-2.3.99/fs/coda/upcall.c:270:venus_rename: ERROR: Unchecked use of malloc'd var 'inp'
----------------------------------------------------------------------
/u2/engler/ic/linux-2.3.99/fs/isofs/rock.c:541:rock_ridge_symlink_readpage: ERROR: did not free buffer on error path
/u2/engler/ic/linux-2.3.99/fs/ncpfs/ioctl.c:495:ncp_ioctl: ERROR: did not free __new on error path
/u2/engler/ic/linux-2.3.99/fs/ncpfs/ioctl.c:429:ncp_ioctl: ERROR: did not free newname on error path
/u2/engler/ic/linux-2.3.99/fs/ntfs/super.c:414:ntfs_set_bitrange: ERROR: Unchecked use of malloc'd var 'bits'
/u2/engler/ic/linux-2.3.99/fs/ufs/super.c:345:ufs_read_cylinder_structures: ERROR: Unchecked use of malloc'd var 'space'
/u2/engler/ic/linux-2.3.99/fs/udf/partition.c:165:udf_fill_spartable: ERROR: Unchecked use of malloc'd var 'sdata'
/u2/engler/ic/linux-2.3.99/fs/udf/super.c:849:udf_load_logicalvol: ERROR: memset of unchecked var 'sb'!
/u2/engler/ic/linux-2.3.99/net/core/dev_mcast.c:174:dev_mc_add: ERROR: Unchecked use of malloc'd var 'dmi1'
/u2/engler/ic/linux-2.3.99/net/core/scm.c:94:scm_fp_copy: ERROR: did not free fpl on error path
/u2/engler/ic/linux-2.3.99/net/core/scm.c:82:scm_fp_copy: ERROR: did not free fpl on error path
/u2/engler/ic/linux-2.3.99/net/sched/cls_fw.c:242:fw_change: ERROR: did not free head on error path
/u2/engler/ic/linux-2.3.99/net/sched/cls_route.c:425:route4_change: ERROR: did not free head on error path
/u2/engler/ic/linux-2.3.99/net/sched/cls_tcindex.c:293:tcindex_change: ERROR: did not free p on error path
/u2/engler/ic/linux-2.3.99/net/sched/cls_tcindex.c:293:tcindex_change: ERROR: did not free p on error path
/u2/engler/ic/linux-2.3.99/net/sched/sch_gred.c:442:gred_change: ERROR: memset of unchecked var 'table'!
/u2/engler/ic/linux-2.3.99/net/sched/sch_gred.c:374:gred_change: ERROR: memset of unchecked var 'table'!
/u2/engler/ic/linux-2.3.99/net/sched/sch_gred.c:442:gred_change: ERROR: memset of unchecked var 'table'!
/u2/engler/ic/linux-2.3.99/net/sched/sch_gred.c:524:gred_dump: ERROR: did not free opt on error path
/u2/engler/ic/linux-2.3.99/net/ipv4/fib_semantics.c:563:fib_create_info: ERROR: Using 'fi' illegally!
/u2/engler/ic/linux-2.3.99/net/ipv4/ip_options.c:513:ip_options_get: ERROR: did not free opt on error path
/u2/engler/ic/linux-2.3.99/net/ipv4/ip_options.c:502:ip_options_get: ERROR: did not free opt on error path
/u2/engler/ic/linux-2.3.99/net/ipv4/ipconfig.c:160:ic_open_devs: ERROR: did not free d on error path
/u2/engler/ic/linux-2.3.99/net/netlink/af_netlink.c:799:netlink_dump_start: ERROR: did not free cb on error path
/u2/engler/ic/linux-2.3.99/net/netlink/af_netlink.c:791:netlink_dump_start: ERROR: did not free cb on error path
/u2/engler/ic/linux-2.3.99/net/wanrouter/wanproc.c:255:router_proc_read: ERROR: did not free page on error path
/u2/engler/ic/linux-2.3.99/net/netrom/nr_route.c:142:nr_add_node: ERROR: did not free nr_neigh on error path
/u2/engler/ic/linux-2.3.99/net/netrom/nr_route.c:142:nr_add_node: ERROR: did not free nr_neigh on error path
/u2/engler/ic/linux-2.3.99/net/rose/rose_route.c:147:rose_add_node: ERROR: did not free rose_neigh on error path
/u2/engler/ic/linux-2.3.99/net/rose/rose_route.c:147:rose_add_node: ERROR: did not free rose_neigh on error path
/u2/engler/ic/linux-2.3.99/net/ax25/af_ax25.c:1261:ax25_connect: ERROR: did not free digi on error path
/u2/engler/ic/linux-2.3.99/net/ax25/af_ax25.c:1252:ax25_connect: ERROR: did not free digi on error path
/u2/engler/ic/linux-2.3.99/net/ax25/af_ax25.c:1211:ax25_connect: ERROR: did not free digi on error path
/u2/engler/ic/linux-2.3.99/net/ax25/af_ax25.c:1206:ax25_connect: ERROR: did not free digi on error path
/u2/engler/ic/linux-2.3.99/net/irda/ircomm/ircomm_tty.c:457:ircomm_tty_open: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/net/irda/af_irda.c:993:irda_create: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/net/irda/af_irda.c:989:irda_create: ERROR: did not free self on error path
/u2/engler/ic/linux-2.3.99/net/irda/irttp.c:95:irttp_init: ERROR: did not free irttp on error path
/u2/engler/ic/linux-2.3.99/net/atm/common.c:560:atm_ioctl: ERROR: did not free tmp_buf on error path
/u2/engler/ic/linux-2.3.99/net/atm/lec.c:280:lec_send_packet: ERROR: Unchecked use of malloc'd var 'nb'
/u2/engler/ic/linux-2.3.99/net/atm/mpc.c:169:atm_mpoa_add_qos: ERROR: allocated 84 bytes for 'entry' need 92
/u2/engler/ic/linux-2.3.99/net/decnet/dn_fib.c:364:dn_fib_create_info: ERROR: Using 'fi' illegally!
/u2/engler/ic/linux-2.3.99/ipc/util.c:169:ipc_alloc: ERROR: Unchecked use of malloc'd var 'out'
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Aug 15 2000 - 21:00:17 EST