2017-04-23 11:24:42

by Pan Bian

Subject: [PATCH 1/1] usb: hub: check return value

From: Pan Bian <[email protected]>

Function usb_autopm_get_interface() will return a negative errno on
failure, and function usb_autopm_put_interface() should not be called if
it fails. However, in function usb_remove_device(), the return value of
function usb_autopm_get_interface() is not validated before calling
usb_autopm_put_interface().

Signed-off-by: Pan Bian <[email protected]>
---
drivers/usb/core/hub.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 5286bf6..9627175 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -940,16 +940,18 @@ int usb_remove_device(struct usb_device *udev)
{
struct usb_hub *hub;
struct usb_interface *intf;
+ int if_err;

if (!udev->parent) /* Can't remove a root hub */
return -EINVAL;
hub = usb_hub_to_struct_hub(udev->parent);
intf = to_usb_interface(hub->intfdev);

- usb_autopm_get_interface(intf);
+ if_err = usb_autopm_get_interface(intf);
set_bit(udev->portnum, hub->removed_bits);
hub_port_logical_disconnect(hub, udev->portnum);
- usb_autopm_put_interface(intf);
+ if (!if_err)
+ usb_autopm_put_interface(intf);
return 0;
}
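Review bot: After `if_err = usb_autopm_get_interface(intf);` the function still runs `set_bit(udev->portnum, hub->removed_bits);` and `hub_port_logical_disconnect(hub, udev->portnum);` when the get has failed, and nothing in the hunk says whether that is intended. If the logical disconnect has to proceed regardless, add a short comment above the assignment saying so. Otherwise return the error before `removed_bits` is touched, which also removes the need for the `if (!if_err)` guard around usb_autopm_put_interface().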

--
1.9.1



2017-04-24 03:55:35

by Viresh Kumar

Subject: Re: [PATCH 1/1] usb: hub: check return value

On Sun, Apr 23, 2017 at 4:52 PM, Pan Bian <[email protected]> wrote:
> From: Pan Bian <[email protected]>
>
> Function usb_autopm_get_interface() will return a negative errno on
> failure, and function usb_autopm_put_interface() should not be called if
> it fails. However, in function usb_remove_device(), the return value of
> function usb_autopm_get_interface() is not validated before calling
> usb_autopm_put_interface().
>
> Signed-off-by: Pan Bian <[email protected]>
> ---
> drivers/usb/core/hub.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
> index 5286bf6..9627175 100644
> --- a/drivers/usb/core/hub.c
> +++ b/drivers/usb/core/hub.c
> @@ -940,16 +940,18 @@ int usb_remove_device(struct usb_device *udev)
> {
> struct usb_hub *hub;
> struct usb_interface *intf;
> + int if_err;
>
> if (!udev->parent) /* Can't remove a root hub */
> return -EINVAL;
> hub = usb_hub_to_struct_hub(udev->parent);
> intf = to_usb_interface(hub->intfdev);
>
> - usb_autopm_get_interface(intf);
> + if_err = usb_autopm_get_interface(intf);

Why shouldn't we return right from here?

> set_bit(udev->portnum, hub->removed_bits);
> hub_port_logical_disconnect(hub, udev->portnum);
> - usb_autopm_put_interface(intf);
> + if (!if_err)
> + usb_autopm_put_interface(intf);
> return 0;
> }
>
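Review bot: The unchanged `return 0;` at the end of the hunk discards whatever negative value was stored in `if_err`, so a caller of usb_remove_device() sees success even when usb_autopm_get_interface() failed. If the function is meant to continue past the failure, consider at least propagating `if_err` as the return value or logging it, so that the new variable is used for more than skipping usb_autopm_put_interface().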
> --
> 1.9.1
>
>