We allocate memory for 'req' with usb_alloc_urb() and then test
'if (!req || rx_submit(pnd, req, GFP_KERNEL | __GFP_COLD))'.
If we enter that branch due to '!req' then there is no problem. But if
we enter the branch due to 'req' being != 0 and the 'rx_submit()' call
being false, then we'll leak the memory we allocated.
Deal with the leak by always calling 'usb_free_urb(req)' when entering
the branch. If 'req' happens to be 0 then the call is harmless, if it
is not 0 then we free the memory we allocated but don't need.
Signed-off-by: Jesper Juhl <[email protected]>
---
drivers/net/usb/cdc-phonet.c | 1 +
1 file changed, 1 insertion(+)
Only compile tested due to lack of hardware.
diff --git a/drivers/net/usb/cdc-phonet.c b/drivers/net/usb/cdc-phonet.c
index 6461004..7d78669 100644
--- a/drivers/net/usb/cdc-phonet.c
+++ b/drivers/net/usb/cdc-phonet.c
@@ -232,6 +232,7 @@ static int usbpn_open(struct net_device *dev)
struct urb *req = usb_alloc_urb(0, GFP_KERNEL);
if (!req || rx_submit(pnd, req, GFP_KERNEL | __GFP_COLD)) {
+ usb_free_urb(req);
usbpn_close(dev);
return -ENOMEM;
}
--
1.7.11.4
--
Jesper Juhl <[email protected]> http://www.chaosbits.net/
Don't top-post http://www.catb.org/jargon/html/T/top-post.html
Plain text mails only, please.
Le mercredi 8 ao?t 2012 00:56:26 Jesper Juhl, vous avez ?crit :
> We allocate memory for 'req' with usb_alloc_urb() and then test
> 'if (!req || rx_submit(pnd, req, GFP_KERNEL | __GFP_COLD))'.
> If we enter that branch due to '!req' then there is no problem. But if
> we enter the branch due to 'req' being != 0 and the 'rx_submit()' call
> being false, then we'll leak the memory we allocated.
> Deal with the leak by always calling 'usb_free_urb(req)' when entering
> the branch. If 'req' happens to be 0 then the call is harmless, if it
> is not 0 then we free the memory we allocated but don't need.
>
> Signed-off-by: Jesper Juhl <[email protected]>
Acked-by: R?mi Denis-Courmont <[email protected]>
> ---
> drivers/net/usb/cdc-phonet.c | 1 +
> 1 file changed, 1 insertion(+)
>
> Only compile tested due to lack of hardware.
Hardware won't help you much with testing the error case anyway.
--
R?mi Denis-Courmont, looking for a job
http://www.remlab.net/
http://fi.linkedin.com/in/remidenis
From: "R?mi Denis-Courmont" <[email protected]>
Date: Wed, 8 Aug 2012 10:12:06 +0300
> Le mercredi 8 ao?t 2012 00:56:26 Jesper Juhl, vous avez ?crit :
>> We allocate memory for 'req' with usb_alloc_urb() and then test
>> 'if (!req || rx_submit(pnd, req, GFP_KERNEL | __GFP_COLD))'.
>> If we enter that branch due to '!req' then there is no problem. But if
>> we enter the branch due to 'req' being != 0 and the 'rx_submit()' call
>> being false, then we'll leak the memory we allocated.
>> Deal with the leak by always calling 'usb_free_urb(req)' when entering
>> the branch. If 'req' happens to be 0 then the call is harmless, if it
>> is not 0 then we free the memory we allocated but don't need.
>>
>> Signed-off-by: Jesper Juhl <[email protected]>
>
> Acked-by: R?mi Denis-Courmont <[email protected]>
Applied.