Subject: Re: [PATCH] USB: whci-hcd: add more checks for dma mapping error
To: Alexey Khoroshilov, Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
From: Vladimir Zapolskiy
Message-ID: <56F5D5D0.8020505@mleia.com>
Date: Sat, 26 Mar 2016 02:20:32 +0200

On 26.03.2016 00:56, Alexey Khoroshilov wrote:
> On 26.03.2016 01:03, Vladimir Zapolskiy wrote:
>> On 25.03.2016 22:23, Alexey Khoroshilov wrote:
>>> Fixing checks for dma mapping error in qset_fill_page_list(),
>>> I have missed two similar problems in qset_add_urb_sg() and
>>> in qset_add_urb_sg_linearize().
>>>
>>> Found by Linux Driver Verification project (linuxtesting.org).
>>>
>>> Signed-off-by: Alexey Khoroshilov
>>> --- >>> drivers/usb/host/whci/qset.c | 6 +++++- >>> 1 file changed, 5 insertions(+), 1 deletion(-) >>> >>> diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c >>> index 1a8e960d073b..a8e9b618e643 100644 >>> --- a/drivers/usb/host/whci/qset.c 
>>> +++ b/drivers/usb/host/whci/qset.c >>> @@ -535,9 +535,11 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u >>> list_for_each_entry(std, &qset->stds, list_node) { >>> if (std->ntds_remaining == -1) { >>> pl_len = std->num_pointers * sizeof(struct whc_page_list_entry); >>> - std->ntds_remaining = ntds--; >>> std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt, >>> pl_len, DMA_TO_DEVICE); >>> + if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr)) >>> + return -EFAULT;
>>
>> Resources are leaked on error path:
>> * std->pl_virt -- most probably, at least it is freed on error path above,
>> * dma mappings done in a loop before met error,
>>
>
> As far as I can see, it is not the case.
> If qset_add_urb_sg() returns error code, the caller (qset_add_urb())
> invokes qset_free_stds() that performs all resource deallocations.

Ok, but qset_free_std() lacks dma_mapping_error() check for mappings,
will it try to unmap a nonexistent/invalid mapping?

> As for the error path above, I consider it as a typical krealloc()
> pattern, since it does not free memory allocated at previous iterations
> of the cycle.
>

The dynamically (re-)allocated memory is freed by qset_free_std(), that said
kfree() and pointer assignment to NULL in qset_add_urb_sg() error path may
be removed IMHO.

--
With best wishes,
Vladimir
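
Review bot: In the qset_add_urb_sg() hunk, the new early return leaves std->dma_addr holding the failed dma_map_single() result, and the quoted lines show nothing that marks this std as unmapped for the code that later frees it. Either map into a local dma_addr_t and store it in std->dma_addr only after dma_mapping_error() passes, or reset the field before returning, so the cleanup path never hands the invalid handle to an unmap call. The return value is also worth a second look: -EFAULT conventionally reports a bad user-space address, and -ENOMEM describes a failed mapping more accurately.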