The f_dev in _request_firmware() is allocated via the fw_setup_device()
and fw_register_device() calls and its class set to firmware_class (the
class release function is fw_dev_release).
Commit 6acf70f078ca replaced the kfree(dev) in fw_dev_release() with a
put_device() call but my understanding is that the release function is
called via put_device -> kobject_put -> kref_put -> kobject_release etc.
and it should call kfree since it's the last to see this device
structure alive.
Because of that, the _request_firmware() function on its -ENOENT error
path only calls device_unregister(f_dev) which would eventually call
fw_dev_release() but there is no kfree (the subsequent put_device call
would just make the kref negative).
Signed-off-by: Catalin Marinas <[email protected]>
Cc: Cornelia Huck <[email protected]>
Acked-by: Ming Lei <[email protected]>
---
drivers/base/firmware_class.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index ddeb819..fc46653 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -357,7 +357,7 @@ static void fw_dev_release(struct device *dev)
kfree(fw_priv->pages);
kfree(fw_priv->fw_id);
kfree(fw_priv);
- put_device(dev);
+ kfree(dev);
module_put(THIS_MODULE);
}
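Review bot: The restored `kfree(dev)` carries no comment explaining why the release callback frees the structure instead of dropping a reference, which is the confusion the description attributes to commit 6acf70f078ca. A one-line comment above it would guard against a repeat: `/* release() runs after the last reference is dropped: free the device here, never put_device() it */`. As the description notes, a put_device() at this point leaves the structure unfreed and pushes the kref negative. fw_dev_release() starts above this hunk, so how fw_priv is obtained from dev is not visible here.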
@@ -408,13 +408,11 @@ static int fw_register_device(struct device **dev_p, const char *fw_name,
if (retval) {
dev_err(device, "%s: device_register failed\n", __func__);
put_device(f_dev);
- goto error_kfree_fw_id;
+ return retval;
}
*dev_p = f_dev;
return 0;
-error_kfree_fw_id:
- kfree(fw_priv->fw_id);
error_kfree:
kfree(f_dev);
kfree(fw_priv);
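Review bot: The new `return retval;` after `put_device(f_dev)` hands all cleanup to fw_dev_release(), and that callback ends with `module_put(THIS_MODULE)` (first hunk), while no matching module reference is taken in the visible lines. If the caller pins the module only after fw_register_device() succeeds, a device_register() failure would drop a module reference that was never acquired, so it is worth confirming where the get happens. This path presumably also relies on fw_priv being attached to f_dev before device_register() is called, since the release callback has only `dev` to find it from. A comment on the return would make the ownership hand-off explicit: `/* put_device() ends in fw_dev_release(), which frees fw_id, fw_priv and f_dev */`. The function body starts above and continues below this hunk.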
On Wed, 08 Jul 2009 11:17:40 +0100,
Catalin Marinas <[email protected]> wrote:
> The f_dev in _request_firmware() is allocated via the fw_setup_device()
> and fw_register_device() calls and its class set to firmware_class (the
> class release function is fw_dev_release).
>
> Commit 6acf70f078ca replaced the kfree(dev) in fw_dev_release() with a
> put_device() call but my understanding is that the release function is
> called via put_device -> kobject_put -> kref_put -> koject_release etc.
> and it should call kfree since it's the last to see this device
> structure alive.
>
> Because of that, the _request_firmware() function on its -ENOENT error
> path only calls device_unregister(f_dev) which would eventually call
> fw_dev_release() but there is no kfree (the subsequent put_device call
> would just make the kref negative).
>
> Signed-off-by: Catalin Marinas <[email protected]>
> Cc: Cornelia Huck <[email protected]>
Acked-by: Cornelia Huck <[email protected]>
> Acked-by: Ming Lei <[email protected]>
> ---
> drivers/base/firmware_class.c | 6 ++----
> 1 files changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
> index ddeb819..fc46653 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -357,7 +357,7 @@ static void fw_dev_release(struct device *dev)
> kfree(fw_priv->pages);
> kfree(fw_priv->fw_id);
> kfree(fw_priv);
> - put_device(dev);
> + kfree(dev);
>
> module_put(THIS_MODULE);
> }
> @@ -408,13 +408,11 @@ static int fw_register_device(struct device **dev_p, const char *fw_name,
> if (retval) {
> dev_err(device, "%s: device_register failed\n", __func__);
> put_device(f_dev);
> - goto error_kfree_fw_id;
> + return retval;
> }
> *dev_p = f_dev;
> return 0;
>
> -error_kfree_fw_id:
> - kfree(fw_priv->fw_id);
> error_kfree:
> kfree(f_dev);
> kfree(fw_priv);
>