carl9170_usb_probe() does not handle request_firmware_nowait() failure
that leads to several leaks in this case.
The patch adds all required deallocations.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/net/wireless/ath/carl9170/usb.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
index 307bc0d..3c76de1 100644
--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -1076,8 +1076,14 @@ static int carl9170_usb_probe(struct usb_interface *intf,
carl9170_set_state(ar, CARL9170_STOPPED);
- return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
+ err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
&ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
+ if (err) {
+ usb_put_dev(udev);
+ usb_put_dev(udev);
+ carl9170_free(ar);
+ }
+ return err;
}
static void carl9170_usb_disconnect(struct usb_interface *intf)
--
1.8.1.2
On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
<[email protected]> wrote:
> - return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> + err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> + if (err) {
> + usb_put_dev(udev);
> + usb_put_dev(udev);
You are doing the same free twice.
I guess you meant to also free: usb_put_dev(ar->udev)
On 28.09.2013 00:17, Fabio Estevam wrote:
> On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> <[email protected]> wrote:
>
>> - return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
>> + err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
>> &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
>> + if (err) {
>> + usb_put_dev(udev);
>> + usb_put_dev(udev);
> You are doing the same free twice.
Yes, because it was get twice.
> I guess you meant to also free: usb_put_dev(ar->udev)
udev and ar->udev are equal, so technically the patch is correct.
I agree that there is some inconsistency, but I would prefer to fix it
at usb_get_dev() side with a comment about reasons for the double get.
--
Alexey
On Thursday, October 10, 2013 01:59:52 PM John W. Linville wrote:
> On Sat, Sep 28, 2013 at 01:16:20AM -0400, Alexey Khoroshilov wrote:
> > On 28.09.2013 00:17, Fabio Estevam wrote:
> > >On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> > ><[email protected]> wrote:
> > >
> > >>- return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> > >>+ err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> > >> &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> > >>+ if (err) {
> > >>+ usb_put_dev(udev);
> > >>+ usb_put_dev(udev);
> > >You are doing the same free twice.
> > Yes, because it was get twice.
> > >I guess you meant to also free: usb_put_dev(ar->udev)
> > udev and ar->udev are equal, so technically the patch is correct.
> >
> > I agree that there is some inconsistency, but I would prefer to fix
> > it at usb_get_dev() side with a comment about reasons for the double
> > get.
>
> What is the reason for the double get?
The idea is:
One (extra) reference protects the asynchronous firmware loader callback
from disappearing "udev".
Regards,
Chr
On Sat, Sep 28, 2013 at 01:16:20AM -0400, Alexey Khoroshilov wrote:
> On 28.09.2013 00:17, Fabio Estevam wrote:
> >On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> ><[email protected]> wrote:
> >
> >>- return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> >>+ err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> >> &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> >>+ if (err) {
> >>+ usb_put_dev(udev);
> >>+ usb_put_dev(udev);
> >You are doing the same free twice.
> Yes, because it was get twice.
> >I guess you meant to also free: usb_put_dev(ar->udev)
> udev and ar->udev are equal, so technically the patch is correct.
>
> I agree that there is some inconsistency, but I would prefer to fix
> it at usb_get_dev() side with a comment about reasons for the double
> get.
What is the reason for the double get?
--
John W. Linville Someday the world will need a hero, and you
[email protected] might be all we have. Be ready.