If p54u_load_firmware() fails, p54u_probe() does not deallocate
already allocated resources. The patch adds proper failure handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <[email protected]>
---
drivers/net/wireless/p54/p54usb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
index 6e635cfa24c8..5df74503fd4f 100644
--- a/drivers/net/wireless/p54/p54usb.c
+++ b/drivers/net/wireless/p54/p54usb.c
@@ -1053,6 +1053,10 @@ static int p54u_probe(struct usb_interface *intf,
priv->upload_fw = p54u_upload_firmware_net2280;
}
err = p54u_load_firmware(dev, intf);
+ if (err) {
+ usb_put_dev(udev);
+ p54_free_common(dev);
+ }
return err;
}
--
1.8.3.2
On 09.03.2014 02:44, Krishna Chaitanya wrote:
> On Sat, Mar 8, 2014 at 2:41 AM, Alexey Khoroshilov
> <[email protected]> wrote:
>> If p54u_load_firmware() fails, p54u_probe() does not deallocate
>> already allocated resources. The patch adds proper failure handling.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <[email protected]>
>> ---
>> drivers/net/wireless/p54/p54usb.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
>> index 6e635cfa24c8..5df74503fd4f 100644
>> --- a/drivers/net/wireless/p54/p54usb.c
>> +++ b/drivers/net/wireless/p54/p54usb.c
>> @@ -1053,6 +1053,10 @@ static int p54u_probe(struct usb_interface *intf,
>> priv->upload_fw = p54u_upload_firmware_net2280;
>> }
>> err = p54u_load_firmware(dev, intf);
>> + if (err) {
>> + usb_put_dev(udev);
>> + p54_free_common(dev);
>> + }
>> return err;
>> }
> The load_firmware puts down the reference
> in case of error. Only free is required here.
No, p54u_load_firmware() puts down reference that was got up by itself.
So we still have to put down reference got up in p54u_probe().
--
Alexey
On Sat, Mar 8, 2014 at 2:41 AM, Alexey Khoroshilov
<[email protected]> wrote:
> If p54u_load_firmware() fails, p54u_probe() does not deallocate
> already allocated resources. The patch adds proper failure handling.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
> ---
> drivers/net/wireless/p54/p54usb.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
> index 6e635cfa24c8..5df74503fd4f 100644
> --- a/drivers/net/wireless/p54/p54usb.c
> +++ b/drivers/net/wireless/p54/p54usb.c
> @@ -1053,6 +1053,10 @@ static int p54u_probe(struct usb_interface *intf,
> priv->upload_fw = p54u_upload_firmware_net2280;
> }
> err = p54u_load_firmware(dev, intf);
> + if (err) {
> + usb_put_dev(udev);
> + p54_free_common(dev);
> + }
> return err;
> }
The load_firmware puts down the reference
in case of error. Only free is required here.
On Sun, Mar 9, 2014 at 4:38 AM, Christian Lamparter
<[email protected]> wrote:
> On Sunday, March 09, 2014 04:14:32 AM Krishna Chaitanya wrote:
>> On Sat, Mar 8, 2014 at 2:41 AM, Alexey Khoroshilov
>> <[email protected]> wrote:
>> > If p54u_load_firmware() fails, p54u_probe() does not deallocate
>> > already allocated resources. The patch adds proper failure handling.
>> >
>> > Found by Linux Driver Verification project (linuxtesting.org).
>> >
>> > Signed-off-by: Alexey Khoroshilov <[email protected]>
>> > ---
>> > drivers/net/wireless/p54/p54usb.c | 4 ++++
>> > 1 file changed, 4 insertions(+)
>> >
>> > diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
>> > index 6e635cfa24c8..5df74503fd4f 100644
>> > --- a/drivers/net/wireless/p54/p54usb.c
>> > +++ b/drivers/net/wireless/p54/p54usb.c
>> > @@ -1053,6 +1053,10 @@ static int p54u_probe(struct usb_interface *intf,
>> > priv->upload_fw = p54u_upload_firmware_net2280;
>> > }
>> > err = p54u_load_firmware(dev, intf);
>> > + if (err) {
>> > + usb_put_dev(udev);
>> > + p54_free_common(dev);
>> > + }
>> > return err;
>> > }
>> The load_firmware puts down the reference
>> in case of error. Only free is required here.
> No, the put is required too... But let me explain:
>
> p54u_load_firmware calls usb_get_dev(udev) before it requests the firmware
> load. The Reason is: the firmware callback is usually run in another thread
> (usually it's pretty quick, but due to timeouts it could take up to 60 seconds
> - or at least it did when I wrote it). Therefore I found it appropriate to give
> that request callback its "reference++" as it needs the "udev" too (e.g.: for
> dev_info, dev_err and releasing the driver if the device couldn't be
> initialized).
>
Thanks Christian and Alexey, you answered my next question as well :-).
On Saturday, March 08, 2014 01:11:49 AM Alexey Khoroshilov wrote:
> If p54u_load_firmware() fails, p54u_probe() does not deallocate
> already allocated resources. The patch adds proper failure handling.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <[email protected]>
Acked-by: Christian Lamparter <[email protected]>
On Sunday, March 09, 2014 04:14:32 AM Krishna Chaitanya wrote:
> On Sat, Mar 8, 2014 at 2:41 AM, Alexey Khoroshilov
> <[email protected]> wrote:
> > If p54u_load_firmware() fails, p54u_probe() does not deallocate
> > already allocated resources. The patch adds proper failure handling.
> >
> > Found by Linux Driver Verification project (linuxtesting.org).
> >
> > Signed-off-by: Alexey Khoroshilov <[email protected]>
> > ---
> > drivers/net/wireless/p54/p54usb.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
> > index 6e635cfa24c8..5df74503fd4f 100644
> > --- a/drivers/net/wireless/p54/p54usb.c
> > +++ b/drivers/net/wireless/p54/p54usb.c
> > @@ -1053,6 +1053,10 @@ static int p54u_probe(struct usb_interface *intf,
> > priv->upload_fw = p54u_upload_firmware_net2280;
> > }
> > err = p54u_load_firmware(dev, intf);
> > + if (err) {
> > + usb_put_dev(udev);
> > + p54_free_common(dev);
> > + }
> > return err;
> > }
> The load_firmware puts down the reference
> in case of error. Only free is required here.
No, the put is required too... But let me explain:
p54u_load_firmware calls usb_get_dev(udev) before it requests the firmware
load. The Reason is: the firmware callback is usually run in another thread
(usually it's pretty quick, but due to timeouts it could take up to 60 seconds
- or at least it did when I wrote it). Therefore I found it appropriate to give
that request callback its "reference++" as it needs the "udev" too (e.g.: for
dev_info, dev_err and releasing the driver if the device couldn't be
initialized).
Regards,
Christian