| Message ID | 20190312061628.13869-1-kjlu@umn.edu (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Jiri Kosina |
| Headers | show |
| Series | [v2] hid: logitech: check the return value of create_singlethread_workqueue | expand |
On Tue, 12 Mar 2019 01:16:28 -0500 Kangjie Lu <kjlu@umn.edu> wrote: > create_singlethread_workqueue may fail and return NULL. The fix > checks if it is NULL to avoid NULL pointer dereference. > Also, the fix moves the call of create_singlethread_workqueue > earlier to avoid resource-release issues. > > Signed-off-by: Kangjie Lu <kjlu@umn.edu> So I don't know this code at all, but... > drivers/hid/hid-logitech-hidpp.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c > index 15ed6177a7a3..1b7c336cae6d 100644 > --- a/drivers/hid/hid-logitech-hidpp.c > +++ b/drivers/hid/hid-logitech-hidpp.c > @@ -2106,6 +2106,12 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) > data = kzalloc(sizeof(*data), GFP_KERNEL); > if (!data) > return -ENOMEM; > + > + /* init the hardware command queue */ > + data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); > + if (!data->wq) > + return -ENOMEM; It's clear just from the diff that this return will leak 'data'. You also break the error handling just below: > data->effect_ids = kcalloc(num_slots, sizeof(int), GFP_KERNEL); > if (!data->effect_ids) { > kfree(data); It's also worth asking: how are you testing these error path changes? Thanks, jon
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c index 15ed6177a7a3..1b7c336cae6d 100644 --- a/drivers/hid/hid-logitech-hidpp.c +++ b/drivers/hid/hid-logitech-hidpp.c @@ -2106,6 +2106,12 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) data = kzalloc(sizeof(*data), GFP_KERNEL); if (!data) return -ENOMEM; + + /* init the hardware command queue */ + data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); + if (!data->wq) + return -ENOMEM; + data->effect_ids = kcalloc(num_slots, sizeof(int), GFP_KERNEL); if (!data->effect_ids) { kfree(data); @@ -2154,8 +2160,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 feature_index) data->gain = error ? 0xffff : get_unaligned_be16(&response.fap.params[0]); /* ignore boost value at response.fap.params[2] */ - /* init the hardware command queue */ - data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue"); atomic_set(&data->workqueue_size, 0); /* initialize with zero autocenter to get wheel in usable state */
create_singlethread_workqueue may fail and return NULL. The fix checks if it is NULL to avoid NULL pointer dereference. Also, the fix moves the call of create_singlethread_workqueue earlier to avoid resource-release issues. Signed-off-by: Kangjie Lu <kjlu@umn.edu> --- drivers/hid/hid-logitech-hidpp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)