carl9170: fix leaks at failure path in carl9170_usb_probe()

Commit Message

Alexey Khoroshilov Sept. 28, 2013, 3:51 a.m. UTC

carl9170_usb_probe() does not handle request_firmware_nowait() failure
that leads to several leaks in this case.
The patch adds all required deallocations.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/net/wireless/ath/carl9170/usb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Fabio Estevam Sept. 28, 2013, 4:17 a.m. UTC | #1

On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
<khoroshilov@ispras.ru> wrote:

> -       return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> +       err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
>                 &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> +       if (err) {
> +               usb_put_dev(udev);
> +               usb_put_dev(udev);

You are doing the same free twice.

I guess you meant to also free: usb_put_dev(ar->udev)
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Alexey Khoroshilov Sept. 28, 2013, 5:16 a.m. UTC | #2

On 28.09.2013 00:17, Fabio Estevam wrote:
> On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> <khoroshilov@ispras.ru> wrote:
>
>> -       return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
>> +       err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
>>                  &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
>> +       if (err) {
>> +               usb_put_dev(udev);
>> +               usb_put_dev(udev);
> You are doing the same free twice.
Yes, because it was get twice.
> I guess you meant to also free: usb_put_dev(ar->udev)
udev and ar->udev are equal, so technically the patch is correct.

I agree that there is some inconsistency, but I would prefer to fix it 
at usb_get_dev() side with a comment about reasons for the double get.

--
Alexey

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

John W. Linville Oct. 10, 2013, 5:59 p.m. UTC | #3

On Sat, Sep 28, 2013 at 01:16:20AM -0400, Alexey Khoroshilov wrote:
> On 28.09.2013 00:17, Fabio Estevam wrote:
> >On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> ><khoroshilov@ispras.ru> wrote:
> >
> >>-       return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> >>+       err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> >>                 &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> >>+       if (err) {
> >>+               usb_put_dev(udev);
> >>+               usb_put_dev(udev);
> >You are doing the same free twice.
> Yes, because it was get twice.
> >I guess you meant to also free: usb_put_dev(ar->udev)
> udev and ar->udev are equal, so technically the patch is correct.
> 
> I agree that there is some inconsistency, but I would prefer to fix
> it at usb_get_dev() side with a comment about reasons for the double
> get.

What is the reason for the double get?

Christian Lamparter Oct. 10, 2013, 6:17 p.m. UTC | #4

On Thursday, October 10, 2013 01:59:52 PM John W. Linville wrote:
> On Sat, Sep 28, 2013 at 01:16:20AM -0400, Alexey Khoroshilov wrote:
> > On 28.09.2013 00:17, Fabio Estevam wrote:
> > >On Sat, Sep 28, 2013 at 12:51 AM, Alexey Khoroshilov
> > ><khoroshilov@ispras.ru> wrote:
> > >
> > >>-       return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> > >>+       err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
> > >>                 &ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
> > >>+       if (err) {
> > >>+               usb_put_dev(udev);
> > >>+               usb_put_dev(udev);
> > >You are doing the same free twice.
> > Yes, because it was get twice.
> > >I guess you meant to also free: usb_put_dev(ar->udev)
> > udev and ar->udev are equal, so technically the patch is correct.
> > 
> > I agree that there is some inconsistency, but I would prefer to fix
> > it at usb_get_dev() side with a comment about reasons for the double
> > get.
> 
> What is the reason for the double get?

The idea is:
One (extra) reference protects the asynchronous firmware loader callback
from disappearing "udev".

Regards,
Chr
 
 
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/drivers/net/wireless/ath/carl9170/usb.c b/drivers/net/wireless/ath/carl9170/usb.c
index 307bc0d..3c76de1 100644
--- a/drivers/net/wireless/ath/carl9170/usb.c
+++ b/drivers/net/wireless/ath/carl9170/usb.c
@@ -1076,8 +1076,14 @@  static int carl9170_usb_probe(struct usb_interface *intf,
 
 	carl9170_set_state(ar, CARL9170_STOPPED);
 
-	return request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
+	err = request_firmware_nowait(THIS_MODULE, 1, CARL9170FW_NAME,
 		&ar->udev->dev, GFP_KERNEL, ar, carl9170_usb_firmware_step2);
+	if (err) {
+		usb_put_dev(udev);
+		usb_put_dev(udev);
+		carl9170_free(ar);
+	}
+	return err;
 }
 
 static void carl9170_usb_disconnect(struct usb_interface *intf)