[PATCH] USB: gadget: f_mass_storage: fix in error recovery

From: Michal Nazarewicz
Date: Wed May 12 2010 - 06:51:00 EST

Next message: Tvrtko Ursulin: "Re: 2.6.33.2 kmalloc-8 slab leaks ~512 objects per second"
Previous message: Srikar Dronamraju: "Re: [PATCH v2 7/11] Uprobes Implementation"
In reply to: Viral Mehta: "RE: [PATCH] USB: gadget: f_mass_storage: fix in fsg_common_init()error recovery"
Next in thread: Viral Mehta: "RE: [PATCH] USB: gadget: f_mass_storage: fix in error recovery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

In to places in fsg_common_init() an unconditional call to kfree()
on common was performed in error recovery which is not a valid
behaviour since fsg_common structure is not always allocated by
fsg_common_init().

To fix, the calls has been replaced with a goto to a proper error
recovery which does the correct thing.

Also, refactored fsg_common_release() function.

Signed-off-by: Michal Nazarewicz <mina86@xxxxxxxxxx>
---
On Wed, 12 May 2010 12:33:43 +0200, Viral Mehta <Viral.Mehta@xxxxxxxxxxxxxxx> wrote:
> In that case, in addition to your previous patch, below hunk is needed
>
> diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
> index f4911c0..b1648fc 100644
> --- a/drivers/usb/gadget/f_mass_storage.c
> +++ b/drivers/usb/gadget/f_mass_storage.c
> @@ -2883,15 +2883,16 @@ static void fsg_common_release(struct kref *ref)
>
> /* Beware tempting for -> do-while optimization: when in error
> * recovery nluns may be zero. */
> + if(common->luns) {
> + for (; i; --i, ++lun) {
> + device_remove_file(&lun->dev, &dev_attr_ro);
> + device_remove_file(&lun->dev, &dev_attr_file);
> + fsg_lun_close(lun);
> + device_unregister(&lun->dev);
> + }
>
> - for (; i; --i, ++lun) {
> - device_remove_file(&lun->dev, &dev_attr_ro);
> - device_remove_file(&lun->dev, &dev_attr_file);
> - fsg_lun_close(lun);
> - device_unregister(&lun->dev);
> + kfree(common->luns);
> }
> -
> - kfree(common->luns);
> if (common->free_storage_on_release)
> kfree(common);
> }

This is not entairly true but if you insist, attached is a bit
different version of your proposed chang.

drivers/usb/gadget/f_mass_storage.c | 51 +++++++++++++++++------------------
1 files changed, 25 insertions(+), 26 deletions(-)

diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
index 6cfd2f4..7d05a0b 100644
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -2742,10 +2742,8 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common,
/* Maybe allocate device-global string IDs, and patch descriptors */
if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {
rc = usb_string_id(cdev);
- if (rc < 0) {
- kfree(common);
- return ERR_PTR(rc);
- }
+ if (unlikely(rc < 0))
+ goto error_release;
fsg_strings[FSG_STRING_INTERFACE].id = rc;
fsg_intf_desc.iInterface = rc;
}
@@ -2753,9 +2751,9 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common,
/* Create the LUNs, open their backing files, and register the
* LUN devices in sysfs. */
curlun = kzalloc(nluns * sizeof *curlun, GFP_KERNEL);
- if (!curlun) {
- kfree(common);
- return ERR_PTR(-ENOMEM);
+ if (unlikely(!curlun)) {
+ rc = -ENOMEM;
+ goto error_release;
}
common->luns = curlun;

@@ -2914,11 +2912,7 @@ error_release:

static void fsg_common_release(struct kref *ref)
{
- struct fsg_common *common =
- container_of(ref, struct fsg_common, ref);
- unsigned i = common->nluns;
- struct fsg_lun *lun = common->luns;
- struct fsg_buffhd *bh;
+ struct fsg_common *common = container_of(ref, struct fsg_common, ref);

/* If the thread isn't already dead, tell it to exit now */
if (common->state != FSG_STATE_TERMINATED) {
@@ -2929,23 +2923,28 @@ static void fsg_common_release(struct kref *ref)
complete(&common->thread_notifier);
}

- /* Beware tempting for -> do-while optimization: when in error
- * recovery nluns may be zero. */
+ if (likely(common->luns)) {
+ struct fsg_lun *lun = common->luns;
+ unsigned i = common->nluns;

- for (; i; --i, ++lun) {
- device_remove_file(&lun->dev, &dev_attr_ro);
- device_remove_file(&lun->dev, &dev_attr_file);
- fsg_lun_close(lun);
- device_unregister(&lun->dev);
- }
+ /* In error recovery common->nluns may be zero. */
+ for (; i; --i, ++lun) {
+ device_remove_file(&lun->dev, &dev_attr_ro);
+ device_remove_file(&lun->dev, &dev_attr_file);
+ fsg_lun_close(lun);
+ device_unregister(&lun->dev);
+ }

- kfree(common->luns);
+ kfree(common->luns);
+ }

- i = FSG_NUM_BUFFERS;
- bh = common->buffhds;
- do {
- kfree(bh->buf);
- } while (++bh, --i);
+ {
+ struct fsg_buffhd *bh = common->buffhds;
+ unsigned i = FSG_NUM_BUFFERS;
+ do {
+ kfree(bh->buf);
+ } while (++bh, --i);
+ }

if (common->free_storage_on_release)
kfree(common);
--
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tvrtko Ursulin: "Re: 2.6.33.2 kmalloc-8 slab leaks ~512 objects per second"
Previous message: Srikar Dronamraju: "Re: [PATCH v2 7/11] Uprobes Implementation"
In reply to: Viral Mehta: "RE: [PATCH] USB: gadget: f_mass_storage: fix in fsg_common_init()error recovery"
Next in thread: Viral Mehta: "RE: [PATCH] USB: gadget: f_mass_storage: fix in error recovery"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]