[PATCH 3.16.y-ckt 115/142] can: gs_usb: fixed disconnect bug by removing erroneous use of kfree()

From: Luis Henriques
Date: Tue Mar 22 2016 - 06:53:14 EST

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 108/142] ubi: Fix out of bounds write in volume update code"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 116/142] ASoC: wm8958: Fix enum ctl accesses in a wrong type"
In reply to: Luis Henriques: "[PATCH 3.16.y-ckt 116/142] ASoC: wm8958: Fix enum ctl accesses in a wrong type"
Next in thread: Luis Henriques: "[PATCH 3.16.y-ckt 108/142] ubi: Fix out of bounds write in volume update code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.16.7-ckt26 -stable review patch. If anyone has any objections, please let me know.

---8<------------------------------------------------------------

From: Maximilain Schneider <max@xxxxxxxxxxxxxxxxx>

commit e9a2d81b1761093386a0bb8a4f51642ac785ef63 upstream.

gs_destroy_candev() erroneously calls kfree() on a struct gs_can *, which is
allocated through alloc_candev() and should instead be freed using
free_candev() alone.

The inappropriate use of kfree() causes the kernel to hang when
gs_destroy_candev() is called.

Only the struct gs_usb * which is allocated through kzalloc() should be freed
using kfree() when the device is disconnected.

Signed-off-by: Maximilian Schneider <max@xxxxxxxxxxxxxxxxx>
Signed-off-by: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
Signed-off-by: Luis Henriques <luis.henriques@xxxxxxxxxxxxx>
---
drivers/net/can/usb/gs_usb.c | 24 +++++++++++-------------
1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c
index 04b0f84612f0..047b63caa3b7 100644
--- a/drivers/net/can/usb/gs_usb.c
+++ b/drivers/net/can/usb/gs_usb.c
@@ -825,9 +825,8 @@ static struct gs_can *gs_make_candev(unsigned int channel, struct usb_interface
static void gs_destroy_candev(struct gs_can *dev)
{
unregister_candev(dev->netdev);
- free_candev(dev->netdev);
usb_kill_anchored_urbs(&dev->tx_submitted);
- kfree(dev);
+ free_candev(dev->netdev);
}

static int gs_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
@@ -910,12 +909,15 @@ static int gs_usb_probe(struct usb_interface *intf, const struct usb_device_id *
for (i = 0; i < icount; i++) {
dev->canch[i] = gs_make_candev(i, intf);
if (IS_ERR_OR_NULL(dev->canch[i])) {
+ /* save error code to return later */
+ rc = PTR_ERR(dev->canch[i]);
+
/* on failure destroy previously created candevs */
icount = i;
- for (i = 0; i < icount; i++) {
+ for (i = 0; i < icount; i++)
gs_destroy_candev(dev->canch[i]);
- dev->canch[i] = NULL;
- }
+
+ usb_kill_anchored_urbs(&dev->rx_submitted);
kfree(dev);
return rc;
}
@@ -936,16 +938,12 @@ static void gs_usb_disconnect(struct usb_interface *intf)
return;
}

- for (i = 0; i < GS_MAX_INTF; i++) {
- struct gs_can *can = dev->canch[i];
-
- if (!can)
- continue;
-
- gs_destroy_candev(can);
- }
+ for (i = 0; i < GS_MAX_INTF; i++)
+ if (dev->canch[i])
+ gs_destroy_candev(dev->canch[i]);

usb_kill_anchored_urbs(&dev->rx_submitted);
+ kfree(dev);
}

static const struct usb_device_id gs_usb_table[] = {

Next message: Luis Henriques: "[PATCH 3.16.y-ckt 108/142] ubi: Fix out of bounds write in volume update code"
Previous message: Luis Henriques: "[PATCH 3.16.y-ckt 116/142] ASoC: wm8958: Fix enum ctl accesses in a wrong type"
In reply to: Luis Henriques: "[PATCH 3.16.y-ckt 116/142] ASoC: wm8958: Fix enum ctl accesses in a wrong type"
Next in thread: Luis Henriques: "[PATCH 3.16.y-ckt 108/142] ubi: Fix out of bounds write in volume update code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]