| Message ID | 20200902184207.479525-1-alex.dewar90@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | staging: media: atomisp: Fix error path in lm3554_probe() | expand |
On Wed, Sep 02, 2020 at 07:41:50PM +0100, Alex Dewar wrote: > The error path for lm3554_probe() contains a number of bugs, including: > * resource leaks > * jumping to error labels out of sequence > * not setting the return value appropriately > > Fix it up and give the labels more memorable names. > > This issue has existed since the code was originally contributed in > commit a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2"), > although the code was subsequently removed altogether and then > reinstated with commit ad85094b293e ("Revert "media: staging: atomisp: Remove driver""). > Almost perfect! Just a couple other leaks we should fix as well. > + ret = media_entity_pads_init(&flash->sd.entity, 0, NULL); > + if (ret) { > + dev_err(&client->dev, "error initializing media entity"); > + goto err_free_ctrl_handler; > } > > flash->sd.entity.function = MEDIA_ENT_F_FLASH; > @@ -881,20 +882,22 @@ static int lm3554_probe(struct i2c_client *client) > > timer_setup(&flash->flash_off_delay, lm3554_flash_off_delay, 0); We need to delete this timer. > > - err = lm3554_gpio_init(client); > - if (err) { > + ret = lm3554_gpio_init(client); > + if (ret) { > dev_err(&client->dev, "gpio request/direction_output fail"); > - goto fail2; > + goto err_cleanup_entity; > } > return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); If atomisp_register_i2c_module() fails then we need to call lm3554_gpio_uninit(client) and do other cleanup. > -fail2: > + > +err_cleanup_entity: > media_entity_cleanup(&flash->sd.entity); > +err_free_ctrl_handler: > v4l2_ctrl_handler_free(&flash->ctrl_handler); regards, dan carpenter
Good point about the timer! > > > > - err = lm3554_gpio_init(client); > > - if (err) { > > + ret = lm3554_gpio_init(client); > > + if (ret) { > > dev_err(&client->dev, "gpio request/direction_output fail"); > > - goto fail2; > > + goto err_cleanup_entity; > > } > > return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); > > If atomisp_register_i2c_module() fails then we need to call > lm3554_gpio_uninit(client) and do other cleanup. I'm probably showing my ignorance here, but I can't see what cleanup we need. Inside lm3554_gpio_init we have: ret = gpiod_direction_output(pdata->gpio_reset, 0); if (ret < 0) return ret; dev_info(&client->dev, "flash led reset successfully\n"); if (!pdata->gpio_strobe) return -EINVAL; ret = gpiod_direction_output(pdata->gpio_strobe, 0); if (ret < 0) return ret; I'm not sure how you "undo" a call to gpiod_direction_output, but I'm thinking you won't need to do anything because it should be ok to leave a gpio to output 0... right? Alex > > > -fail2: > > + > > +err_cleanup_entity: > > media_entity_cleanup(&flash->sd.entity); > > +err_free_ctrl_handler: > > v4l2_ctrl_handler_free(&flash->ctrl_handler); > > regards, > dan carpenter >
On Thu, Sep 03, 2020 at 04:48:41PM +0100, Alex Dewar wrote: > Good point about the timer! > > > > > > > - err = lm3554_gpio_init(client); > > > - if (err) { > > > + ret = lm3554_gpio_init(client); > > > + if (ret) { > > > dev_err(&client->dev, "gpio request/direction_output fail"); > > > - goto fail2; > > > + goto err_cleanup_entity; > > > } > > > return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); > > > > If atomisp_register_i2c_module() fails then we need to call > > lm3554_gpio_uninit(client) and do other cleanup. > > I'm probably showing my ignorance here, but I can't see what cleanup we > need. Inside lm3554_gpio_init we have: > > ret = gpiod_direction_output(pdata->gpio_reset, 0); > if (ret < 0) > return ret; > dev_info(&client->dev, "flash led reset successfully\n"); > > if (!pdata->gpio_strobe) > return -EINVAL; > > ret = gpiod_direction_output(pdata->gpio_strobe, 0); > if (ret < 0) > return ret; > > I'm not sure how you "undo" a call to gpiod_direction_output, but I'm > thinking you won't need to do anything because it should be ok to leave > a gpio to output 0... right? You're right. I wonder if there is really any need for the lm3554_gpio_uninit() function at all? It's basically the same as lm3554_gpio_init() except for the order of function calls. Probably we could just rename lm3554_gpio_init() to something like lm3554_gpio_set_default() and use it in both the probe() and remove functions()... But I don't know the code and can't test it so let's leave that for another day. We still do need to clean up if atomisp_register_i2c_module() fails though, and the timer as well so could you resend a v2? regards, dan carpenter
> You're right. I wonder if there is really any need for the > lm3554_gpio_uninit() function at all? It's basically the same as > lm3554_gpio_init() except for the order of function calls. Probably > we could just rename lm3554_gpio_init() to something like > lm3554_gpio_set_default() and use it in both the probe() and remove > functions()... I think you probably also don't want to return error values from lm3554_gpio_uninit() as it is only called on module removal, so it'd probably make more sense to just print a warning and carry on. I'll do this as a separate patch and send it to the list, though. v2 to follow... > > But I don't know the code and can't test it so let's leave that for > another day. > > We still do need to clean up if atomisp_register_i2c_module() fails > though, and the timer as well so could you resend a v2? > > regards, > dan carpenter >
diff --git a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c index 7ca7378b1859..9aad6721fc84 100644 --- a/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c +++ b/drivers/staging/media/atomisp/i2c/atomisp-lm3554.c @@ -833,7 +833,6 @@ static void *lm3554_platform_data_func(struct i2c_client *client) static int lm3554_probe(struct i2c_client *client) { - int err = 0; struct lm3554 *flash; unsigned int i; int ret; @@ -843,36 +842,38 @@ static int lm3554_probe(struct i2c_client *client) return -ENOMEM; flash->pdata = lm3554_platform_data_func(client); - if (IS_ERR(flash->pdata)) - return PTR_ERR(flash->pdata); + if (IS_ERR(flash->pdata)) { + ret = PTR_ERR(flash->pdata); + goto err_free_flash; + } v4l2_i2c_subdev_init(&flash->sd, client, &lm3554_ops); flash->sd.internal_ops = &lm3554_internal_ops; flash->sd.flags |= V4L2_SUBDEV_FL_HAS_DEVNODE; flash->mode = ATOMISP_FLASH_MODE_OFF; flash->timeout = LM3554_MAX_TIMEOUT / LM3554_TIMEOUT_STEPSIZE - 1; - ret = - v4l2_ctrl_handler_init(&flash->ctrl_handler, - ARRAY_SIZE(lm3554_controls)); + ret = v4l2_ctrl_handler_init(&flash->ctrl_handler, + ARRAY_SIZE(lm3554_controls)); if (ret) { - dev_err(&client->dev, "error initialize a ctrl_handler.\n"); - goto fail2; + dev_err(&client->dev, "error initializing ctrl_handler"); + goto err_unregister_sd; } for (i = 0; i < ARRAY_SIZE(lm3554_controls); i++) v4l2_ctrl_new_custom(&flash->ctrl_handler, &lm3554_controls[i], NULL); - if (flash->ctrl_handler.error) { - dev_err(&client->dev, "ctrl_handler error.\n"); - goto fail2; + ret = flash->ctrl_handler.error; + if (ret) { + dev_err(&client->dev, "ctrl_handler error"); + goto err_free_ctrl_handler; } flash->sd.ctrl_handler = &flash->ctrl_handler; - err = media_entity_pads_init(&flash->sd.entity, 0, NULL); - if (err) { - dev_err(&client->dev, "error initialize a media entity.\n"); - goto fail1; + ret = media_entity_pads_init(&flash->sd.entity, 0, NULL); + if (ret) { + dev_err(&client->dev, "error initializing media entity"); + goto err_free_ctrl_handler; } flash->sd.entity.function = MEDIA_ENT_F_FLASH; @@ -881,20 +882,22 @@ static int lm3554_probe(struct i2c_client *client) timer_setup(&flash->flash_off_delay, lm3554_flash_off_delay, 0); - err = lm3554_gpio_init(client); - if (err) { + ret = lm3554_gpio_init(client); + if (ret) { dev_err(&client->dev, "gpio request/direction_output fail"); - goto fail2; + goto err_cleanup_entity; } return atomisp_register_i2c_module(&flash->sd, NULL, LED_FLASH); -fail2: + +err_cleanup_entity: media_entity_cleanup(&flash->sd.entity); +err_free_ctrl_handler: v4l2_ctrl_handler_free(&flash->ctrl_handler); -fail1: +err_unregister_sd: v4l2_device_unregister_subdev(&flash->sd); +err_free_flash: kfree(flash); - - return err; + return ret; } static int lm3554_remove(struct i2c_client *client)
The error path for lm3554_probe() contains a number of bugs, including: * resource leaks * jumping to error labels out of sequence * not setting the return value appropriately Fix it up and give the labels more memorable names. This issue has existed since the code was originally contributed in commit a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2"), although the code was subsequently removed altogether and then reinstated with commit ad85094b293e ("Revert "media: staging: atomisp: Remove driver""). Addresses-Coverity: ("Resource leak") Fixes: a49d25364dfb ("staging/atomisp: Add support for the Intel IPU v2") Signed-off-by: Alex Dewar <alex.dewar90@gmail.com> --- .../media/atomisp/i2c/atomisp-lm3554.c | 47 ++++++++++--------- 1 file changed, 25 insertions(+), 22 deletions(-)