diff mbox

USB: input: gtco.c: fix usb_dev leak

Message ID 1390087466-9898-1-git-send-email-khoroshilov@ispras.ru (mailing list archive)
State New, archived
Headers show

Commit Message

Alexey Khoroshilov Jan. 18, 2014, 11:24 p.m. UTC 
There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
anywhere in the driver.

The patch adds usb_get_dev() to failure handling code of gtco_probe()
and to gtco_disconnect(().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/input/tablet/gtco.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Dmitry Torokhov Jan. 21, 2014, 7:59 p.m. UTC | #1 
On Sun, Jan 19, 2014 at 03:24:26AM +0400, Alexey Khoroshilov wrote:
> There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
> anywhere in the driver.
> 
> The patch adds usb_get_dev() to failure handling code of gtco_probe()
> and to gtco_disconnect(().

Hmm, I think gtco should simply not use usb_get_dev() in the first
place.

Thanks.
Alexey Khoroshilov Jan. 27, 2014, 6:31 a.m. UTC | #2 
On 21.01.2014 23:59, Dmitry Torokhov wrote:
> On Sun, Jan 19, 2014 at 03:24:26AM +0400, Alexey Khoroshilov wrote:
>> There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
>> anywhere in the driver.
>>
>> The patch adds usb_get_dev() to failure handling code of gtco_probe()
>> and to gtco_disconnect(().
> Hmm, I think gtco should simply not use usb_get_dev() in the first
> place.
>
> Thanks.
Dear Dmitry,

Could you please clarify why usb_get_dev() not needed here?
We store reference to usb_dev in gtco structure, so we should refcount it.
What is wrong in this reasoning?

Thanks,
Alexey
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dmitry Torokhov Jan. 27, 2014, 6:54 a.m. UTC | #3 
Hi Alexey,

On Mon, Jan 27, 2014 at 10:31:36AM +0400, Alexey Khoroshilov wrote:
> On 21.01.2014 23:59, Dmitry Torokhov wrote:
> > On Sun, Jan 19, 2014 at 03:24:26AM +0400, Alexey Khoroshilov wrote:
> >> There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
> >> anywhere in the driver.
> >>
> >> The patch adds usb_get_dev() to failure handling code of gtco_probe()
> >> and to gtco_disconnect(().
> > Hmm, I think gtco should simply not use usb_get_dev() in the first
> > place.
> >
> > Thanks.
> Dear Dmitry,
> 
> Could you please clarify why usb_get_dev() not needed here?
> We store reference to usb_dev in gtco structure, so we should refcount it.
> What is wrong in this reasoning?

The lifetime of gtco structure is already directly tied to lifetime of
usb_dev: when destroying usb_dev driver core will call remove() function
of currently bound driver (in our case gtco) which will destroy gtco
memory.

Taking additional reference is not needed here.

Hope this helps.
Alexey Khoroshilov Jan. 27, 2014, 10:29 a.m. UTC | #4 
On 27.01.2014 10:54, Dmitry Torokhov wrote:
> Hi Alexey,
>
> On Mon, Jan 27, 2014 at 10:31:36AM +0400, Alexey Khoroshilov wrote:
>> On 21.01.2014 23:59, Dmitry Torokhov wrote:
>>> On Sun, Jan 19, 2014 at 03:24:26AM +0400, Alexey Khoroshilov wrote:
>>>> There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
>>>> anywhere in the driver.
>>>>
>>>> The patch adds usb_get_dev() to failure handling code of gtco_probe()
>>>> and to gtco_disconnect(().
>>> Hmm, I think gtco should simply not use usb_get_dev() in the first
>>> place.
>>>
>>> Thanks.
>> Dear Dmitry,
>>
>> Could you please clarify why usb_get_dev() not needed here?
>> We store reference to usb_dev in gtco structure, so we should refcount it.
>> What is wrong in this reasoning?
> The lifetime of gtco structure is already directly tied to lifetime of
> usb_dev: when destroying usb_dev driver core will call remove() function
> of currently bound driver (in our case gtco) which will destroy gtco
> memory.
>
> Taking additional reference is not needed here.
>
> Hope this helps.
Thank you, that helps a lot.

By the way, usb_skeleton suggests to use usb_get_dev()/usb_put_dev()
nevertheless.

Greg, may be it makes sense to fix usb_skeleton as well?

--
Alexey
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Greg Kroah-Hartman Jan. 27, 2014, 1:17 p.m. UTC | #5 
On Mon, Jan 27, 2014 at 02:29:23PM +0400, Alexey Khoroshilov wrote:
> On 27.01.2014 10:54, Dmitry Torokhov wrote:
> > Hi Alexey,
> >
> > On Mon, Jan 27, 2014 at 10:31:36AM +0400, Alexey Khoroshilov wrote:
> >> On 21.01.2014 23:59, Dmitry Torokhov wrote:
> >>> On Sun, Jan 19, 2014 at 03:24:26AM +0400, Alexey Khoroshilov wrote:
> >>>> There is usb_get_dev() in gtco_probe(), but there is no usb_put_dev()
> >>>> anywhere in the driver.
> >>>>
> >>>> The patch adds usb_get_dev() to failure handling code of gtco_probe()
> >>>> and to gtco_disconnect(().
> >>> Hmm, I think gtco should simply not use usb_get_dev() in the first
> >>> place.
> >>>
> >>> Thanks.
> >> Dear Dmitry,
> >>
> >> Could you please clarify why usb_get_dev() not needed here?
> >> We store reference to usb_dev in gtco structure, so we should refcount it.
> >> What is wrong in this reasoning?
> > The lifetime of gtco structure is already directly tied to lifetime of
> > usb_dev: when destroying usb_dev driver core will call remove() function
> > of currently bound driver (in our case gtco) which will destroy gtco
> > memory.
> >
> > Taking additional reference is not needed here.
> >
> > Hope this helps.
> Thank you, that helps a lot.
> 
> By the way, usb_skeleton suggests to use usb_get_dev()/usb_put_dev()
> nevertheless.
> 
> Greg, may be it makes sense to fix usb_skeleton as well?

Patches are always welcome.
--
To unsubscribe from this list: send the line "unsubscribe linux-input" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 29e01ab6859f..6ec8a3a04672 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -858,7 +858,7 @@  static int gtco_probe(struct usb_interface *usbinterface,
 	if (!gtco->buffer) {
 		dev_err(&usbinterface->dev, "No more memory for us buffers\n");
 		error = -ENOMEM;
-		goto err_free_devs;
+		goto err_put_usb;
 	}
 
 	/* Allocate URB for reports */
@@ -990,6 +990,8 @@  static int gtco_probe(struct usb_interface *usbinterface,
  err_free_buf:
 	usb_free_coherent(gtco->usbdev, REPORT_MAX_SIZE,
 			  gtco->buffer, gtco->buf_dma);
+ err_put_usb:
+	usb_put_dev(gtco->usbdev);
  err_free_devs:
 	input_free_device(input_dev);
 	kfree(gtco);
@@ -1013,6 +1015,7 @@  static void gtco_disconnect(struct usb_interface *interface)
 		usb_free_urb(gtco->urbinfo);
 		usb_free_coherent(gtco->usbdev, REPORT_MAX_SIZE,
 				  gtco->buffer, gtco->buf_dma);
+		usb_put_dev(gtco->usbdev);
 		kfree(gtco);
 	}