From patchwork Thu Jun 13 22:12:44 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dave X-Patchwork-Id: 2718701 Return-Path: X-Original-To: patchwork-linux-wireless@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id EAA6D9F472 for ; Thu, 13 Jun 2013 22:12:58 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 76CE82029F for ; Thu, 13 Jun 2013 22:12:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 8A35D2029B for ; Thu, 13 Jun 2013 22:12:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759364Ab3FMWMy (ORCPT ); Thu, 13 Jun 2013 18:12:54 -0400 Received: from mail-ea0-f177.google.com ([209.85.215.177]:47180 "EHLO mail-ea0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757884Ab3FMWMx (ORCPT ); Thu, 13 Jun 2013 18:12:53 -0400 Received: by mail-ea0-f177.google.com with SMTP id j14so8018028eak.22 for ; Thu, 13 Jun 2013 15:12:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=fy6T9HBSzi3NoUNVnzzPtEZhhyYLSlhti1LxLLuonfA=; b=yGNOjZyhH/F9vVGCIjI3AFqOYOit94Q0tU3PrKAPdSjUb+5ijhTdT8CXjEnWWzJwXV O+Fj/jC/ETXiyQhue3xot4U3FXiTt7ptVFnnxhDxgP+QoGjJD3ueWFdUB5J9MX4OFIaK birQMS/jAh8IQG2xuukr7tl0zJQNTyrZKG52G0N7OB7aVr2sVxalck8I2QsuNdifmKCO GkKlWIhz1sHbn9Yfsdx8gMFPft48hLFK3rmFQebvg66W01INnB/ur/ZcO2ImemPi0Kjm 1PjPfugDNus6XZUw/EBRhQTKczWaXH3JHdkfYXDvinq/8obC8EoGPPH33lEB8znk1wty 6syA== X-Received: by 10.14.38.198 with SMTP id a46mr3456292eeb.42.1371161571597; Thu, 13 Jun 2013 15:12:51 -0700 (PDT) Received: from [192.168.0.2] ([2.223.210.39]) by mx.google.com with ESMTPSA id m1sm37251419eex.17.2013.06.13.15.12.48 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 13 Jun 2013 15:12:49 -0700 (PDT) Message-ID: <51BA43DC.7050805@gmail.com> Date: Thu, 13 Jun 2013 23:12:44 +0100 From: Dave Kilroy User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6 MIME-Version: 1.0 To: Alexey Khoroshilov CC: "John W. Linville" , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: Re: [PATCH] orinoco_usb: fix memory leak in ezusb_access_ltv() when device disconnected References: <1371155171-15398-1-git-send-email-khoroshilov@ispras.ru> In-Reply-To: <1371155171-15398-1-git-send-email-khoroshilov@ispras.ru> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, T_DKIM_INVALID, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On 13/06/2013 21:26, Alexey Khoroshilov wrote: > If "device is disconnected" check occurs to be true in ezusb_access_ltv(), > it just return -ENODEV. But that means request_context is leaked since > there are no any references to it anymore. > The patch adds a call to ezusb_request_context_put() before return. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov > --- > drivers/net/wireless/orinoco/orinoco_usb.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c > index 1f9cb55..bdfe637 100644 > --- a/drivers/net/wireless/orinoco/orinoco_usb.c > +++ b/drivers/net/wireless/orinoco/orinoco_usb.c > @@ -881,7 +881,8 @@ static int ezusb_access_ltv(struct ezusb_priv *upriv, > > if (!upriv->udev) { > dbg("Device disconnected"); > - return -ENODEV; > + retval = -ENODEV; > + goto exit; > } > > if (upriv->read_urb->status != -EINPROGRESS) It looks like there is also loss of a request_context in ezusb_xmit after orinoco_process_xmit_skb fails. Something like the following should resolve it. The remaining request_context allocations look ok to me. Dave. --- Apologies, this is cut+paste from an old tree and mangled to be diff-like. Untested. Uncompiled. __le16 *tx_cntl = (__le16 *)buf; -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff a/drivers/net/wireless/orinoco/orinoco_usb.c b/drivers/net/wireless/orinoco/orinoco_usb.c --- a/drivers/net/wireless/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/orinoco/orinoco_usb.c @@ -1194,8 +1194,10 @@ static netdev_tx_t ezusb_xmit(struct sk_buff *skb, struct net_device *dev) err = orinoco_process_xmit_skb(skb, dev, priv, &tx_control, &mic[0]); - if (err) + if (err) { + ezusb_request_context_put(ctx); goto drop; + } {