From: Alexey Khoroshilov <khoroshilov@ispras.ru>
To: Vladimir Zapolskiy <vz@mleia.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
ldv-project@linuxtesting.org
Subject: Re: [PATCH] USB: whci-hcd: add more checks for dma mapping error
Date: Sat, 26 Mar 2016 01:56:52 +0300 [thread overview]
Message-ID: <56F5C234.3070606@ispras.ru> (raw)
In-Reply-To: <56F5B59C.3050001@mleia.com>
On 26.03.2016 01:03, Vladimir Zapolskiy wrote:
> On 25.03.2016 22:23, Alexey Khoroshilov wrote:
>> Fixing checks for dma mapping error in qset_fill_page_list(),
>> I have missed two similar problems in qset_add_urb_sg() and
>> in qset_add_urb_sg_linearize().
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
>> ---
>> drivers/usb/host/whci/qset.c | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
>> index 1a8e960d073b..a8e9b618e643 100644
>> --- a/drivers/usb/host/whci/qset.c
>> +++ b/drivers/usb/host/whci/qset.c
>> @@ -535,9 +535,11 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
>> list_for_each_entry(std, &qset->stds, list_node) {
>> if (std->ntds_remaining == -1) {
>> pl_len = std->num_pointers * sizeof(struct whc_page_list_entry);
>> - std->ntds_remaining = ntds--;
>> std->dma_addr = dma_map_single(whc->wusbhc.dev, std->pl_virt,
>> pl_len, DMA_TO_DEVICE);
>> + if (dma_mapping_error(whc->wusbhc.dev, std->dma_addr))
>> + return -EFAULT;
>
> Resources are leaked on error path:
> * std->pl_virt -- most probably, at least it is freed on error path above,
> * dma mappings done in a loop before met error,
>
As far as I can see, it is not the case.
If qset_add_urb_sg() returns error code, the caller (qset_add_urb())
invokes qset_free_stds() that performs all resource deallocations.
As for the error path above, I consider it as a typical krealloc()
pattern, since it does not frees memory allocated at previous iterations
of the cycle.
Thank you,
Alexey
next prev parent reply other threads:[~2016-03-25 22:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-25 20:23 [PATCH] USB: whci-hcd: add more checks for dma mapping error Alexey Khoroshilov
2016-03-25 22:03 ` Vladimir Zapolskiy
2016-03-25 22:56 ` Alexey Khoroshilov [this message]
2016-03-26 0:20 ` Vladimir Zapolskiy
2016-03-26 19:42 ` [PATCH v2] " Alexey Khoroshilov
2016-03-30 7:48 ` Vladimir Zapolskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56F5C234.3070606@ispras.ru \
--to=khoroshilov@ispras.ru \
--cc=gregkh@linuxfoundation.org \
--cc=ldv-project@linuxtesting.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=vz@mleia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.