[bug report] dmaengine: driver for the iop32x, iop33x, and iop13xx raid engines


 



Hello Dan Williams,

The patch c211092313b9: "dmaengine: driver for the iop32x, iop33x,
and iop13xx raid engines" from Jan 2, 2007, leads to the following
static checker warning:

	drivers/dma/iop-adma.c:1425 iop_adma_probe()
	warn: '&iop_chan->common.device_node' not removed from list

drivers/dma/iop-adma.c
  1377          spin_lock_init(&iop_chan->lock);
  1378          INIT_LIST_HEAD(&iop_chan->chain);
  1379          INIT_LIST_HEAD(&iop_chan->all_slots);
  1380          iop_chan->common.device = dma_dev;
  1381          dma_cookie_init(&iop_chan->common);
  1382          list_add_tail(&iop_chan->common.device_node, &dma_dev->channels);
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We add iop_chan->common.device_node to the dma_dev->channels list here, but

  1383  
  1384          if (dma_has_cap(DMA_MEMCPY, dma_dev->cap_mask)) {
  1385                  ret = iop_adma_memcpy_self_test(adev);
  1386                  dev_dbg(&pdev->dev, "memcpy self test returned %d\n", ret);
  1387                  if (ret)
  1388                          goto err_free_iop_chan;

if a self test fails, we jump to err_free_iop_chan with the node still on the list

  1389          }
  1390  
  1391          if (dma_has_cap(DMA_XOR, dma_dev->cap_mask)) {
  1392                  ret = iop_adma_xor_val_self_test(adev);
  1393                  dev_dbg(&pdev->dev, "xor self test returned %d\n", ret);
  1394                  if (ret)
  1395                          goto err_free_iop_chan;
  1396          }
  1397  
  1398          if (dma_has_cap(DMA_PQ, dma_dev->cap_mask) &&
  1399              dma_has_cap(DMA_PQ_VAL, dma_dev->cap_mask)) {
  1400                  #ifdef CONFIG_RAID6_PQ
  1401                  ret = iop_adma_pq_zero_sum_self_test(adev);
  1402                  dev_dbg(&pdev->dev, "pq self test returned %d\n", ret);
  1403                  #else
  1404                  /* can not test raid6, so do not publish capability */
  1405                  dma_cap_clear(DMA_PQ, dma_dev->cap_mask);
  1406                  dma_cap_clear(DMA_PQ_VAL, dma_dev->cap_mask);
  1407                  ret = 0;
  1408                  #endif
  1409                  if (ret)
  1410                          goto err_free_iop_chan;
  1411          }
  1412  
  1413          dev_info(&pdev->dev, "Intel(R) IOP: ( %s%s%s%s%s%s)\n",
  1414                   dma_has_cap(DMA_PQ, dma_dev->cap_mask) ? "pq " : "",
  1415                   dma_has_cap(DMA_PQ_VAL, dma_dev->cap_mask) ? "pq_val " : "",
  1416                   dma_has_cap(DMA_XOR, dma_dev->cap_mask) ? "xor " : "",
  1417                   dma_has_cap(DMA_XOR_VAL, dma_dev->cap_mask) ? "xor_val " : "",
  1418                   dma_has_cap(DMA_MEMCPY, dma_dev->cap_mask) ? "cpy " : "",
  1419                   dma_has_cap(DMA_INTERRUPT, dma_dev->cap_mask) ? "intr " : "");
  1420  
  1421          dma_async_device_register(dma_dev);
  1422          goto out;
  1423  
  1424   err_free_iop_chan:
  1425          kfree(iop_chan);

Then iop_chan is freed without a list_del() of common.device_node, so a
freed pointer is still on the list, leading to a use after free if the
list is walked afterwards.

  1426   err_free_dma:
  1427          dma_free_coherent(&adev->pdev->dev, plat_data->pool_size,
  1428                          adev->dma_desc_pool_virt, adev->dma_desc_pool);
  1429   err_free_adev:
  1430          kfree(adev);
  1431   out:
  1432          return ret;
  1433  }

regards,
dan carpenter


