Re: [staging:staging-next 115/274] drivers/staging/ced1401/usb1401.c:1065 Handle1401Esc() error: double unlock 'spin_lock:&pdx->stagedLock'

Alois Schloegl <alois.schloegl@xxxxxxxxx> · Mon, 22 Oct 2012 12:42:49 +0200

Hi,


Please include (Greg Smith <greg@xxxxxxxxx>) into any communication.
Greg Smith from CED noticed that there is no kfree, causing a memory 
leak, and memset() has been removed, thus tx->used was not cleared.

The patch below should fix this.

  Alois

diff --git a/ced_ioc.c b/ced_ioc.c
index 4a13c10..fe15c44 100644
--- a/ced_ioc.c
+++ b/ced_ioc.c
@@ -895,15 +895,23 @@ int GetTransfer(DEVICE_EXTENSION *pdx, 
TGET_TX_BLOCK __user *pTX)
     else
     {
         // Return the best information we have - we don't have 
physical addresses
-        TGET_TX_BLOCK tx;
-        memset(&tx, 0, sizeof(tx));         // clean out local work 
structure
-        tx.size = pdx->rTransDef[dwIdent].dwLength;
-        tx.linear = (long long)((long)pdx->rTransDef[dwIdent].lpvBuff);
-        tx.avail = GET_TX_MAXENTRIES;       // how many blocks we could 
return
-        tx.used = 1;                        // number we actually return
-        tx.entries[0].physical = (long long)(tx.linear+pdx->StagedOffset);
-        tx.entries[0].size = tx.size;
-        copy_to_user(pTX, &tx, sizeof(tx));
+        TGET_TX_BLOCK *tx;
+        tx = kzalloc(sizeof(*tx), GFP_KERNEL);
+        if (!tx) {
+                mutex_unlock(&pdx->io_mutex);
+                return -ENOMEM;
+        }
+
+        memset(tx, 0, sizeof(*tx));         // clean out local work 
structure
+        tx->size = pdx->rTransDef[dwIdent].dwLength;
+        tx->linear = (long long)((long)pdx->rTransDef[dwIdent].lpvBuff);
+        tx->avail = GET_TX_MAXENTRIES;       // how many blocks we 
could return
+        tx->used = 1;                        // number we actually return
+        tx->entries[0].physical = (long 
long)(tx->linear+pdx->StagedOffset);
+        tx->entries[0].size = tx->size;
+        iReturn = copy_to_user(pTX, tx, sizeof(*tx));
+        kfree(tx);
+        return (iReturn);
     }
     mutex_unlock(&pdx->io_mutex);
     return iReturn;




On 10/07/2012 02:56 PM, devendra.aaru wrote:
Hi, Fengguang,

On Sun, Oct 7, 2012 at 7:07 AM, Fengguang Wu<fengguang.wu@xxxxxxxxx>  wrote:
Hi Alois,

FYI, there are new smatch warnings show up in

tree:   git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git staging-next
head:   e1878957b4676a17cf398f7f5723b365e9a2ca48
commit: 2eae6bdc12f4e49b7f94f032b82d664dcf3881bc [115/274] Staging: add ced1401 USB driver


+ drivers/staging/ced1401/ced_ioc.c:898 GetTransfer() warn: 'tx' puts 3104 bytes on stack

I have a following patch to send to Greg, when the merge window closes:


 From 7d9b8485ab837bf9e0f960d090f90c6518f7e2db Mon Sep 17 00:00:00 2001
From: Devendra Naga<devendra.aaru@xxxxxxxxx>
Date: Sat, 6 Oct 2012 02:57:42 -0400
Subject: [PATCH 1/4] staging: ced1401: fix a frame size warning

gcc/sparse complain about the following:

drivers/staging/ced1401/ced_ioc.c:931:1: warning: the frame size of
4144 bytes is larger than 2048 bytes [-Wframe-larger-than=]

fix it by using a pointer of the TGET_TX_BLOCK struct

Signed-off-by: Devendra Naga<devendra.aaru@xxxxxxxxx>
---
  drivers/staging/ced1401/ced_ioc.c |   28 +++++++++++++++++-----------
  1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/drivers/staging/ced1401/ced_ioc.c
b/drivers/staging/ced1401/ced_ioc.c
index c9492ed..a136ca3 100644
--- a/drivers/staging/ced1401/ced_ioc.c
+++ b/drivers/staging/ced1401/ced_ioc.c
@@ -913,17 +913,23 @@ int GetTransfer(DEVICE_EXTENSION * pdx,
TGET_TX_BLOCK __user * pTX)
                 iReturn = U14ERR_BADAREA;
         else {
                 // Return the best information we have - we don't have
physical addresses
-               TGET_TX_BLOCK tx;
-               memset(&tx, 0, sizeof(tx));     // clean out local
work structure
-               tx.size = pdx->rTransDef[dwIdent].dwLength;
-               tx.linear = (long long)((long)pdx->rTransDef[dwIdent].lpvBuff);
-               tx.avail = GET_TX_MAXENTRIES;   // how many blocks we
could return
-               tx.used = 1;    // number we actually return
-               tx.entries[0].physical =
-                   (long long)(tx.linear + pdx->StagedOffset);
-               tx.entries[0].size = tx.size;
-
-               if (copy_to_user(pTX,&tx, sizeof(tx)))
+               TGET_TX_BLOCK *tx;
+
+               tx = kzalloc(sizeof(*tx), GFP_KERNEL);
+               if (!tx) {
+                       mutex_unlock(&pdx->io_mutex);
+                       return -ENOMEM;

+               }
+
+               tx->size = pdx->rTransDef[dwIdent].dwLength;
+               tx->linear = (long long)((long)pdx->rTransDef[dwIdent].lpvBuff);
+               tx->avail = GET_TX_MAXENTRIES;  // how many blocks we
could return
+               tx->used = 1;   // number we actually return
+               tx->entries[0].physical =
+                   (long long)(tx->linear + pdx->StagedOffset);
+               tx->entries[0].size = tx->size;
+
+               if (copy_to_user(pTX, tx, sizeof(*tx)))
                         iReturn = -EFAULT;
         }
         mutex_unlock(&pdx->io_mutex);

0-DAY kernel build testing backend         Open Source Technology Center
Fengguang Wu, Yuanhan Liu                              Intel Corporation

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel


Thanks,

--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html





