From 0f2f2221b4ad816567394a52643963428fd353cd Mon Sep 17 00:00:00 2001 From: Catalin Marinas Date: Wed, 8 Jul 2009 11:17:40 +0100 Subject: Free struct device in fw_dev_release() The f_dev in _request_firmware() is allocated via the fw_setup_device() and fw_register_device() calls and its class set to firmware_class (the class release function is fw_dev_release). Commit 6acf70f078ca replaced the kfree(dev) in fw_dev_release() with a put_device() call but my understanding is that the release function is called via put_device -> kobject_put -> kref_put -> koject_release etc. and it should call kfree since it's the last to see this device structure alive. Because of that, the _request_firmware() function on its -ENOENT error path only calls device_unregister(f_dev) which would eventually call fw_dev_release() but there is no kfree (the subsequent put_device call would just make the kref negative). Signed-off-by: Catalin Marinas Acked-by: Cornelia Huck Acked-by: Ming Lei Signed-off-by: Linus Torvalds --- drivers/base/firmware_class.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'drivers/base/firmware_class.c') diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index ddeb819c8f8..fc466531260 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -357,7 +357,7 @@ static void fw_dev_release(struct device *dev) kfree(fw_priv->pages); kfree(fw_priv->fw_id); kfree(fw_priv); - put_device(dev); + kfree(dev); module_put(THIS_MODULE); } @@ -408,13 +408,11 @@ static int fw_register_device(struct device **dev_p, const char *fw_name, if (retval) { dev_err(device, "%s: device_register failed\n", __func__); put_device(f_dev); - goto error_kfree_fw_id; + return retval; } *dev_p = f_dev; return 0; -error_kfree_fw_id: - kfree(fw_priv->fw_id); error_kfree: kfree(f_dev); kfree(fw_priv); -- cgit v1.2.3-70-g09d2 From 308975fa7ab2a8e0b91186158128668c823790ce Mon Sep 17 00:00:00 2001 From: Jiri Slaby Date: Sun, 21 Jun 2009 23:57:31 +0200 Subject: Firmware: firmware_class, fix lock imbalance Add omitted unlock in firmware_data_read. Signed-off-by: Jiri Slaby Signed-off-by: Greg Kroah-Hartman --- drivers/base/firmware_class.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers/base/firmware_class.c') diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index fc466531260..f285f441fab 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -217,8 +217,10 @@ firmware_data_read(struct kobject *kobj, struct bin_attribute *bin_attr, ret_count = -ENODEV; goto out; } - if (offset > fw->size) - return 0; + if (offset > fw->size) { + ret_count = 0; + goto out; + } if (count > fw->size - offset) count = fw->size - offset; -- cgit v1.2.3-70-g09d2 From 3b4418c67a70278964b063b5e1f56dcb3d0a41f3 Mon Sep 17 00:00:00 2001 From: Ming Lei Date: Sat, 11 Jul 2009 11:11:10 +0800 Subject: driver core: firmware_class:fix memory leak of page pointers array The page pointers array is allocated in fw_realloc_buffer() called by firmware_data_write(), and should be freed in release function of firmware device. Signed-off-by: Ming Lei Reported-by: Catalin Marinas Acked-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman --- drivers/base/firmware_class.c | 1 - 1 file changed, 1 deletion(-) (limited to 'drivers/base/firmware_class.c') diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index f285f441fab..7376367bcb8 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -180,7 +180,6 @@ static ssize_t firmware_loading_store(struct device *dev, goto err; } /* Pages will be freed by vfree() */ - fw_priv->pages = NULL; fw_priv->page_array_size = 0; fw_priv->nr_pages = 0; complete(&fw_priv->completion); -- cgit v1.2.3-70-g09d2