firewire: avoid memleak after phy config transmit failure

Use only statically allocated data for PHY config packet transmission.
With the previous incarnation, some data wouldn't be freed if the packet
transmit callback was never called.

A theoretical drawback now is that, in PCs with more than one card,
card A may complete() for a waiter on card B. But this is highly
unlikely and its impact not serious. Bus manager B may reset bus B
before the PHY config went out, but the next phy config on B should be
fine. However, with a timeout of 100ms, this situation is close to
impossible.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

+19 -35
+19 -35
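--- a/drivers/firewire/fw-transaction.c
+++ b/drivers/firewire/fw-transaction.c
@@ -22,6 +22,7 @@
 #include <linux/kernel.h>
 #include <linux/kref.h>
 #include <linux/module.h>
+#include <linux/mutex.h>
 #include <linux/init.h>
 #include <linux/interrupt.h>
 #include <linux/pci.h>
@@ -296,58 +295,41 @@
 }
 EXPORT_SYMBOL(fw_send_request);
 
-struct fw_phy_packet {
-struct fw_packet packet;
-struct completion done;
-struct kref kref;
-};
-
-static void phy_packet_release(struct kref *kref)
-{
-struct fw_phy_packet *p =
-container_of(kref, struct fw_phy_packet, kref);
-kfree(p);
-}
+static DEFINE_MUTEX(phy_config_mutex);
+static DECLARE_COMPLETION(phy_config_done);
 
 static void transmit_phy_packet_callback(struct fw_packet *packet,
 struct fw_card *card, int status)
 {
-struct fw_phy_packet *p =
-container_of(packet, struct fw_phy_packet, packet);
-
-complete(&p->done);
-kref_put(&p->kref, phy_packet_release);
+complete(&phy_config_done);
 }
+
+static struct fw_packet phy_config_packet = {
+.header_length = 8,
+.payload_length = 0,
+.speed = SCODE_100,
+.callback = transmit_phy_packet_callback,
+};
 
 void fw_send_phy_config(struct fw_card *card,
 int node_id, int generation, int gap_count)
 {
-struct fw_phy_packet *p;
 long timeout = DIV_ROUND_UP(HZ, 10);
 u32 data = PHY_IDENTIFIER(PHY_PACKET_CONFIG) |
 PHY_CONFIG_ROOT_ID(node_id) |
 PHY_CONFIG_GAP_COUNT(gap_count);
 
-p = kmalloc(sizeof(*p), GFP_KERNEL);
-if (p == NULL)
-return;
+mutex_lock(&phy_config_mutex);
 
-p->packet.header[0] = data;
-p->packet.header[1] = ~data;
-p->packet.header_length = 8;
-p->packet.payload_length = 0;
-p->packet.speed = SCODE_100;
-p->packet.generation = generation;
-p->packet.callback = transmit_phy_packet_callback;
-init_completion(&p->done);
-kref_set(&p->kref, 2);
+phy_config_packet.header[0] = data;
+phy_config_packet.header[1] = ~data;
+phy_config_packet.generation = generation;
+INIT_COMPLETION(phy_config_done);
 
-card->driver->send_request(card, &p->packet);
-timeout = wait_for_completion_timeout(&p->done, timeout);
-kref_put(&p->kref, phy_packet_release);
+card->driver->send_request(card, &phy_config_packet);
+wait_for_completion_timeout(&phy_config_done, timeout);
 
-/* will leak p if the callback is never executed */
-WARN_ON(timeout == 0);
+mutex_unlock(&phy_config_mutex);
 }
 
 void fw_flush_transactions(struct fw_card *card)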
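Review bot: In fw_send_phy_config the result of `wait_for_completion_timeout(&phy_config_done, timeout)` is now discarded, so on a timeout `phy_config_mutex` is released while the static `phy_config_packet` may still be queued in the card driver. The next caller then rewrites `header[0]`, `header[1]` and `generation` and re-arms `phy_config_done` on a packet the lower layer might still be reading, and a late callback from the first send would end the second caller's wait early. Whether a driver can hold the packet past the 100 ms timeout is not visible in this hunk. Keeping the old diagnostic makes that case observable: `timeout = wait_for_completion_timeout(&phy_config_done, timeout);` followed by `WARN_ON(timeout == 0);` before `mutex_unlock(&phy_config_mutex);`. A short comment above the three statics, saying they are shared by all cards and serialized by `phy_config_mutex`, and that the packet must not be modified while a send is outstanding, would record the invariant the commit message only implies.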