Message ID | 20200512110930.2550-1-srinivas.kandagatla@linaro.org |
---|---|
State | New |
Series | [v2] misc: fastrpc: fix potential fastrpc_invoke_ctx leak |
On Tue 12 May 04:09 PDT 2020, Srinivas Kandagatla wrote: > fastrpc_invoke_ctx can have refcount of 2 in error path where > rpmsg_send() fails to send invoke message. decrement the refcount > properly in the error path to fix this leak. > > This also fixes below static checker warning: > > drivers/misc/fastrpc.c:990 fastrpc_internal_invoke() > warn: 'ctx->refcount.refcount.ref.counter' not decremented on lines: 990. > > Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context") > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Thanks, that looks better. Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Regards, Bjorn > --- > Changes since v1: > moved fastrpc_context_put to fastrpc_invoke_send() > > drivers/misc/fastrpc.c | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c > index 9065d3e71ff7..7939c55daceb 100644 > --- a/drivers/misc/fastrpc.c > +++ b/drivers/misc/fastrpc.c > @@ -904,6 +904,7 @@ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, > struct fastrpc_channel_ctx *cctx; > struct fastrpc_user *fl = ctx->fl; > struct fastrpc_msg *msg = &ctx->msg; > + int ret; > > cctx = fl->cctx; > msg->pid = fl->tgid; > @@ -919,7 +920,13 @@ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, > msg->size = roundup(ctx->msg_sz, PAGE_SIZE); > fastrpc_context_get(ctx); > > - return rpmsg_send(cctx->rpdev->ept, (void *)msg, sizeof(*msg)); > + ret = rpmsg_send(cctx->rpdev->ept, (void *)msg, sizeof(*msg)); > + > + if (ret) > + fastrpc_context_put(ctx); > + > + return ret; > + > } > > static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel, > -- > 2.21.0 >
diff --git a/drivers/misc/fastrpc.c b/drivers/misc/fastrpc.c index 9065d3e71ff7..7939c55daceb 100644 --- a/drivers/misc/fastrpc.c +++ b/drivers/misc/fastrpc.c @@ -904,6 +904,7 @@ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, struct fastrpc_channel_ctx *cctx; struct fastrpc_user *fl = ctx->fl; struct fastrpc_msg *msg = &ctx->msg; + int ret; cctx = fl->cctx; msg->pid = fl->tgid; @@ -919,7 +920,13 @@ static int fastrpc_invoke_send(struct fastrpc_session_ctx *sctx, msg->size = roundup(ctx->msg_sz, PAGE_SIZE); fastrpc_context_get(ctx); - return rpmsg_send(cctx->rpdev->ept, (void *)msg, sizeof(*msg)); + ret = rpmsg_send(cctx->rpdev->ept, (void *)msg, sizeof(*msg)); + + if (ret) + fastrpc_context_put(ctx); + + return ret; + } static int fastrpc_internal_invoke(struct fastrpc_user *fl, u32 kernel,
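Review bot: In the second hunk, in fastrpc_invoke_send(), nothing documents who owns the reference taken by `fastrpc_context_get(ctx)` once `rpmsg_send()` succeeds. The new `fastrpc_context_put(ctx)` under `if (ret)` balances it only on the failure path, so a one-line comment above the get, naming where the reference is dropped on success, would let a reader check the pairing without leaving the function. Two style points in the same hunk: the blank line added between `return ret;` and the closing `}` is stray and should be dropped, and the blank line between the `ret = rpmsg_send(...)` assignment and `if (ret)` separates the call from its error check, which kernel style normally keeps adjacent.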
fastrpc_invoke_ctx can have refcount of 2 in error path where rpmsg_send() fails to send invoke message. Decrement the refcount properly in the error path to fix this leak.

This also fixes below static checker warning:

drivers/misc/fastrpc.c:990 fastrpc_internal_invoke()
warn: 'ctx->refcount.refcount.ref.counter' not decremented on lines: 990.

Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
---
Changes since v1:
 moved fastrpc_context_put to fastrpc_invoke_send()

drivers/misc/fastrpc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)