USB: gadget: f_mass_storage: fix in error recovery
authorMichal Nazarewicz <m.nazarewicz@samsung.com>
Wed, 12 May 2010 10:51:13 +0000 (12:51 +0200)
committerGreg Kroah-Hartman <gregkh@suse.de>
Thu, 20 May 2010 20:21:45 +0000 (13:21 -0700)
In to places in fsg_common_init() an unconditional call to kfree()
on common was performed in error recovery which is not a valid
behaviour since fsg_common structure is not always allocated by
fsg_common_init().

To fix, the calls has been replaced with a goto to a proper error
recovery which does the correct thing.

Also, refactored fsg_common_release() function.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Reviewed-by: Viral Mehta <viral.mehta@lntinfotech.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
drivers/usb/gadget/f_mass_storage.c

index 6cfd2f428d38cbadc25dc35af84ea11aee207cd7..7d05a0be5c600c0bc6e3b2beaae8e25298aa7ea2 100644 (file)
@@ -2742,10 +2742,8 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common,
        /* Maybe allocate device-global string IDs, and patch descriptors */
        if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {
                rc = usb_string_id(cdev);
-               if (rc < 0) {
-                       kfree(common);
-                       return ERR_PTR(rc);
-               }
+               if (unlikely(rc < 0))
+                       goto error_release;
                fsg_strings[FSG_STRING_INTERFACE].id = rc;
                fsg_intf_desc.iInterface = rc;
        }
@@ -2753,9 +2751,9 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common,
        /* Create the LUNs, open their backing files, and register the
         * LUN devices in sysfs. */
        curlun = kzalloc(nluns * sizeof *curlun, GFP_KERNEL);
-       if (!curlun) {
-               kfree(common);
-               return ERR_PTR(-ENOMEM);
+       if (unlikely(!curlun)) {
+               rc = -ENOMEM;
+               goto error_release;
        }
        common->luns = curlun;
 
@@ -2914,11 +2912,7 @@ error_release:
 
 static void fsg_common_release(struct kref *ref)
 {
-       struct fsg_common *common =
-               container_of(ref, struct fsg_common, ref);
-       unsigned i = common->nluns;
-       struct fsg_lun *lun = common->luns;
-       struct fsg_buffhd *bh;
+       struct fsg_common *common = container_of(ref, struct fsg_common, ref);
 
        /* If the thread isn't already dead, tell it to exit now */
        if (common->state != FSG_STATE_TERMINATED) {
@@ -2929,23 +2923,28 @@ static void fsg_common_release(struct kref *ref)
                complete(&common->thread_notifier);
        }
 
-       /* Beware tempting for -> do-while optimization: when in error
-        * recovery nluns may be zero. */
+       if (likely(common->luns)) {
+               struct fsg_lun *lun = common->luns;
+               unsigned i = common->nluns;
 
-       for (; i; --i, ++lun) {
-               device_remove_file(&lun->dev, &dev_attr_ro);
-               device_remove_file(&lun->dev, &dev_attr_file);
-               fsg_lun_close(lun);
-               device_unregister(&lun->dev);
-       }
+               /* In error recovery common->nluns may be zero. */
+               for (; i; --i, ++lun) {
+                       device_remove_file(&lun->dev, &dev_attr_ro);
+                       device_remove_file(&lun->dev, &dev_attr_file);
+                       fsg_lun_close(lun);
+                       device_unregister(&lun->dev);
+               }
 
-       kfree(common->luns);
+               kfree(common->luns);
+       }
 
-       i = FSG_NUM_BUFFERS;
-       bh = common->buffhds;
-       do {
-               kfree(bh->buf);
-       } while (++bh, --i);
+       {
+               struct fsg_buffhd *bh = common->buffhds;
+               unsigned i = FSG_NUM_BUFFERS;
+               do {
+                       kfree(bh->buf);
+               } while (++bh, --i);
+       }
 
        if (common->free_storage_on_release)
                kfree(common);