mtd: nxp-spifi: decrement flash_np refcnt on error paths

Message ID	1525812456-25877-1-git-send-email-khoroshilov@ispras.ru
State	Changes Requested
Headers	show Return-Path: <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Alexey Khoroshilov <khoroshilov@ispras.ru> To: Joachim Eastwood <manabian@gmail.com>, Marek Vasut <marek.vasut@gmail.com>, David Woodhouse <dwmw2@infradead.org>, Brian Norris <computersforpeace@gmail.com>, Boris Brezillon <boris.brezillon@bootlin.com> Subject: [PATCH] mtd: nxp-spifi: decrement flash_np refcnt on error paths Date: Tue, 8 May 2018 23:47:36 +0300 Message-Id: <1525812456-25877-1-git-send-email-khoroshilov@ispras.ru> summary: Content analysis details: (-0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [83.149.199.45 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record Precedence: list Cc: ldv-project@linuxtesting.org, sil2review@lists.osadl.org, Richard Weinberger <richard@nod.at>, linux-kernel@vger.kernel.org, Julia Lawall <julia.lawall@lip6.fr>, linux-mtd@lists.infradead.org, Alexey Khoroshilov <khoroshilov@ispras.ru>, linux-arm-kernel@lists.infradead.org MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org> Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org
Series	mtd: nxp-spifi: decrement flash_np refcnt on error paths \| expand mtd: nxp-spifi: decrement flash_np refcnt on error paths

Message ID

1525812456-25877-1-git-send-email-khoroshilov@ispras.ru

State

Changes Requested

Headers

From: Alexey Khoroshilov <khoroshilov@ispras.ru>
To: Joachim Eastwood <manabian@gmail.com>,
	Marek Vasut <marek.vasut@gmail.com>, 
	David Woodhouse <dwmw2@infradead.org>,
	Brian Norris <computersforpeace@gmail.com>,
	Boris Brezillon <boris.brezillon@bootlin.com>
Subject: [PATCH] mtd: nxp-spifi: decrement flash_np refcnt on error paths
Date: Tue,  8 May 2018 23:47:36 +0300
Message-Id: <1525812456-25877-1-git-send-email-khoroshilov@ispras.ru>
Precedence: list
Cc: ldv-project@linuxtesting.org, sil2review@lists.osadl.org,
	Richard Weinberger <richard@nod.at>, linux-kernel@vger.kernel.org,
	Julia Lawall <julia.lawall@lip6.fr>, linux-mtd@lists.infradead.org,
	Alexey Khoroshilov <khoroshilov@ispras.ru>,
	linux-arm-kernel@lists.infradead.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org>
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Series

mtd: nxp-spifi: decrement flash_np refcnt on error paths | expand

Commit Message

Alexey Khoroshilov May 8, 2018, 8:47 p.m. UTC

nxp_spifi_probe() increments refcnt of SPI flash device node by
of_get_next_available_child() and then it passes the node
to mtd device in nxp_spifi_setup_flash().
But if a failure happens before mtd_device_register() succeed,
the refcnt is left undecremented.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/mtd/spi-nor/nxp-spifi.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

Comments

Boris Brezillon May 9, 2018, 9:42 a.m. UTC | #1

On Tue,  8 May 2018 23:47:36 +0300
Alexey Khoroshilov <khoroshilov@ispras.ru> wrote:

> nxp_spifi_probe() increments refcnt of SPI flash device node by
> of_get_next_available_child() and then it passes the node
> to mtd device in nxp_spifi_setup_flash().
> But if a failure happens before mtd_device_register() succeed,
> the refcnt is left undecremented.

Why not doing that in the error path of the probe function? Also, you
probably want to call of_node_put() in the ->remove() function.

> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
> ---
>  drivers/mtd/spi-nor/nxp-spifi.c | 16 +++++++++++-----
>  1 file changed, 11 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/mtd/spi-nor/nxp-spifi.c b/drivers/mtd/spi-nor/nxp-spifi.c
> index 15374216d4d9..8919e31f2ab8 100644
> --- a/drivers/mtd/spi-nor/nxp-spifi.c
> +++ b/drivers/mtd/spi-nor/nxp-spifi.c
> @@ -294,7 +294,8 @@ static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
>  			break;
>  		default:
>  			dev_err(spifi->dev, "unsupported rx-bus-width\n");
> -			return -EINVAL;
> +			ret = -EINVAL;
> +			goto err_node_put;
>  		}
>  	}
>  
> @@ -328,7 +329,8 @@ static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
>  		break;
>  	default:
>  		dev_err(spifi->dev, "only mode 0 and 3 supported\n");
> -		return -EINVAL;
> +		ret = -EINVAL;
> +		goto err_node_put;
>  	}
>  
>  	writel(ctrl, spifi->io_base + SPIFI_CTRL);
> @@ -356,22 +358,26 @@ static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
>  	ret = spi_nor_scan(&spifi->nor, NULL, &hwcaps);
>  	if (ret) {
>  		dev_err(spifi->dev, "device scan failed\n");
> -		return ret;
> +		goto err_node_put;
>  	}
>  
>  	ret = nxp_spifi_setup_memory_cmd(spifi);
>  	if (ret) {
>  		dev_err(spifi->dev, "memory command setup failed\n");
> -		return ret;
> +		goto err_node_put;
>  	}
>  
>  	ret = mtd_device_register(&spifi->nor.mtd, NULL, 0);
>  	if (ret) {
>  		dev_err(spifi->dev, "mtd device parse failed\n");
> -		return ret;
> +		goto err_node_put;
>  	}
>  
>  	return 0;
> +
> +err_node_put:
> +	of_node_put(np);
> +	return ret;
>  }
>  
>  static int nxp_spifi_probe(struct platform_device *pdev)

Alexey Khoroshilov May 9, 2018, 2:35 p.m. UTC | #2

On 09.05.2018 12:42, Boris Brezillon wrote:
> On Tue,  8 May 2018 23:47:36 +0300
> Alexey Khoroshilov <khoroshilov@ispras.ru> wrote:
> 
>> nxp_spifi_probe() increments refcnt of SPI flash device node by
>> of_get_next_available_child() and then it passes the node
>> to mtd device in nxp_spifi_setup_flash().
>> But if a failure happens before mtd_device_register() succeed,
>> the refcnt is left undecremented.
> 
> Why not doing that in the error path of the probe function? Also, you
> probably want to call of_node_put() in the ->remove() function.
> 

You are right.

I believed that after successful mtd_device_register()
the node is managed by mtd device. I missed that it calls of_node_get()
in add_mtd_device() by itself.

I will prepare v2.
But I guess there is no need to have of_node_put() in ->remove(), since
probe() finishes its own usage of flash_np, while mtd_device incremented
refcnt by itself and will decrement it in ->remove() in
mtd_device_unregister(&spifi->nor.mtd). So, I would propose
of_node_put() on both successful and error path.

Thank you,
Alexey

Boris Brezillon May 9, 2018, 2:39 p.m. UTC | #3

On Wed, 9 May 2018 17:35:41 +0300
Alexey Khoroshilov <khoroshilov@ispras.ru> wrote:

> On 09.05.2018 12:42, Boris Brezillon wrote:
> > On Tue,  8 May 2018 23:47:36 +0300
> > Alexey Khoroshilov <khoroshilov@ispras.ru> wrote:
> >   
> >> nxp_spifi_probe() increments refcnt of SPI flash device node by
> >> of_get_next_available_child() and then it passes the node
> >> to mtd device in nxp_spifi_setup_flash().
> >> But if a failure happens before mtd_device_register() succeed,
> >> the refcnt is left undecremented.  
> > 
> > Why not doing that in the error path of the probe function? Also, you
> > probably want to call of_node_put() in the ->remove() function.
> >   
> 
> 
> You are right.
> 
> I believed that after successful mtd_device_register()
> the node is managed by mtd device. I missed that it calls of_node_get()
> in add_mtd_device() by itself.
> 
> I will prepare v2.
> But I guess there is no need to have of_node_put() in ->remove(), since
> probe() finishes its own usage of flash_np, while mtd_device incremented
> refcnt by itself and will decrement it in ->remove() in
> mtd_device_unregister(&spifi->nor.mtd). So, I would propose
> of_node_put() on both successful and error path.

Sounds good.

diff --git a/drivers/mtd/spi-nor/nxp-spifi.c b/drivers/mtd/spi-nor/nxp-spifi.c
index 15374216d4d9..8919e31f2ab8 100644
--- a/drivers/mtd/spi-nor/nxp-spifi.c
+++ b/drivers/mtd/spi-nor/nxp-spifi.c
@@ -294,7 +294,8 @@  static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
 			break;
 		default:
 			dev_err(spifi->dev, "unsupported rx-bus-width\n");
-			return -EINVAL;
+			ret = -EINVAL;
+			goto err_node_put;
 		}
 	}
 
@@ -328,7 +329,8 @@  static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
 		break;
 	default:
 		dev_err(spifi->dev, "only mode 0 and 3 supported\n");
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_node_put;
 	}
 
 	writel(ctrl, spifi->io_base + SPIFI_CTRL);
@@ -356,22 +358,26 @@  static int nxp_spifi_setup_flash(struct nxp_spifi *spifi,
 	ret = spi_nor_scan(&spifi->nor, NULL, &hwcaps);
 	if (ret) {
 		dev_err(spifi->dev, "device scan failed\n");
-		return ret;
+		goto err_node_put;
 	}
 
 	ret = nxp_spifi_setup_memory_cmd(spifi);
 	if (ret) {
 		dev_err(spifi->dev, "memory command setup failed\n");
-		return ret;
+		goto err_node_put;
 	}
 
 	ret = mtd_device_register(&spifi->nor.mtd, NULL, 0);
 	if (ret) {
 		dev_err(spifi->dev, "mtd device parse failed\n");
-		return ret;
+		goto err_node_put;
 	}
 
 	return 0;
+
+err_node_put:
+	of_node_put(np);
+	return ret;
 }
 
 static int nxp_spifi_probe(struct platform_device *pdev)

mtd: nxp-spifi: decrement flash_np refcnt on error paths

Commit Message

Comments

Patch