Marcel Holtmann 36010ff678 [Bluetooth] Fix double frees on error paths of btusb and bpa10x drivers
The transfer buffer of an URB will be automatically freed when using
the URB_FREE_BUFFER transfer_flag. So the extra calls to kfree() will
cause a double free.

Reported-by: Justin Mattock <justinmattock@gmail.com>
Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2008-10-06 12:22:51 +02:00

546 lines
11 KiB
C

/*
*
* Digianswer Bluetooth USB driver
*
* Copyright (C) 2004-2007 Marcel Holtmann <marcel@holtmann.org>
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/sched.h>
#include <linux/errno.h>
#include <linux/skbuff.h>
#include <linux/usb.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#ifndef CONFIG_BT_HCIBPA10X_DEBUG
#undef BT_DBG
#define BT_DBG(D...)
#endif
#define VERSION "0.10"
static struct usb_device_id bpa10x_table[] = {
/* Tektronix BPA 100/105 (Digianswer) */
{ USB_DEVICE(0x08fd, 0x0002) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, bpa10x_table);
struct bpa10x_data {
struct hci_dev *hdev;
struct usb_device *udev;
struct usb_anchor tx_anchor;
struct usb_anchor rx_anchor;
struct sk_buff *rx_skb[2];
};
#define HCI_VENDOR_HDR_SIZE 5
struct hci_vendor_hdr {
__u8 type;
__le16 snum;
__le16 dlen;
} __attribute__ ((packed));
static int bpa10x_recv(struct hci_dev *hdev, int queue, void *buf, int count)
{
struct bpa10x_data *data = hdev->driver_data;
BT_DBG("%s queue %d buffer %p count %d", hdev->name,
queue, buf, count);
if (queue < 0 || queue > 1)
return -EILSEQ;
hdev->stat.byte_rx += count;
while (count) {
struct sk_buff *skb = data->rx_skb[queue];
struct { __u8 type; int expect; } *scb;
int type, len = 0;
if (!skb) {
/* Start of the frame */
type = *((__u8 *) buf);
count--; buf++;
switch (type) {
case HCI_EVENT_PKT:
if (count >= HCI_EVENT_HDR_SIZE) {
struct hci_event_hdr *h = buf;
len = HCI_EVENT_HDR_SIZE + h->plen;
} else
return -EILSEQ;
break;
case HCI_ACLDATA_PKT:
if (count >= HCI_ACL_HDR_SIZE) {
struct hci_acl_hdr *h = buf;
len = HCI_ACL_HDR_SIZE +
__le16_to_cpu(h->dlen);
} else
return -EILSEQ;
break;
case HCI_SCODATA_PKT:
if (count >= HCI_SCO_HDR_SIZE) {
struct hci_sco_hdr *h = buf;
len = HCI_SCO_HDR_SIZE + h->dlen;
} else
return -EILSEQ;
break;
case HCI_VENDOR_PKT:
if (count >= HCI_VENDOR_HDR_SIZE) {
struct hci_vendor_hdr *h = buf;
len = HCI_VENDOR_HDR_SIZE +
__le16_to_cpu(h->dlen);
} else
return -EILSEQ;
break;
}
skb = bt_skb_alloc(len, GFP_ATOMIC);
if (!skb) {
BT_ERR("%s no memory for packet", hdev->name);
return -ENOMEM;
}
skb->dev = (void *) hdev;
data->rx_skb[queue] = skb;
scb = (void *) skb->cb;
scb->type = type;
scb->expect = len;
} else {
/* Continuation */
scb = (void *) skb->cb;
len = scb->expect;
}
len = min(len, count);
memcpy(skb_put(skb, len), buf, len);
scb->expect -= len;
if (scb->expect == 0) {
/* Complete frame */
data->rx_skb[queue] = NULL;
bt_cb(skb)->pkt_type = scb->type;
hci_recv_frame(skb);
}
count -= len; buf += len;
}
return 0;
}
static void bpa10x_tx_complete(struct urb *urb)
{
struct sk_buff *skb = urb->context;
struct hci_dev *hdev = (struct hci_dev *) skb->dev;
BT_DBG("%s urb %p status %d count %d", hdev->name,
urb, urb->status, urb->actual_length);
if (!test_bit(HCI_RUNNING, &hdev->flags))
goto done;
if (!urb->status)
hdev->stat.byte_tx += urb->transfer_buffer_length;
else
hdev->stat.err_tx++;
done:
kfree(urb->setup_packet);
kfree_skb(skb);
}
static void bpa10x_rx_complete(struct urb *urb)
{
struct hci_dev *hdev = urb->context;
struct bpa10x_data *data = hdev->driver_data;
int err;
BT_DBG("%s urb %p status %d count %d", hdev->name,
urb, urb->status, urb->actual_length);
if (!test_bit(HCI_RUNNING, &hdev->flags))
return;
if (urb->status == 0) {
if (bpa10x_recv(hdev, usb_pipebulk(urb->pipe),
urb->transfer_buffer,
urb->actual_length) < 0) {
BT_ERR("%s corrupted event packet", hdev->name);
hdev->stat.err_rx++;
}
}
usb_anchor_urb(urb, &data->rx_anchor);
err = usb_submit_urb(urb, GFP_ATOMIC);
if (err < 0) {
BT_ERR("%s urb %p failed to resubmit (%d)",
hdev->name, urb, -err);
usb_unanchor_urb(urb);
}
}
static inline int bpa10x_submit_intr_urb(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
struct urb *urb;
unsigned char *buf;
unsigned int pipe;
int err, size = 16;
BT_DBG("%s", hdev->name);
urb = usb_alloc_urb(0, GFP_KERNEL);
if (!urb)
return -ENOMEM;
buf = kmalloc(size, GFP_KERNEL);
if (!buf) {
usb_free_urb(urb);
return -ENOMEM;
}
pipe = usb_rcvintpipe(data->udev, 0x81);
usb_fill_int_urb(urb, data->udev, pipe, buf, size,
bpa10x_rx_complete, hdev, 1);
urb->transfer_flags |= URB_FREE_BUFFER;
usb_anchor_urb(urb, &data->rx_anchor);
err = usb_submit_urb(urb, GFP_KERNEL);
if (err < 0) {
BT_ERR("%s urb %p submission failed (%d)",
hdev->name, urb, -err);
usb_unanchor_urb(urb);
}
usb_free_urb(urb);
return err;
}
static inline int bpa10x_submit_bulk_urb(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
struct urb *urb;
unsigned char *buf;
unsigned int pipe;
int err, size = 64;
BT_DBG("%s", hdev->name);
urb = usb_alloc_urb(0, GFP_KERNEL);
if (!urb)
return -ENOMEM;
buf = kmalloc(size, GFP_KERNEL);
if (!buf) {
usb_free_urb(urb);
return -ENOMEM;
}
pipe = usb_rcvbulkpipe(data->udev, 0x82);
usb_fill_bulk_urb(urb, data->udev, pipe,
buf, size, bpa10x_rx_complete, hdev);
urb->transfer_flags |= URB_FREE_BUFFER;
usb_anchor_urb(urb, &data->rx_anchor);
err = usb_submit_urb(urb, GFP_KERNEL);
if (err < 0) {
BT_ERR("%s urb %p submission failed (%d)",
hdev->name, urb, -err);
usb_unanchor_urb(urb);
}
usb_free_urb(urb);
return err;
}
static int bpa10x_open(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
int err;
BT_DBG("%s", hdev->name);
if (test_and_set_bit(HCI_RUNNING, &hdev->flags))
return 0;
err = bpa10x_submit_intr_urb(hdev);
if (err < 0)
goto error;
err = bpa10x_submit_bulk_urb(hdev);
if (err < 0)
goto error;
return 0;
error:
usb_kill_anchored_urbs(&data->rx_anchor);
clear_bit(HCI_RUNNING, &hdev->flags);
return err;
}
static int bpa10x_close(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
BT_DBG("%s", hdev->name);
if (!test_and_clear_bit(HCI_RUNNING, &hdev->flags))
return 0;
usb_kill_anchored_urbs(&data->rx_anchor);
return 0;
}
static int bpa10x_flush(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
BT_DBG("%s", hdev->name);
usb_kill_anchored_urbs(&data->tx_anchor);
return 0;
}
static int bpa10x_send_frame(struct sk_buff *skb)
{
struct hci_dev *hdev = (struct hci_dev *) skb->dev;
struct bpa10x_data *data = hdev->driver_data;
struct usb_ctrlrequest *dr;
struct urb *urb;
unsigned int pipe;
int err;
BT_DBG("%s", hdev->name);
if (!test_bit(HCI_RUNNING, &hdev->flags))
return -EBUSY;
urb = usb_alloc_urb(0, GFP_ATOMIC);
if (!urb)
return -ENOMEM;
/* Prepend skb with frame type */
*skb_push(skb, 1) = bt_cb(skb)->pkt_type;
switch (bt_cb(skb)->pkt_type) {
case HCI_COMMAND_PKT:
dr = kmalloc(sizeof(*dr), GFP_ATOMIC);
if (!dr) {
usb_free_urb(urb);
return -ENOMEM;
}
dr->bRequestType = USB_TYPE_VENDOR;
dr->bRequest = 0;
dr->wIndex = 0;
dr->wValue = 0;
dr->wLength = __cpu_to_le16(skb->len);
pipe = usb_sndctrlpipe(data->udev, 0x00);
usb_fill_control_urb(urb, data->udev, pipe, (void *) dr,
skb->data, skb->len, bpa10x_tx_complete, skb);
hdev->stat.cmd_tx++;
break;
case HCI_ACLDATA_PKT:
pipe = usb_sndbulkpipe(data->udev, 0x02);
usb_fill_bulk_urb(urb, data->udev, pipe,
skb->data, skb->len, bpa10x_tx_complete, skb);
hdev->stat.acl_tx++;
break;
case HCI_SCODATA_PKT:
pipe = usb_sndbulkpipe(data->udev, 0x02);
usb_fill_bulk_urb(urb, data->udev, pipe,
skb->data, skb->len, bpa10x_tx_complete, skb);
hdev->stat.sco_tx++;
break;
default:
usb_free_urb(urb);
return -EILSEQ;
}
usb_anchor_urb(urb, &data->tx_anchor);
err = usb_submit_urb(urb, GFP_ATOMIC);
if (err < 0) {
BT_ERR("%s urb %p submission failed", hdev->name, urb);
kfree(urb->setup_packet);
usb_unanchor_urb(urb);
}
usb_free_urb(urb);
return 0;
}
static void bpa10x_destruct(struct hci_dev *hdev)
{
struct bpa10x_data *data = hdev->driver_data;
BT_DBG("%s", hdev->name);
kfree(data->rx_skb[0]);
kfree(data->rx_skb[1]);
kfree(data);
}
static int bpa10x_probe(struct usb_interface *intf, const struct usb_device_id *id)
{
struct bpa10x_data *data;
struct hci_dev *hdev;
int err;
BT_DBG("intf %p id %p", intf, id);
if (intf->cur_altsetting->desc.bInterfaceNumber != 0)
return -ENODEV;
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
data->udev = interface_to_usbdev(intf);
init_usb_anchor(&data->tx_anchor);
init_usb_anchor(&data->rx_anchor);
hdev = hci_alloc_dev();
if (!hdev) {
kfree(data);
return -ENOMEM;
}
hdev->type = HCI_USB;
hdev->driver_data = data;
data->hdev = hdev;
SET_HCIDEV_DEV(hdev, &intf->dev);
hdev->open = bpa10x_open;
hdev->close = bpa10x_close;
hdev->flush = bpa10x_flush;
hdev->send = bpa10x_send_frame;
hdev->destruct = bpa10x_destruct;
hdev->owner = THIS_MODULE;
err = hci_register_dev(hdev);
if (err < 0) {
hci_free_dev(hdev);
kfree(data);
return err;
}
usb_set_intfdata(intf, data);
return 0;
}
static void bpa10x_disconnect(struct usb_interface *intf)
{
struct bpa10x_data *data = usb_get_intfdata(intf);
BT_DBG("intf %p", intf);
if (!data)
return;
usb_set_intfdata(intf, NULL);
hci_unregister_dev(data->hdev);
hci_free_dev(data->hdev);
}
static struct usb_driver bpa10x_driver = {
.name = "bpa10x",
.probe = bpa10x_probe,
.disconnect = bpa10x_disconnect,
.id_table = bpa10x_table,
};
static int __init bpa10x_init(void)
{
BT_INFO("Digianswer Bluetooth USB driver ver %s", VERSION);
return usb_register(&bpa10x_driver);
}
static void __exit bpa10x_exit(void)
{
usb_deregister(&bpa10x_driver);
}
module_init(bpa10x_init);
module_exit(bpa10x_exit);
MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("Digianswer Bluetooth USB driver ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");