Every USB serial adapter but ucycom(4) leaks 2 xfer descriptors when
it is closed.

This is due to a wrong check involving `sc_uhidev' which is most of
the time initialized with some garbage from the stack.

This driver also leaks the memory allocated for its input buffer
`sc_ibuf'.

Diff below fixes both issues.  I don't want to initialize uca.uhidev in
every driver because I think that we should kill the uhidev-layer and
its associated complexity from ucom(4).

Ok?

Index: ucom.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/ucom.c,v
retrieving revision 1.63
diff -u -p -r1.63 ucom.c
--- ucom.c      3 Feb 2014 20:59:05 -0000       1.63
+++ ucom.c      5 May 2014 08:00:09 -0000
@@ -228,13 +228,17 @@ ucom_detach(struct device *self, int fla
                sc->sc_bulkout_pipe = NULL;
        }
        if (sc->sc_ixfer != NULL) {
-               if (sc->sc_uhidev == NULL)
+               if (sc->sc_bulkin_no != -1) {
+                       usbd_free_buffer(sc->sc_ixfer);
+                       sc->sc_ibuf = NULL;
                        usbd_free_xfer(sc->sc_ixfer);
+               }
                sc->sc_ixfer = NULL;
        }
        if (sc->sc_oxfer != NULL) {
                usbd_free_buffer(sc->sc_oxfer);
-               if (sc->sc_uhidev == NULL)
+               sc->sc_obuf = NULL;
+               if (sc->sc_bulkin_no != -1)
                        usbd_free_xfer(sc->sc_oxfer);
                sc->sc_oxfer = NULL;
        }
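Review bot: The out-transfer branch now decides whether to call `usbd_free_xfer(sc->sc_oxfer)` by testing `sc->sc_bulkin_no != -1`, and nothing at the check explains that `-1` presumably stands in for a uhidev-backed parent. The description says `uca.uhidev` is often uninitialised, so this fix relies on every attaching driver setting the bulk-in number explicitly, which is not visible in this hunk. A comment at the first test would record that, for example `/* sc_bulkin_no == -1: no bulk-in endpoint, i.e. uhidev-backed parent such as ucycom(4) */`. When the value is -1 both xfer pointers are still set to NULL without being released, so it is worth confirming who owns them in that case. The same test recurs in ucom_cleanup and at fail_4 in ucom_do_open, and ucom_detach's body extends beyond this hunk.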
@@ -418,7 +422,7 @@ ucom_do_open(dev_t dev, int flag, int mo
        tp = sc->sc_tty;
        splx(s);
 
-       DPRINTF(("ucomopen: unit=%d, tp=%p\n", unit, tp));
+       DPRINTF(("ucomopen: unit=%d, tp=%p\n", UCOMUNIT(dev), tp));
 
        tp->t_dev = dev;
        if (!ISSET(tp->t_state, TS_ISOPEN)) {
@@ -520,7 +524,7 @@ ucom_do_open(dev_t dev, int flag, int mo
        return (0);
 
 fail_4:
-       if (sc->sc_uhidev == NULL)
+       if (sc->sc_bulkin_no != -1)
                usbd_free_xfer(sc->sc_oxfer);
        sc->sc_oxfer = NULL;
 fail_3:
@@ -554,6 +558,8 @@ ucomclose(dev_t dev, int flag, int mode,
        if (sc == NULL || usbd_is_dying(sc->sc_uparent))
                return (EIO);
 
+       DPRINTF(("ucomclose: unit=%d\n", UCOMUNIT(dev)));
+
        sc->sc_refcnt++;
        error = ucom_do_close(sc, flag, mode, p);
        if (--sc->sc_refcnt < 0)
@@ -571,7 +577,6 @@ ucom_do_close(struct ucom_softc *sc, int
        if (!ISSET(tp->t_state, TS_ISOPEN))
                return (0);
 
-       DPRINTF(("ucomclose: unit=%d\n", UCOMUNIT(dev)));
        ucom_lock(sc);
 
        (*LINESW(tp, l_close))(tp, flag, p);
@@ -1192,13 +1197,17 @@ ucom_cleanup(struct ucom_softc *sc)
                sc->sc_bulkout_pipe = NULL;
        }
        if (sc->sc_ixfer != NULL) {
-               if (sc->sc_uhidev == NULL)
+               if (sc->sc_bulkin_no != -1) {
+                       usbd_free_buffer(sc->sc_ixfer);
+                       sc->sc_ibuf = NULL;
                        usbd_free_xfer(sc->sc_ixfer);
+               }
                sc->sc_ixfer = NULL;
        }
        if (sc->sc_oxfer != NULL) {
                usbd_free_buffer(sc->sc_oxfer);
-               if (sc->sc_uhidev == NULL)
+               sc->sc_obuf = NULL;
+               if (sc->sc_bulkin_no != -1)
                        usbd_free_xfer(sc->sc_oxfer);
                sc->sc_oxfer = NULL;
        }
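Review bot: This teardown sequence in ucom_cleanup is now line-for-line the same as the one in ucom_detach earlier in the patch, so the order of buffer free, pointer clear and xfer free must be kept in sync by hand in two places. Free paths that drift apart are a common source of double frees and leaks on the unplug path. Moving the `if (sc->sc_ixfer != NULL)` and `if (sc->sc_oxfer != NULL)` blocks into one static helper called from both functions would keep the release order in a single place. Only the visible parts were compared, as both function bodies extend beyond their hunks.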
