USB: cdc_acm: Fix memory leak after hangup

Am Donnerstag, 10. September 2009 15:43:53 schrieb Dietmar Hilbrich:
> Hello,
>
> i have the following problem with the cdc-acm - driver:
>
> I'm using the driver with an "Ericsson F3507G" on a Thinkpad T400.
>
> If a disable the device (with the RFKill-Switch) while it is used by a
> programm like ppp, the driver doesn't seem to correctly clean up the tty,
> even after the program has been closed)
>
> The tty is still active (e.g. there still exists an entry in
> /sys/dev/char/166:0 if ttyACM0 was used) and if a reacticate the device,
> this device entry will be skipped and the Device-Nodes ttyACM1, ttyACM2
> and ttyACM3 will be used.
>
> This problem was introduced with the commit
> 10077d4a6674f535abdbe25cdecb1202af7948f1 (before 2.6.31-rc1) and still
> exists in 2.6.31.
>
> I was able the fix this problem with the following patch:
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 2bfc41e..0970d2f 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -676,6 +676,7 @@ static void acm_tty_hangup(struct tty_struct *tty)
>         struct acm *acm = tty->driver_data;
>         tty_port_hangup(&acm->port);
>         acm_port_down(acm, 0);
> +       acm_tty_unregister(acm);
>  }

I have the same problem with cdc-acm (I'm using a Samsung SGH-U900): when I
unplug it from the USB port during a PPP connection, the ppp daemon gets the
hangup correctly (and closes the device), but the struct acm corresponding to
the device disconnected is not freed. Hence reconnecting the device results in
creation of /dev/ttyACM(x+1). The same happens when the system is hibernated
during a PPP connection.

This memory leak is due to the fact that when the tty is hung up,
tty_port_close_start() returns always zero, and acm_tty_close() never reaches
the point where acm_tty_unregister() is called.

Here is a fix for this.

Signed-off-by: Francesco Lavra <francescolavra@interfree.it>
Acked-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
index b72fa49..e4eca78 100644 (file)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -686,15 +686,21 @@ static void acm_tty_close(struct tty_struct *tty, struct file *filp)
 
        /* Perform the closing process and see if we need to do the hardware
           shutdown */
-       if (!acm || tty_port_close_start(&acm->port, tty, filp) == 0)
+       if (!acm)
+               return;
+       if (tty_port_close_start(&acm->port, tty, filp) == 0) {
+               mutex_lock(&open_mutex);
+               if (!acm->dev) {
+                       tty_port_tty_set(&acm->port, NULL);
+                       acm_tty_unregister(acm);
+                       tty->driver_data = NULL;
+               }
+               mutex_unlock(&open_mutex);
                return;
+       }
        acm_port_down(acm, 0);
        tty_port_close_end(&acm->port, tty);
-       mutex_lock(&open_mutex);
        tty_port_tty_set(&acm->port, NULL);
-       if (!acm->dev)
-               acm_tty_unregister(acm);
-       mutex_unlock(&open_mutex);
 }
 
 static int acm_tty_write(struct tty_struct *tty,