From f6c103ea8b2ebb3077decb02ca42bbd8c5d2def6 Mon Sep 17 00:00:00 2001
From: imp
Date: Tue, 20 Apr 2010 20:39:42 +0000
Subject: Make sure that we free the passed in data message if we don't actually insert it onto the queue. Also, fix a mtx leak if someone turns off devctl while we're processing a messages. MFC after: 5 days
---
 sys/kern/subr_bus.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
(limited to 'sys/kern/subr_bus.c')
diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c
index 6e939c0..9d3292a 100644
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -545,15 +545,16 @@ devctl_queue_data(char *data)
 struct proc *p;

 if (strlen(data) == 0)
- return;
+ goto out;
 if (devctl_queue_length == 0)
- return;
+ goto out;
 n1 = malloc(sizeof(*n1), M_BUS, M_NOWAIT);
 if (n1 == NULL)
- return;
+ goto out;
 n1->dei_data = data;
 mtx_lock(&devsoftc.mtx);
 if (devctl_queue_length == 0) {
+ mtx_unlock(&devsoftc.mtx);
 free(n1->dei_data, M_BUS);
 free(n1, M_BUS);
 return;
@@ -577,6 +578,14 @@ devctl_queue_data(char *data)
 psignal(p, SIGIO);
 PROC_UNLOCK(p);
 }
+ return;
+out:
+ /*
+ * We have to free data on all error paths since the caller
+ * assumes it will be free'd when this item is dequeued.
+ */
+ free(data, M_BUS);
+ return;
 }

 /**
-- 
cgit v1.1
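Review bot: In the first hunk (@@ -545,15 +545,16) the re-check branch under the lock still carries its own copy of the cleanup (`free(n1->dei_data, M_BUS); free(n1, M_BUS); return;`) instead of using the new `out:` label, so `data` is released in two separate places that have to be kept in step. Routing it through the shared exit, `mtx_unlock(&devsoftc.mtx); free(n1, M_BUS); goto out;`, leaves a single point that frees `data` and makes a future missed unlock or missed free easier to spot. The first `devctl_queue_length == 0` test runs without `devsoftc.mtx` and is safe only because of the re-check under the lock; a short comment such as `/* Unlocked peek; re-checked under devsoftc.mtx below. */` would record that. devctl_queue_data() starts before this hunk and continues after it.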
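Review bot: The ownership rule for `data` is documented only in the comment at the new `out:` label (second hunk, @@ -577,6 +578,14), not where callers will read it, even though the function now calls `free(data, M_BUS)` on every early exit as well as on the dequeue path. The callers are not visible in this patch, so it is worth confirming that none of them frees or reuses `data` after the call and that each passes an M_BUS allocation, because a caller that cleaned up on its own would now double-free on these paths. I would state the contract in the function's header comment, for example `Takes ownership of data (M_BUS); it is freed here if the event is not queued.` The final `return;` before the closing brace is redundant in a void function and can be dropped. The start of the function is outside this hunk.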