Commit 3de4e205 authored Jan 04, 2016 by Michal Nazarewicz Committed by Felipe Balbi Mar 04, 2016

usb: f_fs: fix memory leak when ep changes during transfer

In the ffs_epfile_io function, data buffer is allocated for non-halt
requests. Later, after grabing a mutex, the function checks that
epfile->ep is still ep and if it’s not, it set ret to -ESHUTDOWN and
follow a path including spin_unlock_irq (just after ‘ret = -ESHUTDOWN’),
mutex_unlock (after if-else-if-else chain) and returns ret. Noticeably,
this does not include freeing of the data buffer.

Fix by introducing a goto which moves control flow to the the end of the
function where spin_unlock_irq, mutex_unlock and kfree are all called.

Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>

parent 12496785

drivers/usb/gadget/function/f_fs.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -763,7 +763,7 @@ static ssize_t ffs_epfile_io(struct file file, struct ffs_io_data io_data)
	if (epfile->ep != ep) {		if (epfile->ep != ep) {
	/* In the meantime, endpoint got disabled or changed. */		/* In the meantime, endpoint got disabled or changed. */
	ret = -ESHUTDOWN;		ret = -ESHUTDOWN;
	spin_unlock_irq(&epfile->ffs->eps_lock);		goto error_lock;
	} else if (halt) {		} else if (halt) {
	/* Halt */		/* Halt */
	if (likely(epfile->ep == ep) && !WARN_ON(!ep->ep))		if (likely(epfile->ep == ep) && !WARN_ON(!ep->ep))