usb: gadget: Zero ffs_io_data (50859551) · Commits · e / devices / android_kernel_fairphone_FP5

In some cases the "Allocate & copy" block in ffs_epfile_io() is not executed. Consequently, in such a case ffs_alloc_buffer() is never called and struct ffs_io_data is not initialized properly. This in turn leads to problems when ffs_free_buffer() is called at the end of ffs_epfile_io(). This patch uses kzalloc() instead of kmalloc() in the aio case and memset() in non-aio case to properly initialize struct ffs_io_data. Signed-off-by:

Andrzej Pietrasiewicz <andrzej.p@collabora.com> Signed-off-by:

Felipe Balbi <felipe.balbi@linux.intel.com>

drivers/usb/gadget/function/f_fs.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -1183,11 +1183,12 @@ static ssize_t ffs_epfile_write_iter(struct kiocb kiocb, struct iov_iter from)
		ENTER();

		if (!is_sync_kiocb(kiocb)) {
		p = kmalloc(sizeof(io_data), GFP_KERNEL);
		p = kzalloc(sizeof(io_data), GFP_KERNEL);
		if (unlikely(!p))
		return -ENOMEM;
		p->aio = true;
		} else {
		memset(p, 0, sizeof(*p));
		p->aio = false;
		}

		@@ -1219,11 +1220,12 @@ static ssize_t ffs_epfile_read_iter(struct kiocb kiocb, struct iov_iter to)
		ENTER();

		if (!is_sync_kiocb(kiocb)) {
		p = kmalloc(sizeof(io_data), GFP_KERNEL);
		p = kzalloc(sizeof(io_data), GFP_KERNEL);
		if (unlikely(!p))
		return -ENOMEM;
		p->aio = true;
		} else {
		memset(p, 0, sizeof(*p));
		p->aio = false;
		}