Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b9e00088 authored by Michal Nazarewicz's avatar Michal Nazarewicz Committed by Greg Kroah-Hartman
Browse files

USB: gadget: f_mass_storage: fix in error recovery 



In to places in fsg_common_init() an unconditional call to kfree()
on common was performed in error recovery which is not a valid
behaviour since fsg_common structure is not always allocated by
fsg_common_init().

To fix, the calls has been replaced with a goto to a proper error
recovery which does the correct thing.

Also, refactored fsg_common_release() function.

Signed-off-by: default avatarMichal Nazarewicz <mina86@mina86.com>
Reviewed-by: default avatarViral Mehta <viral.mehta@lntinfotech.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent f537da68

drivers/usb/gadget/f_mass_storage.c

+25 −26
Original line number Diff line number Diff line
@@ -2742,10 +2742,8 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common, 
	/* Maybe allocate device-global string IDs, and patch descriptors */

	if (fsg_strings[FSG_STRING_INTERFACE].id == 0) {

		rc = usb_string_id(cdev);

		if (rc < 0) {

			kfree(common);

			return ERR_PTR(rc);

		}

		if (unlikely(rc < 0))

			goto error_release;

		fsg_strings[FSG_STRING_INTERFACE].id = rc;

		fsg_intf_desc.iInterface = rc;

	}
@@ -2753,9 +2751,9 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common, 
	/* Create the LUNs, open their backing files, and register the

	 * LUN devices in sysfs. */

	curlun = kzalloc(nluns * sizeof *curlun, GFP_KERNEL);

	if (!curlun) {

		kfree(common);

		return ERR_PTR(-ENOMEM);

	if (unlikely(!curlun)) {

		rc = -ENOMEM;

		goto error_release;

	}

	common->luns = curlun;
@@ -2914,11 +2912,7 @@ static struct fsg_common *fsg_common_init(struct fsg_common *common, 


static void fsg_common_release(struct kref *ref)

{

	struct fsg_common *common =

		container_of(ref, struct fsg_common, ref);

	unsigned i = common->nluns;

	struct fsg_lun *lun = common->luns;

	struct fsg_buffhd *bh;

	struct fsg_common *common = container_of(ref, struct fsg_common, ref);



	/* If the thread isn't already dead, tell it to exit now */

	if (common->state != FSG_STATE_TERMINATED) {
@@ -2929,9 +2923,11 @@ static void fsg_common_release(struct kref *ref) 
		complete(&common->thread_notifier);

	}



	/* Beware tempting for -> do-while optimization: when in error

	 * recovery nluns may be zero. */

	if (likely(common->luns)) {

		struct fsg_lun *lun = common->luns;

		unsigned i = common->nluns;



		/* In error recovery common->nluns may be zero. */

		for (; i; --i, ++lun) {

			device_remove_file(&lun->dev, &dev_attr_ro);

			device_remove_file(&lun->dev, &dev_attr_file);
@@ -2940,12 +2936,15 @@ static void fsg_common_release(struct kref *ref) 
		}



		kfree(common->luns);

	}



	i = FSG_NUM_BUFFERS;

	bh = common->buffhds;

	{

		struct fsg_buffhd *bh = common->buffhds;

		unsigned i = FSG_NUM_BUFFERS;

		do {

			kfree(bh->buf);

		} while (++bh, --i);

	}



	if (common->free_storage_on_release)

		kfree(common);