summaryrefslogtreecommitdiff
path: root/drivers/usb/gadget/function/f_fs.c
diff options
context:
space:
mode:
authorMichal Nazarewicz <mina86@mina86.com>2016-01-04 22:42:43 +0300
committerFelipe Balbi <balbi@kernel.org>2016-03-04 16:14:31 +0300
commit3de4e20568171f542adb8d54a47c46ff025ca942 (patch)
tree9f714516c9623e66aa6b072c071c01aa87b01d0f /drivers/usb/gadget/function/f_fs.c
parent12496785a414593ff25fd271f37d3a95d2a8058b (diff)
downloadlinux-3de4e20568171f542adb8d54a47c46ff025ca942.tar.xz
usb: f_fs: fix memory leak when ep changes during transfer
In the ffs_epfile_io function, data buffer is allocated for non-halt requests. Later, after grabing a mutex, the function checks that epfile->ep is still ep and if it’s not, it set ret to -ESHUTDOWN and follow a path including spin_unlock_irq (just after ‘ret = -ESHUTDOWN’), mutex_unlock (after if-else-if-else chain) and returns ret. Noticeably, this does not include freeing of the data buffer. Fix by introducing a goto which moves control flow to the the end of the function where spin_unlock_irq, mutex_unlock and kfree are all called. Signed-off-by: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: Felipe Balbi <balbi@kernel.org>
Diffstat (limited to 'drivers/usb/gadget/function/f_fs.c')
-rw-r--r--drivers/usb/gadget/function/f_fs.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index cf43e9e18368..d1a4a8645620 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -763,7 +763,7 @@ static ssize_t ffs_epfile_io(struct file *file, struct ffs_io_data *io_data)
if (epfile->ep != ep) {
/* In the meantime, endpoint got disabled or changed. */
ret = -ESHUTDOWN;
- spin_unlock_irq(&epfile->ffs->eps_lock);
+ goto error_lock;
} else if (halt) {
/* Halt */
if (likely(epfile->ep == ep) && !WARN_ON(!ep->ep))