Commit d794a021 authored by Oliver Neukum's avatar Oliver Neukum Committed by Greg Kroah-Hartman

USB: fix memleak in usbfs

This patch fixes a memory leak in devio.c::processcompl

If writing to user space fails the packet must be discarded, as it
already has been removed from the queue of completed packets.
Signed-off-by: Oliver Neukum <oliver@neukum.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent ba516de3
...@@ -1231,22 +1231,22 @@ static int processcompl(struct async *as, void __user * __user *arg) ...@@ -1231,22 +1231,22 @@ static int processcompl(struct async *as, void __user * __user *arg)
if (as->userbuffer) if (as->userbuffer)
if (copy_to_user(as->userbuffer, urb->transfer_buffer, if (copy_to_user(as->userbuffer, urb->transfer_buffer,
urb->transfer_buffer_length)) urb->transfer_buffer_length))
return -EFAULT; goto err_out;
if (put_user(as->status, &userurb->status)) if (put_user(as->status, &userurb->status))
return -EFAULT; goto err_out;
if (put_user(urb->actual_length, &userurb->actual_length)) if (put_user(urb->actual_length, &userurb->actual_length))
return -EFAULT; goto err_out;
if (put_user(urb->error_count, &userurb->error_count)) if (put_user(urb->error_count, &userurb->error_count))
return -EFAULT; goto err_out;
if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
for (i = 0; i < urb->number_of_packets; i++) { for (i = 0; i < urb->number_of_packets; i++) {
if (put_user(urb->iso_frame_desc[i].actual_length, if (put_user(urb->iso_frame_desc[i].actual_length,
&userurb->iso_frame_desc[i].actual_length)) &userurb->iso_frame_desc[i].actual_length))
return -EFAULT; goto err_out;
if (put_user(urb->iso_frame_desc[i].status, if (put_user(urb->iso_frame_desc[i].status,
&userurb->iso_frame_desc[i].status)) &userurb->iso_frame_desc[i].status))
return -EFAULT; goto err_out;
} }
} }
...@@ -1255,6 +1255,10 @@ static int processcompl(struct async *as, void __user * __user *arg) ...@@ -1255,6 +1255,10 @@ static int processcompl(struct async *as, void __user * __user *arg)
if (put_user(addr, (void __user * __user *)arg)) if (put_user(addr, (void __user * __user *)arg))
return -EFAULT; return -EFAULT;
return 0; return 0;
err_out:
free_async(as);
return -EFAULT;
} }
static struct async *reap_as(struct dev_state *ps) static struct async *reap_as(struct dev_state *ps)
......
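Review bot: The `return -EFAULT;` after `put_user(addr, (void __user * __user *)arg)` in the second hunk is now the only failure exit that bypasses `err_out`, and nothing in the visible lines says why. That is correct only if `as` has already been released in the two lines between the hunks, which are not shown here. If it has, a short comment at that return, e.g. `/* as is already freed here; do not jump to err_out */`, would stop a later cleanup from turning it into a double free. It would also help to state in a comment above `processcompl` that it consumes `as` on every return path, so callers must not touch it afterwards. The start of the function is outside the view as well.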