2018-07-23 11:12:00

by Xidong Wang

[permalink] [raw]
Subject: [PATCH 1/1] usb:gadget:function:fix memory leak

In function f_audio_set_alt(), the memory allocated by
usb_ep_alloc_request() is not released on the error path
that req->buf, which holds the return value of kzalloc(),
is NULL. This will result in a memory leak bug.

Signed-off-by: Xidong Wang <[email protected]>
---
drivers/usb/gadget/function/f_uac1_legacy.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_uac1_legacy.c b/drivers/usb/gadget/function/f_uac1_legacy.c
index 24c086b..2fcdade 100644
--- a/drivers/usb/gadget/function/f_uac1_legacy.c
+++ b/drivers/usb/gadget/function/f_uac1_legacy.c
@@ -630,8 +630,11 @@ static int f_audio_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
ERROR(cdev,
"%s queue req: %d\n",
out_ep->name, err);
- } else
+ } else {
+ usb_ep_free_request(
+ out_ep, req);
err = -ENOMEM;
+ }
} else
err = -ENOMEM;
}
--
2.7.4




2018-07-26 11:12:32

by Felipe Balbi

[permalink] [raw]
Subject: Re: [PATCH 1/1] usb:gadget:function:fix memory leak


hi,

Xidong Wang <[email protected]> writes:
> In function f_audio_set_alt(), the memory allocated by
> usb_ep_alloc_request() is not released on the error path
> that req->buf, which holds the return value of kzalloc(),
> is NULL. This will result in a memory leak bug.
>
> Signed-off-by: Xidong Wang <[email protected]>
> ---
> drivers/usb/gadget/function/f_uac1_legacy.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/function/f_uac1_legacy.c b/drivers/usb/gadget/function/f_uac1_legacy.c
> index 24c086b..2fcdade 100644
> --- a/drivers/usb/gadget/function/f_uac1_legacy.c
> +++ b/drivers/usb/gadget/function/f_uac1_legacy.c
> @@ -630,8 +630,11 @@ static int f_audio_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
> ERROR(cdev,
> "%s queue req: %d\n",
> out_ep->name, err);
> - } else
> + } else {
> + usb_ep_free_request(
> + out_ep, req);
> err = -ENOMEM;
> + }

I feel like this hunk has been ping ponging between having
usb_ep_free_request() and not having it because completion callback will
call usb_ep_free_request() or something along those lines.

Can we get a final solution that solves all cases and doesn't introduce
other bugs?

--
balbi

Attachments:
signature.asc (847.00 B)