2013-09-12 00:35:00

by David Cohen

Subject: [PATCH] usb: dwc3: gadget: avoid memory leak when failing to allocate all eps

If dwc3_gadget_init_endpoint() fails after allocate some of the eps, we
need to free their memory to avoid leak.

Signed-off-by: David Cohen <[email protected]>
---
drivers/usb/dwc3/gadget.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index f168eae..611bdba 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1707,8 +1707,13 @@ static void dwc3_gadget_free_endpoints(struct dwc3 *dwc)

for (epnum = 0; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
dep = dwc->eps[epnum];
+ /*
+ * Because dwc was allocated by kzalloc() and eps are set
+ * in ascending order, we can assume no extra one was
+ * allocated after first dep == NULL.
+ */
if (!dep)
- continue;
+ break;
/*
* Physical endpoints 0 and 1 are special; they form the
* bi-directional USB endpoint 0.
@@ -2611,15 +2616,13 @@ int dwc3_gadget_init(struct dwc3 *dwc)
ret = usb_add_gadget_udc(dwc->dev, &dwc->gadget);
if (ret) {
dev_err(dwc->dev, "failed to register udc\n");
- goto err5;
+ goto err4;
}

return 0;

-err5:
- dwc3_gadget_free_endpoints(dwc);
-
err4:
+ dwc3_gadget_free_endpoints(dwc);
dma_free_coherent(dwc->dev, DWC3_EP0_BOUNCE_SIZE,
dwc->ep0_bounce, dwc->ep0_bounce_addr);

--
1.8.4.rc3

2013-09-12 00:43:05

by David Cohen

Subject: Re: [PATCH] usb: dwc3: gadget: avoid memory leak when failing to allocate all eps

Hi Mr. Balbi, :)

On 09/11/2013 05:38 PM, David Cohen wrote:
> If dwc3_gadget_init_endpoint() fails after allocate some of the eps, we
> need to free their memory to avoid leak.
>
> Signed-off-by: David Cohen <[email protected]>
> ---
> drivers/usb/dwc3/gadget.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
> index f168eae..611bdba 100644
> --- a/drivers/usb/dwc3/gadget.c
> +++ b/drivers/usb/dwc3/gadget.c
> @@ -1707,8 +1707,13 @@ static void dwc3_gadget_free_endpoints(struct dwc3 *dwc)
>
> for (epnum = 0; epnum < DWC3_ENDPOINTS_NUM; epnum++) {
> dep = dwc->eps[epnum];
> + /*
> + * Because dwc was allocated by kzalloc() and eps are set
> + * in ascending order, we can assume no extra one was
> + * allocated after first dep == NULL.
> + */

Wrong assumption here. Please consider patch v2 instead.

BR, David Cohen