aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorOliver Neukum <oliver@neukum.org>2009-06-28 17:34:14 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2009-07-12 18:16:39 -0400
commitd794a02111cd3393da69bc7d6dd2b6074bd037cc (patch)
treea455f01284f4503edfe8e335c333694711073736 /drivers
parentba516de332c0e574457e58fb5aa0293e628b7b10 (diff)
USB: fix memleak in usbfs
This patch fixes a memory leak in devio.c::processcompl If writing to user space fails the packet must be discarded, as it already has been removed from the queue of completed packets. Signed-off-by: Oliver Neukum <oliver@neukum.org> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/core/devio.c16
1 files changed, 10 insertions, 6 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 308609039c7..706f18156af 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1231,22 +1231,22 @@ static int processcompl(struct async *as, void __user * __user *arg)
1231 if (as->userbuffer) 1231 if (as->userbuffer)
1232 if (copy_to_user(as->userbuffer, urb->transfer_buffer, 1232 if (copy_to_user(as->userbuffer, urb->transfer_buffer,
1233 urb->transfer_buffer_length)) 1233 urb->transfer_buffer_length))
1234 return -EFAULT; 1234 goto err_out;
1235 if (put_user(as->status, &userurb->status)) 1235 if (put_user(as->status, &userurb->status))
1236 return -EFAULT; 1236 goto err_out;
1237 if (put_user(urb->actual_length, &userurb->actual_length)) 1237 if (put_user(urb->actual_length, &userurb->actual_length))
1238 return -EFAULT; 1238 goto err_out;
1239 if (put_user(urb->error_count, &userurb->error_count)) 1239 if (put_user(urb->error_count, &userurb->error_count))
1240 return -EFAULT; 1240 goto err_out;
1241 1241
1242 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) { 1242 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
1243 for (i = 0; i < urb->number_of_packets; i++) { 1243 for (i = 0; i < urb->number_of_packets; i++) {
1244 if (put_user(urb->iso_frame_desc[i].actual_length, 1244 if (put_user(urb->iso_frame_desc[i].actual_length,
1245 &userurb->iso_frame_desc[i].actual_length)) 1245 &userurb->iso_frame_desc[i].actual_length))
1246 return -EFAULT; 1246 goto err_out;
1247 if (put_user(urb->iso_frame_desc[i].status, 1247 if (put_user(urb->iso_frame_desc[i].status,
1248 &userurb->iso_frame_desc[i].status)) 1248 &userurb->iso_frame_desc[i].status))
1249 return -EFAULT; 1249 goto err_out;
1250 } 1250 }
1251 } 1251 }
1252 1252
@@ -1255,6 +1255,10 @@ static int processcompl(struct async *as, void __user * __user *arg)
1255 if (put_user(addr, (void __user * __user *)arg)) 1255 if (put_user(addr, (void __user * __user *)arg))
1256 return -EFAULT; 1256 return -EFAULT;
1257 return 0; 1257 return 0;
1258
1259err_out:
1260 free_async(as);
1261 return -EFAULT;
1258} 1262}
1259 1263
1260static struct async *reap_as(struct dev_state *ps) 1264static struct async *reap_as(struct dev_state *ps)
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-16 06:26:30 -0400