From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
If ffs_epfile_io() fails in AIO case, we end up leaking io_data
(and iovec_copy in case of AIO read).
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
---
drivers/usb/gadget/function/f_fs.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index af98b09..3ab34a2 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -970,6 +970,7 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
unsigned long nr_segs, loff_t loff)
{
struct ffs_io_data *io_data;
+ ssize_t res;
ENTER();
@@ -989,7 +990,10 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
- return ffs_epfile_io(kiocb->ki_filp, io_data);
+ res = ffs_epfile_io(kiocb->ki_filp, io_data);
+ if (res != -EIOCBQUEUED)
+ kfree(io_data);
+ return res;
}
static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
@@ -998,6 +1002,7 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
{
struct ffs_io_data *io_data;
struct iovec *iovec_copy;
+ ssize_t res;
ENTER();
@@ -1025,7 +1030,12 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
- return ffs_epfile_io(kiocb->ki_filp, io_data);
+ res = ffs_epfile_io(kiocb->ki_filp, io_data);
+ if (res != -EIOCBQUEUED) {
+ kfree(io_data);
+ kfree(iovec_copy);
+ }
+ return res;
}
static int
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
