__uvcg_fill_strm() called from __uvcg_iter_stream_cls() might have advanced the "data" even if __uvcg_iter_stream_cls() returns an error, so use a backup copy as an argument to kfree(). Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@xxxxxxxxxxx> --- drivers/usb/gadget/function/uvc_configfs.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/uvc_configfs.c b/drivers/usb/gadget/function/uvc_configfs.c index cc2a613..49f25e8 100644 --- a/drivers/usb/gadget/function/uvc_configfs.c +++ b/drivers/usb/gadget/function/uvc_configfs.c @@ -2086,7 +2086,7 @@ static int uvcg_streaming_class_allow_link(struct config_item *src, struct mutex *su_mutex = &src->ci_group->cg_subsys->su_mutex; struct uvc_descriptor_header ***class_array, **cl_arr; struct uvcg_streaming_header *target_hdr; - void *data; + void *data, *data_save; size_t size = 0, count = 0; int ret = -EINVAL; @@ -2119,7 +2119,7 @@ static int uvcg_streaming_class_allow_link(struct config_item *src, goto unlock; } - data = kzalloc(size, GFP_KERNEL); + data = data_save = kzalloc(size, GFP_KERNEL); if (!data) { kfree(*class_array); *class_array = NULL; @@ -2132,7 +2132,11 @@ static int uvcg_streaming_class_allow_link(struct config_item *src, if (ret) { kfree(*class_array); *class_array = NULL; - kfree(data); + /* + * __uvcg_fill_strm() called from __uvcg_iter_stream_cls() + * might have advanced the "data", so use a backup copy + */ + kfree(data_save); goto unlock; } *cl_arr = (struct uvc_descriptor_header *)&opts->uvc_color_matching; -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html