On Thu, 15 Mar 2012 02:23:55 +0100, <Yongsul@xxxxxxxxxxxxxxx> wrote:
In some usb gadget driver, for example usb gadget serial driver(serial.c),
multifunction composite driver(multi,c), nokia composite gadget driver(nokia.c),
HID composite driver(hid.c), CDC composite driver(cdc2.c).., the configuration's
bind function by called the 'usb_add_config()' has multiple bind config functions
for each functionality, for example cdc2 configuration bind function -'cdc_do_config()'
has two functionality bind config functions -'ecm_bind_config()' & 'acm_bind_config()'
in CDC composite driver.
In each functionality bind config function, new instance for each functionality is
allocated & initialized by 'kzalloc()' ,and finally the new instance is added by
'usb_add_function()'. After 'usb_add_function' state, already created the instance
is only handled by its configuration & freed from functionality unbind function.
So, If an error occurred during the second functionality bind config state, for example
an error occurred at 'acm_bind_config()' after succeeding 'ecm_bind_function()',
The created instance by 'acm_bind_config()' cannot be freed.
And it makes memory leak situation.
It may be my poor English skills, but this is very hard to read.
Also, should this be handled in usb_gadget_probe_driver() instead? Ie. on error
recovery path, should usb_gadget_probe_driver() call usb_gadget_remove_driver()?
In particular, if I'm not mistaken, for (some?) gadgets with two configurations
(like g_multi), if the second configuration fails, the first one will not get
removed, so the memory will still leak, no?
Signed-off-by: yongsul96.oh@xxxxxxxxxxx <yongsul96.oh@xxxxxxxxxxx>
---
drivers/usb/gadget/composite.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index baaebf2..4cb1801 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -737,6 +737,19 @@ int usb_add_config(struct usb_composite_dev *cdev,
status = bind(config);
if (status < 0) {
+ while (!list_empty(&config->functions)) {
+ struct usb_function *f;
+
+ f = list_first_entry(&config->functions,
+ struct usb_function, list);
+ list_del(&f->list);
+ if (f->unbind) {
+ DBG(cdev, "unbind function '%s'/%p\n",
+ f->name, f);
+ f->unbind(config, f);
+ /* may free memory for "f" */
+ }
+ }
list_del(&config->list);
config->cdev = NULL;
} else {
--
Best regards, _ _
.o. | Liege of Serenely Enlightened Majesty of o' \,=./ `o
..o | Computer Science, Michał “mina86” Nazarewicz (o o)
ooo +----<email/xmpp: mpn@xxxxxxxxxx>--------------ooO--(_)--Ooo--
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
