Hi Michał,
I'm looking at the life time of descriptors in each gadget and now I got to
f_fs which brings me to this chunk:
|static ssize_t ffs_ep0_write(struct file *file, const char __user *buf,
| size_t len, loff_t *ptr)
|{
…
| switch (ffs->state) {
| case FFS_READ_DESCRIPTORS:
| case FFS_READ_STRINGS:
| /* Copy data */
| if (unlikely(len < 16)) {
| ret = -EINVAL;
| break;
| }
|
| data = ffs_prepare_buffer(buf, len);
data contians the a new allocated buffer with data from userland
| if (IS_ERR(data)) {
| ret = PTR_ERR(data);
| break;
| }
…
| if (ffs->state == FFS_READ_DESCRIPTORS) {
| pr_info("read descriptors\n");
| ret = __ffs_data_got_descs(ffs, data, len);
sets up descriptors and sets f->descriptors and f->hs_descriptors for composite
| if (unlikely(ret < 0))
| break;
|
| ffs->state = FFS_READ_STRINGS;
| ret = len;
| } else {
| pr_info("read strings\n");
| ret = __ffs_data_got_strings(ffs, data, len);
the same thing for strings
| if (unlikely(ret < 0))
| break;
…
| return len;
| }
| break;
…
| default:
| ret = -EBADFD;
| break;
| }
|
| mutex_unlock(&ffs->mutex);
| return ret;
AAAAAAAAAAAaaaaand we are gone
| }
Based on this I'm sure that data is leaked on the error path (on return from
__ffs_data_got_descs() / __ffs_data_got_strings()) because I don't see any
kfree() like I do in the FFS_ACTIVE case.
Let's assume everything goes as planned. When are the descriptors which are
set to f->descriptors f->hs_descriptors kfree()d?
Sebastian
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
