Hi Michał,

I'm looking at the lifetime of descriptors in each gadget and now I got to
f_fs, which brings me to this chunk:

|static ssize_t ffs_ep0_write(struct file *file, const char __user *buf,
|			     size_t len, loff_t *ptr)
|{
…
|	switch (ffs->state) {
|	case FFS_READ_DESCRIPTORS:
|	case FFS_READ_STRINGS:
|		/* Copy data */
|		if (unlikely(len < 16)) {
|			ret = -EINVAL;
|			break;
|		}
|
|		data = ffs_prepare_buffer(buf, len);

data contains a newly allocated buffer with data from userland

|		if (IS_ERR(data)) {
|			ret = PTR_ERR(data);
|			break;
|		}
…
|		if (ffs->state == FFS_READ_DESCRIPTORS) {
|			pr_info("read descriptors\n");
|			ret = __ffs_data_got_descs(ffs, data, len);

sets up descriptors and sets f->descriptors and f->hs_descriptors for
composite

|			if (unlikely(ret < 0))
|				break;
|
|			ffs->state = FFS_READ_STRINGS;
|			ret = len;
|		} else {
|			pr_info("read strings\n");
|			ret = __ffs_data_got_strings(ffs, data, len);

the same thing for strings

|			if (unlikely(ret < 0))
|				break;
…
|			return len;
|		}
|		break;
…
|	default:
|		ret = -EBADFD;
|		break;
|	}
|
|	mutex_unlock(&ffs->mutex);
|	return ret;

AAAAAAAAAAAaaaaand we are gone

|}

Based on this I'm sure that data is leaked on the error path (on return from
__ffs_data_got_descs() / __ffs_data_got_strings()) because I don't see any
kfree() like I do in the FFS_ACTIVE case.

Let's assume everything goes as planned. When are the descriptors which are
set to f->descriptors and f->hs_descriptors kfree()d?

Sebastian
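
The error path discussed in the message above, as an added userspace model (not kernel code and not part of the original e-mail). All `model_*` names are hypothetical, and the ownership rule (the parser keeps the buffer on success and leaves it with the caller on failure) and the rejection rule are assumptions of the model:

```c
#include <errno.h>
#include <string.h>

/* Userspace model (hypothetical names). A small static pool stands in for the
 * kernel allocator; live_bufs counts buffers handed out and not yet released. */
static unsigned char pool[4][64];
static int next_slot, live_bufs;
struct model_ffs { void *raw_descs; };

static void *model_prepare_buffer(const void *buf, size_t len)
{
	if (len > sizeof(pool[0]) || next_slot == 4)
		return NULL;
	live_bufs++;
	return memcpy(pool[next_slot++], buf, len);
}

static void model_free(void *data)
{
	if (data)
		live_bufs--;
}

/* Assumption: keeps `data` on success, leaves it with the caller on failure.
 * Constructed rejection rule: a buffer whose first byte is 0 is invalid. */
static int model_got_descs(struct model_ffs *ffs, void *data)
{
	if (*(unsigned char *)data == 0)
		return -EINVAL;
	ffs->raw_descs = data;
	return 0;
}

/* free_on_error = 0 follows the quoted flow; 1 releases the buffer on failure. */
static long model_ep0_write(struct model_ffs *ffs, const void *buf,
			    size_t len, int free_on_error)
{
	void *data;
	int ret;

	if (len < 16)
		return -EINVAL;
	data = model_prepare_buffer(buf, len);
	if (!data)
		return -ENOMEM;
	ret = model_got_descs(ffs, data);
	if (ret < 0 && free_on_error)
		model_free(data);
	return ret < 0 ? ret : (long)len;
}
```

With `free_on_error` set to 0, every rejected write leaves `live_bufs` one higher, which is the kind of growth a leak detector such as kmemleak would report for the real path.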