On Tue, Feb 24, 2015 at 2:00 AM, Christoph Hellwig <hch@xxxxxx> wrote:
> From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
>
> AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
> we are going to access it asynchronously, we'd better get ourselves
> a copy - the one on kernel stack of aio_run_iocb() won't be there
> anymore. function/f_fs.c take care of doing that, legacy/inode.c
> doesn't...
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/legacy/inode.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
> index db49ec4..9fbbaa0 100644
> --- a/drivers/usb/gadget/legacy/inode.c
> +++ b/drivers/usb/gadget/legacy/inode.c
> @@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct kiocb_priv *priv)
> if (total == 0)
> break;
> }
> -
> return len;
> }
>
> @@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct work_struct *work)
> aio_complete(iocb, ret, ret);
>
> kfree(priv->buf);
> + kfree(priv->iv);
> kfree(priv);
> }
>
> @@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
> */
> if (priv->iv == NULL || unlikely(req->actual == 0)) {
> kfree(req->buf);
> + kfree(priv->iv);
> kfree(priv);
> iocb->private = NULL;
> /* aio_complete() reports bytes-transferred _and_ faults */
> @@ -640,7 +641,7 @@ ep_aio_rwtail(
> struct usb_request *req;
> ssize_t value;
>
> - priv = kmalloc(sizeof *priv, GFP_KERNEL);
> + priv = kzalloc(sizeof *priv, GFP_KERNEL);
> if (!priv) {
> value = -ENOMEM;
> fail:
> @@ -649,7 +650,14 @@ fail:
> }
> iocb->private = priv;
> priv->iocb = iocb;
> - priv->iv = iv;
> + if (iv) {
> + priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
> + GFP_KERNEL);
> + if (!priv->iv) {
> + kfree(priv);
> + goto fail;
> + }
> + }
It should be simpler and more efficient to allocate 'iv' piggyback
inside 'priv'.
> priv->nr_segs = nr_segs;
> INIT_WORK(&priv->work, ep_user_copy_worker);
>
> @@ -689,6 +697,7 @@ fail:
> mutex_unlock(&epdata->lock);
>
> if (unlikely(value)) {
> + kfree(priv->iv);
> kfree(priv);
> put_ep(epdata);
> } else
> --
> 1.9.1
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
Thanks,
Ming Lei
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html