On Tue, Feb 24, 2015 at 2:00 AM, Christoph Hellwig <hch@xxxxxx> wrote: > From: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > > AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if > we are going to access it asynchronously, we'd better get ourselves > a copy - the one on kernel stack of aio_run_iocb() won't be there > anymore. function/f_fs.c take care of doing that, legacy/inode.c > doesn't... > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > --- > drivers/usb/gadget/legacy/inode.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > > diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c > index db49ec4..9fbbaa0 100644 > --- a/drivers/usb/gadget/legacy/inode.c > +++ b/drivers/usb/gadget/legacy/inode.c > @@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct kiocb_priv *priv) > if (total == 0) > break; > } > - > return len; > } > > @@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct work_struct *work) > aio_complete(iocb, ret, ret); > > kfree(priv->buf); > + kfree(priv->iv); > kfree(priv); > } > > @@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) > */ > if (priv->iv == NULL || unlikely(req->actual == 0)) { > kfree(req->buf); > + kfree(priv->iv); > kfree(priv); > iocb->private = NULL; > /* aio_complete() reports bytes-transferred _and_ faults */ > @@ -640,7 +641,7 @@ ep_aio_rwtail( > struct usb_request *req; > ssize_t value; > > - priv = kmalloc(sizeof *priv, GFP_KERNEL); > + priv = kzalloc(sizeof *priv, GFP_KERNEL); > if (!priv) { > value = -ENOMEM; > fail: > @@ -649,7 +650,14 @@ fail: > } > iocb->private = priv; > priv->iocb = iocb; > - priv->iv = iv; > + if (iv) { > + priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec), > + GFP_KERNEL); > + if (!priv->iv) { > + kfree(priv); > + goto fail; > + } > + } It should be simpler and more efficient to allocate 'iv' piggyback inside 'priv'. > priv->nr_segs = nr_segs; > INIT_WORK(&priv->work, ep_user_copy_worker); > > @@ -689,6 +697,7 @@ fail: > mutex_unlock(&epdata->lock); > > if (unlikely(value)) { > + kfree(priv->iv); > kfree(priv); > put_ep(epdata); > } else > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html Thanks, Ming Lei -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html