From: Al Viro <v...@zeniv.linux.org.uk>
If ffs_epfile_io() fails in AIO case, we end up leaking io_data
(and iovec_copy in case of AIO read).
Signed-off-by: Al Viro <v...@zeniv.linux.org.uk>
---
drivers/usb/gadget/function/f_fs.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_fs.c
b/drivers/usb/gadget/function/f_fs.c
index 63314ed..0c120ad 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -962,6 +962,7 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
unsigned long nr_segs, loff_t loff)
{
struct ffs_io_data *io_data;
+ ssize_t res;
ENTER();
@@ -981,7 +982,10 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
- return ffs_epfile_io(kiocb->ki_filp, io_data);
+ res = ffs_epfile_io(kiocb->ki_filp, io_data);
+ if (res != -EIOCBQUEUED)
+ kfree(io_data);
+ return res;
}
static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
@@ -990,6 +994,7 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
{
struct ffs_io_data *io_data;
struct iovec *iovec_copy;
+ ssize_t res;
ENTER();
@@ -1017,7 +1022,12 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
- return ffs_epfile_io(kiocb->ki_filp, io_data);
+ res = ffs_epfile_io(kiocb->ki_filp, io_data);
+ if (res != -EIOCBQUEUED) {
+ kfree(io_data);
+ kfree(iovec_copy);
+ }
+ return res;
}
static int
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
