Boards with low memory (CONFIG_SYS_MALLOC_LEN=0x81000) can be crashed using the
=> ums command twice in a row:

=> ums 0 mmc 2
UMS: LUN 0, dev mmc 2, hwpart 0, sector 0x0, count 0x3a3e000
|crq->brequest:0x0
CTRL+C - Operation aborted
=> ums 0 mmc 2
UMS: LUN 0, dev mmc 2, hwpart 0, sector 0x0, count 0x3a3e000
"Synchronous Abort" handler, esr 0x96000004, far 0xfffffffff2ea20f0
elr: 000000000102ea78 lr : 000000000105e028 (reloc)
elr: 00000000f2f33a78 lr : 00000000f2f63028
x0 : 0000000100000000 x1 : 0000000100000000
x2 : 0000000000000000 x3 : fffffffff2ea20e0
x4 : 00000000f2fc9720 x5 : 00000000f2ea20e0
x6 : 00000000f2fc9730 x7 : 00000000f2ee4780
x8 : 000000000000003f x9 : 0000000000000004
x10: 0000000000000058 x11: 00000000000058c4
x12: 0000000000000000 x13: 00000000f2e60800
x14: 00000000f4ec0040 x15: 0000000000000000
x16: 00000000f2f62f2c x17: 0000000000c0c0c0
x18: 00000000f2e73e00 x19: 00000000f2ea2010
x20: 00000000fffffff4 x21: 00000000f2e9b500
x22: 00000000f2ea20f0 x23: 00000000f2ea2050
x24: 00000000f2f61eec x25: 00000000f2fcf000
x26: 00000000f2e9fcd0 x27: 0000000000000000
x28: 0000000000000000 x29: 00000000f2e60290

Code: d00004a6 911cc0c6 cb000063 8b000021 (f9400860)
Resetting CPU ...

This happens when fsg_common_init() fails to allocate memory and calls
fsg_common_release(). fsg_common_release() then calls kfree() which frees
common->luns. However, common->luns was never allocated via kmalloc/calloc(),
resulting in a crash.

Drop the invalid kfree. The memory from common->luns will be reclaimed when
we kfree(common) later in fsg_common_release().

Reported-by: Zixun LI <ad...@hifiphile.com>
Signed-off-by: Mattijs Korpershoek <mkorpersh...@baylibre.com>
---
 drivers/usb/gadget/f_mass_storage.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
index bd749c033f9a..6f464185bd39 100644
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -2564,8 +2564,6 @@ static void fsg_common_release(struct fsg_common *common) /* In error recovery common->nluns may be zero. */ for (; i; --i, ++lun) fsg_lun_close(lun); - - kfree(common->luns); } { -- 2.49.0
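Review bot: With kfree(common->luns) removed, nothing next to the close loop records why the array needs no free of its own, and the only remaining comment ("In error recovery common->nluns may be zero.") talks about the loop, not the lifetime of luns. Since the commit message states that common->luns is reclaimed by the later kfree(common), consider extending that comment, e.g. `/* In error recovery common->nluns may be zero. luns is part of *common and is freed with it. */`, so the separate kfree is not reintroduced by a later cleanup. The diff also loses the blank line before the closing `}`; check the surrounding style keeps a blank line there.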
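The recovery path described in the commit message, as an added example that is not U-Boot code: a hypothetical struct (standing in for struct fsg_common) with the LUN array embedded in it, so that c->luns is a pointer into the middle of the allocation holding *c; an init routine whose second allocation fails, as on the low-memory board, and which then calls its release routine; and a small tracking allocator (a stand-in for kmalloc/kfree, named track_calloc/track_free here) that remembers every pointer it returns and counts a free of a pointer it never handed out instead of faulting the way the real kfree() does in the log above. The release routine is called once with the removed kfree(common->luns) in place and once without it. All names, sizes and the 4096-byte buffer are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LUNS 4      /* hypothetical stand-in for FSG_MAX_LUNS */
#define MAX_LIVE 16

struct lun { int open; };

/* Hypothetical model of struct fsg_common: luns[] is embedded in the struct,
 * so c->luns points into the middle of the allocation that holds *c. */
struct common {
	unsigned nluns;
	struct lun luns[MAX_LUNS];
	char *buf;                  /* separately allocated; this is the one that fails */
};

/* Tracking allocator standing in for kmalloc/kfree: remembers every pointer
 * it returns and counts frees of pointers it never handed out, instead of
 * corrupting the heap or faulting as the real free would. */
static void *live[MAX_LIVE];
static int alloc_calls, fail_call, bad_frees;   /* fail_call == n: n-th allocation fails */

static void *track_calloc(size_t n, size_t sz)
{
	if (++alloc_calls == fail_call)
		return NULL;            /* simulated out-of-memory (low CONFIG_SYS_MALLOC_LEN) */
	void *p = calloc(n, sz);
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = p; return p; }
	free(p);
	return NULL;
}

static void track_free(void *p)
{
	for (int i = 0; p && i < MAX_LIVE; i++)
		if (live[i] == p) { live[i] = NULL; free(p); return; }
	if (p)
		bad_frees++;            /* interior or foreign pointer: the real kfree() crashes here */
}

static int live_count(void)
{
	int n = 0;
	for (int i = 0; i < MAX_LIVE; i++)
		n += live[i] != NULL;
	return n;
}

/* Release routine; free_luns selects the 'before' (1) or 'after' (0) behaviour. */
static void common_release(struct common *c, int free_luns)
{
	struct lun *l = c->luns;
	unsigned i = c->nluns;
	for (; i; --i, ++l)         /* in error recovery nluns may be zero */
		l->open = 0;
	if (free_luns)
		track_free(c->luns);    /* BUG: luns[] was never allocated on its own */
	track_free(c->buf);
	track_free(c);              /* reclaims luns[] together with *c */
}

/* Init: allocate *c, open nluns LUNs, then allocate the buffer; on failure
 * undo everything through the release routine and return NULL. */
static struct common *common_init(unsigned nluns, int free_luns)
{
	struct common *c = track_calloc(1, sizeof(*c));
	if (!c)
		return NULL;
	for (unsigned i = 0; i < nluns && i < MAX_LUNS; i++, c->nluns++)
		c->luns[i].open = 1;
	c->buf = track_calloc(1, 4096);
	if (!c->buf) {
		common_release(c, free_luns);
		return NULL;
	}
	return c;
}

/* Fail the second allocation (the buffer) and report how many invalid frees the
 * recovery path performed; -1 if init unexpectedly succeeded or anything leaked. */
static int invalid_frees_on_failed_init(int free_luns)
{
	alloc_calls = 0; fail_call = 2; bad_frees = 0;
	struct common *c = common_init(2, free_luns);
	if (c || live_count() != 0)
		return -1;
	return bad_frees;
}

int main(void)
{
	printf("with kfree(common->luns): %d invalid free(s)\n", invalid_frees_on_failed_init(1));
	printf("without:                  %d invalid free(s)\n", invalid_frees_on_failed_init(0));
	return 0;
}
```

The tracking allocator is the same check a debug allocator or ASan performs on every free: the pointer must be one that the allocator itself returned. With the kfree in place the recovery path frees an interior pointer once and no memory leaks either way, which is the commit's point that kfree(common) already covers luns.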