From de2080d41b5d584205e408d72021f0f335a046fc Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 31 Jan 2015 23:42:34 -0500 Subject: gadget/function/f_fs.c: close leaks If ffs_epfile_io() fails in AIO case, we end up leaking io_data (and iovec_copy in case of AIO read). Signed-off-by: Al Viro --- drivers/usb/gadget/function/f_fs.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index af98b096af2f..3ab34a2075df 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -970,6 +970,7 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb, unsigned long nr_segs, loff_t loff) { struct ffs_io_data *io_data; + ssize_t res; ENTER(); @@ -989,7 +990,10 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb, kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - return ffs_epfile_io(kiocb->ki_filp, io_data); + res = ffs_epfile_io(kiocb->ki_filp, io_data); + if (res != -EIOCBQUEUED) + kfree(io_data); + return res; } static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb, @@ -998,6 +1002,7 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb, { struct ffs_io_data *io_data; struct iovec *iovec_copy; + ssize_t res; ENTER(); @@ -1025,7 +1030,12 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb, kiocb_set_cancel_fn(kiocb, ffs_aio_cancel); - return ffs_epfile_io(kiocb->ki_filp, io_data); + res = ffs_epfile_io(kiocb->ki_filp, io_data); + if (res != -EIOCBQUEUED) { + kfree(io_data); + kfree(iovec_copy); + } + return res; } static int -- cgit v1.2.3-59-g8ed1b