From mboxrd@z Thu Jan  1 00:00:00 1970
From: Christoph Hellwig <hch@lst.de>
Subject: [PATCH 03/12] gadget/function/f_fs.c: close leaks
Date: Mon, 23 Feb 2015 10:00:27 -0800
Message-ID: <1424714436-19371-4-git-send-email-hch@lst.de>
References: <1424714436-19371-1-git-send-email-hch@lst.de>
Cc: Maxim Patlasov <MPatlasov@parallels.com>,
	Robert Baldyga <r.baldyga@samsung.com>,
	Michal Nazarewicz <mina86@mina86.com>,
	Felipe Balbi <balbi@ti.com>, linux-aio@kvack.org,
	linux-fsdevel@vger.kernel.org
To: Al Viro <viro@zeniv.linux.org.uk>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from bombadil.infradead.org ([198.137.202.9]:54193 "EHLO
	bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752333AbbBWSCm (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Mon, 23 Feb 2015 13:02:42 -0500
In-Reply-To: <1424714436-19371-1-git-send-email-hch@lst.de>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

From: Al Viro <viro@zeniv.linux.org.uk>

If ffs_epfile_io() fails in AIO case, we end up leaking io_data
(and iovec_copy in case of AIO read).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
 drivers/usb/gadget/function/f_fs.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
index af98b09..3ab34a2 100644
--- a/drivers/usb/gadget/function/f_fs.c
+++ b/drivers/usb/gadget/function/f_fs.c
@@ -970,6 +970,7 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
 				    unsigned long nr_segs, loff_t loff)
 {
 	struct ffs_io_data *io_data;
+	ssize_t res;
 
 	ENTER();
 
@@ -989,7 +990,10 @@ static ssize_t ffs_epfile_aio_write(struct kiocb *kiocb,
 
 	kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
 
-	return ffs_epfile_io(kiocb->ki_filp, io_data);
+	res = ffs_epfile_io(kiocb->ki_filp, io_data);
+	if (res != -EIOCBQUEUED)
+		kfree(io_data);
+	return res;
 }
 
 static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
@@ -998,6 +1002,7 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
 {
 	struct ffs_io_data *io_data;
 	struct iovec *iovec_copy;
+	ssize_t res;
 
 	ENTER();
 
@@ -1025,7 +1030,12 @@ static ssize_t ffs_epfile_aio_read(struct kiocb *kiocb,
 
 	kiocb_set_cancel_fn(kiocb, ffs_aio_cancel);
 
-	return ffs_epfile_io(kiocb->ki_filp, io_data);
+	res = ffs_epfile_io(kiocb->ki_filp, io_data);
+	if (res != -EIOCBQUEUED) {
+		kfree(io_data);
+		kfree(iovec_copy);
+	}
+	return res;
 }
 
 static int
-- 
1.9.1