From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Oliver Neukum <oliver@neukum.org>
Subject: [patch 07/37] USB: fix memleak in usbfs
Date: Tue, 28 Jul 2009 15:58:35 -0700 [thread overview]
Message-ID: <20090728225941.990136151@mini.kroah.org> (raw)
In-Reply-To: <20090728230145.GA10486@kroah.com>
[-- Attachment #1: usb-fix-memleak-in-usbfs.patch --]
[-- Type: text/plain, Size: 1794 bytes --]
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Oliver Neukum <oliver@neukum.org>
commit d794a02111cd3393da69bc7d6dd2b6074bd037cc upstream.
This patch fixes a memory leak in devio.c::processcompl
If writing to user space fails the packet must be discarded, as it
already has been removed from the queue of completed packets.
Signed-off-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/core/devio.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1228,22 +1228,22 @@ static int processcompl(struct async *as
if (as->userbuffer)
if (copy_to_user(as->userbuffer, urb->transfer_buffer,
urb->transfer_buffer_length))
- return -EFAULT;
+ goto err_out;
if (put_user(as->status, &userurb->status))
- return -EFAULT;
+ goto err_out;
if (put_user(urb->actual_length, &userurb->actual_length))
- return -EFAULT;
+ goto err_out;
if (put_user(urb->error_count, &userurb->error_count))
- return -EFAULT;
+ goto err_out;
if (usb_endpoint_xfer_isoc(&urb->ep->desc)) {
for (i = 0; i < urb->number_of_packets; i++) {
if (put_user(urb->iso_frame_desc[i].actual_length,
&userurb->iso_frame_desc[i].actual_length))
- return -EFAULT;
+ goto err_out;
if (put_user(urb->iso_frame_desc[i].status,
&userurb->iso_frame_desc[i].status))
- return -EFAULT;
+ goto err_out;
}
}
@@ -1252,6 +1252,10 @@ static int processcompl(struct async *as
if (put_user(addr, (void __user * __user *)arg))
return -EFAULT;
return 0;
+
+err_out:
+ free_async(as);
+ return -EFAULT;
}
static struct async *reap_as(struct dev_state *ps)
next prev parent reply other threads:[~2009-07-28 23:09 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20090728225828.431071451@mini.kroah.org>
2009-07-28 23:01 ` [patch 00/37] 2.6.27.29-stable review Greg KH
2009-07-28 22:58 ` [patch 01/37] fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b Greg KH
2009-07-28 22:58 ` [patch 02/37] gigaset: accept connection establishment messages in any order Greg KH
2009-07-28 22:58 ` [patch 03/37] SCSI: zalon: fix oops on attach failure Greg KH
2009-07-28 22:58 ` [patch 04/37] sound: usb-audio: add workaround for Blue Microphones devices Greg KH
2009-07-28 22:58 ` [patch 05/37] sound: virtuoso: fix Xonar D1/DX silence after resume Greg KH
2009-07-28 22:58 ` [patch 06/37] USB: EHCI: report actual_length for iso transfers Greg KH
2009-07-28 22:58 ` Greg KH [this message]
2009-07-28 22:58 ` [patch 08/37] USB: fix uninitialised variable in ti_do_download Greg KH
2009-07-28 22:58 ` [patch 09/37] USB: handle zero-length usbfs submissions correctly Greg KH
2009-07-28 22:58 ` [patch 10/37] USB: RNDIS gadget, fix issues talking from PXA Greg KH
2009-07-28 22:58 ` [patch 11/37] USB: ti_usb_3410_5052: fix duplicate device ids Greg KH
2009-07-28 22:58 ` [patch 12/37] ALSA: ca0106 - Fix the max capture buffer size Greg KH
2009-07-28 22:58 ` [patch 13/37] ALSA: hda - Fix mute control with some ALC262 models Greg KH
2009-07-28 22:58 ` [patch 14/37] HID: hiddev, fix lock imbalance Greg KH
2009-07-28 22:58 ` [patch 15/37] elf: fix one check-after-use Greg KH
2009-07-28 22:58 ` [patch 16/37] hwmon: (max6650) Fix lock imbalance Greg KH
2009-07-28 22:58 ` [patch 17/37] md: avoid dereferencing NULL pointer when accessing suspend_* sysfs attributes Greg KH
2009-07-28 22:58 ` [patch 18/37] mm: mark page accessed before we write_end() Greg KH
2009-07-28 22:58 ` [patch 19/37] x86-64: Fix bad_srat() to clear all state Greg KH
2009-07-28 22:58 ` [patch 20/37] x86: dont use access_ok() as a range check in get_user_pages_fast() Greg KH
2009-07-28 22:58 ` [patch 21/37] SUNRPC: Avoid an unnecessary task reschedule on ENOTCONN Greg KH
2009-07-28 22:58 ` [patch 22/37] SUNRPC: Ensure we set XPRT_CLOSING only after weve sent a tcp FIN Greg KH
2009-07-28 22:58 ` [patch 23/37] SUNRPC: Dont disconnect if a connection is still in progress Greg KH
2009-07-28 22:58 ` [patch 24/37] ACPI: EC: Limit workaround for ASUS notebooks even more Greg KH
2009-07-28 22:58 ` [patch 25/37] Enable PNPACPI _PSx Support, v3 Greg KH
2009-07-28 22:58 ` [patch 26/37] ACPI: suspend: dont let device _PS3 failure prevent suspend Greg KH
2009-07-28 22:58 ` [patch 27/37] Input: wistron_btns - recognize Maxdata Pro 7000 notebooks Greg KH
2009-07-28 22:58 ` [patch 28/37] eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406) Greg KH
2009-07-28 22:58 ` [patch 29/37] eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407) Greg KH
2009-07-28 22:58 ` [patch 30/37] ipsec: Fix name of CAST algorithm Greg KH
2009-07-28 22:58 ` [patch 31/37] pegasus usb-net: Fix endianness bugs Greg KH
2009-07-28 22:59 ` [patch 32/37] sky2: Fix checksum endianness Greg KH
2009-07-28 22:59 ` [patch 33/37] x25: Fix sleep from timer on socket destroy Greg KH
2009-07-28 22:59 ` [patch 34/37] usbnet cdc_subset: fix issues talking to PXA gadgets Greg KH
2009-07-28 22:59 ` [patch 35/37] r8169: avoid losing MSI interrupts Greg KH
2009-07-28 22:59 ` [patch 36/37] E100: work around the driver using streaming DMA mapping for RX descriptors Greg KH
2009-07-28 22:59 ` [patch 37/37] NET: Fix locking issues in PPP, 6pack, mkiss and strip line disciplines Greg KH
2009-07-28 23:39 ` [patch 00/37] 2.6.27.29-stable review Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090728225941.990136151@mini.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=oliver@neukum.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox