usbnet: fix memory leak in error case

stable inclusion from stable-v5.10.130 commit 0085da9df3dced730027923a6b48f58e9016af91 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YRJO Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0085da9df3dced730027923a6b48f58e9016af91 -------------------------------- commit b55a21b7 upstream. usbnet_write_cmd_async() mixed up which buffers need to be freed in which error case. v2: add Fixes tag v3: fix uninitialized buf pointer Fixes: 877bd862 ("usbnet: introduce usbnet 3 command helpers") Signed-off-by: N Oliver Neukum <oneukum@suse.com> Link: https://lore.kernel.org/r/20220705125351.17309-1-oneukum@suse.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

usbnet: fix memory leak in error case
stable inclusion from stable-v5.10.130 commit 0085da9df3dced730027923a6b48f58e9016af91 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5YRJO Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0085da9df3dced730027923a6b48f58e9016af91 -------------------------------- commit b55a21b7 upstream. usbnet_write_cmd_async() mixed up which buffers need to be freed in which error case. v2: add Fixes tag v3: fix uninitialized buf pointer Fixes: 877bd862 ("usbnet: introduce usbnet 3 command helpers") Signed-off-by: N Oliver Neukum <oneukum@suse.com> Link: https://lore.kernel.org/r/20220705125351.17309-1-oneukum@suse.comSigned-off-by: N Jakub Kicinski <kuba@kernel.org> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
e91c7191 · Oliver Neukum · Zheng Zengkai · 26afbe0f · e91c7191
隐藏空白更改
内联并排

Showing with 12 addition and 5 deletion

drivers/net/usb/usbnet.c drivers/net/usb/usbnet.c +12 -5

未找到文件。
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -2102,7 +2102,7 @@ static void usbnet_async_cmd_cb(struct urb *urb)
 int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype,
 			   u16 value, u16 index, const void *data, u16 size)
 {
-	struct usb_ctrlrequest *req = NULL;
+	struct usb_ctrlrequest *req;
 	struct urb *urb;
 	int err = -ENOMEM;
 	void *buf = NULL;
@@ -2120,7 +2120,7 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype,
 		if (!buf) {
 			netdev_err(dev->net, "Error allocating buffer"
 				   " in %s!\n", __func__);
-			goto fail_free;
+			goto fail_free_urb;
 		}
 	}

@@ -2144,14 +2144,21 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype,
 	if (err < 0) {
 		netdev_err(dev->net, "Error submitting the control"
 			   " message: status=%d\n", err);
-		goto fail_free;
+		goto fail_free_all;
 	}
 	return 0;

+fail_free_all:
+	kfree(req);
 fail_free_buf:
 	kfree(buf);
-fail_free:
-	kfree(req);
+	/*
+	 * avoid a double free
+	 * needed because the flag can be set only
+	 * after filling the URB
+	 */
+	urb->transfer_flags = 0;
+fail_free_urb:
 	usb_free_urb(urb);
 fail:
 	return err;