提交 d12a8727 编写于 作者: P Pavitrakumar Managutte 提交者: Felipe Balbi

usb: gadget: function: Remove redundant usb_free_all_descriptors

Removed usb_free_all_descriptors in the bind functions, which
results in double-free corruption of the descriptors on error path.
The usb descriptors are allocated by usb_assign_descriptors.
Signed-off-by: NPavitrakumar Managutte <pavitra1729@gmail.com>
Reviewed-by: NRobert Baldyga <r.baldyga@samsung.com>
Reviewed-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: NFelipe Balbi <balbi@ti.com>
上级 1200a82a
...@@ -325,7 +325,6 @@ static int eem_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -325,7 +325,6 @@ static int eem_bind(struct usb_configuration *c, struct usb_function *f)
return 0; return 0;
fail: fail:
usb_free_all_descriptors(f);
if (eem->port.out_ep) if (eem->port.out_ep)
eem->port.out_ep->driver_data = NULL; eem->port.out_ep->driver_data = NULL;
if (eem->port.in_ep) if (eem->port.in_ep)
......
...@@ -621,12 +621,14 @@ static int __init hidg_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -621,12 +621,14 @@ static int __init hidg_bind(struct usb_configuration *c, struct usb_function *f)
dev = MKDEV(major, hidg->minor); dev = MKDEV(major, hidg->minor);
status = cdev_add(&hidg->cdev, dev, 1); status = cdev_add(&hidg->cdev, dev, 1);
if (status) if (status)
goto fail; goto fail_free_descs;
device_create(hidg_class, NULL, dev, NULL, "%s%d", "hidg", hidg->minor); device_create(hidg_class, NULL, dev, NULL, "%s%d", "hidg", hidg->minor);
return 0; return 0;
fail_free_descs:
usb_free_all_descriptors(f);
fail: fail:
ERROR(f->config->cdev, "hidg_bind FAILED\n"); ERROR(f->config->cdev, "hidg_bind FAILED\n");
if (hidg->req != NULL) { if (hidg->req != NULL) {
...@@ -635,7 +637,6 @@ static int __init hidg_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -635,7 +637,6 @@ static int __init hidg_bind(struct usb_configuration *c, struct usb_function *f)
usb_ep_free_request(hidg->in_ep, hidg->req); usb_ep_free_request(hidg->in_ep, hidg->req);
} }
usb_free_all_descriptors(f);
return status; return status;
} }
......
...@@ -1461,7 +1461,6 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -1461,7 +1461,6 @@ static int ncm_bind(struct usb_configuration *c, struct usb_function *f)
return 0; return 0;
fail: fail:
usb_free_all_descriptors(f);
if (ncm->notify_req) { if (ncm->notify_req) {
kfree(ncm->notify_req->buf); kfree(ncm->notify_req->buf);
usb_ep_free_request(ncm->notify, ncm->notify_req); usb_ep_free_request(ncm->notify, ncm->notify_req);
......
...@@ -397,7 +397,6 @@ static int obex_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -397,7 +397,6 @@ static int obex_bind(struct usb_configuration *c, struct usb_function *f)
return 0; return 0;
fail: fail:
usb_free_all_descriptors(f);
/* we might as well release our claims on endpoints */ /* we might as well release our claims on endpoints */
if (obex->port.out) if (obex->port.out)
obex->port.out->driver_data = NULL; obex->port.out->driver_data = NULL;
......
...@@ -570,8 +570,8 @@ static int pn_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -570,8 +570,8 @@ static int pn_bind(struct usb_configuration *c, struct usb_function *f)
err_req: err_req:
for (i = 0; i < phonet_rxq_size && fp->out_reqv[i]; i++) for (i = 0; i < phonet_rxq_size && fp->out_reqv[i]; i++)
usb_ep_free_request(fp->out_ep, fp->out_reqv[i]); usb_ep_free_request(fp->out_ep, fp->out_reqv[i]);
err:
usb_free_all_descriptors(f); usb_free_all_descriptors(f);
err:
if (fp->out_ep) if (fp->out_ep)
fp->out_ep->driver_data = NULL; fp->out_ep->driver_data = NULL;
if (fp->in_ep) if (fp->in_ep)
......
...@@ -803,7 +803,7 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -803,7 +803,7 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f)
if (rndis->manufacturer && rndis->vendorID && if (rndis->manufacturer && rndis->vendorID &&
rndis_set_param_vendor(rndis->config, rndis->vendorID, rndis_set_param_vendor(rndis->config, rndis->vendorID,
rndis->manufacturer)) rndis->manufacturer))
goto fail; goto fail_free_descs;
/* NOTE: all that is done without knowing or caring about /* NOTE: all that is done without knowing or caring about
* the network link ... which is unavailable to this code * the network link ... which is unavailable to this code
...@@ -817,10 +817,11 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -817,10 +817,11 @@ rndis_bind(struct usb_configuration *c, struct usb_function *f)
rndis->notify->name); rndis->notify->name);
return 0; return 0;
fail_free_descs:
usb_free_all_descriptors(f);
fail: fail:
kfree(f->os_desc_table); kfree(f->os_desc_table);
f->os_desc_n = 0; f->os_desc_n = 0;
usb_free_all_descriptors(f);
if (rndis->notify_req) { if (rndis->notify_req) {
kfree(rndis->notify_req->buf); kfree(rndis->notify_req->buf);
......
...@@ -380,7 +380,6 @@ geth_bind(struct usb_configuration *c, struct usb_function *f) ...@@ -380,7 +380,6 @@ geth_bind(struct usb_configuration *c, struct usb_function *f)
return 0; return 0;
fail: fail:
usb_free_all_descriptors(f);
/* we might as well release our claims on endpoints */ /* we might as well release our claims on endpoints */
if (geth->port.out_ep) if (geth->port.out_ep)
geth->port.out_ep->driver_data = NULL; geth->port.out_ep->driver_data = NULL;
......
...@@ -1084,7 +1084,7 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) ...@@ -1084,7 +1084,7 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
prm->rbuf = kzalloc(prm->max_psize * USB_XFERS, GFP_KERNEL); prm->rbuf = kzalloc(prm->max_psize * USB_XFERS, GFP_KERNEL);
if (!prm->rbuf) { if (!prm->rbuf) {
prm->max_psize = 0; prm->max_psize = 0;
goto err; goto err_free_descs;
} }
prm = &agdev->uac2.p_prm; prm = &agdev->uac2.p_prm;
...@@ -1092,17 +1092,19 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn) ...@@ -1092,17 +1092,19 @@ afunc_bind(struct usb_configuration *cfg, struct usb_function *fn)
prm->rbuf = kzalloc(prm->max_psize * USB_XFERS, GFP_KERNEL); prm->rbuf = kzalloc(prm->max_psize * USB_XFERS, GFP_KERNEL);
if (!prm->rbuf) { if (!prm->rbuf) {
prm->max_psize = 0; prm->max_psize = 0;
goto err; goto err_free_descs;
} }
ret = alsa_uac2_init(agdev); ret = alsa_uac2_init(agdev);
if (ret) if (ret)
goto err; goto err_free_descs;
return 0; return 0;
err_free_descs:
usb_free_all_descriptors(fn);
err: err:
kfree(agdev->uac2.p_prm.rbuf); kfree(agdev->uac2.p_prm.rbuf);
kfree(agdev->uac2.c_prm.rbuf); kfree(agdev->uac2.c_prm.rbuf);
usb_free_all_descriptors(fn);
if (agdev->in_ep) if (agdev->in_ep)
agdev->in_ep->driver_data = NULL; agdev->in_ep->driver_data = NULL;
if (agdev->out_ep) if (agdev->out_ep)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册