From: AntonMoryakov <ant.v.morya...@gmail.com>
Static analyzer detected a potential memory leak in _ehci_submit_int_msg()
when backbuffer returned from _ehci_poll_int_queue does not match
the original buffer. In this case, the allocated interrupt queue
was not destroyed before returning, leading to a memory leak.
Correction:
Ensure int_queue is properly destroyed when receiving wrong buffer
by adding error handling path. Fixes memory leak that occurred
when backbuffer validation failed.
Signed-off-by: Anton Moryakov <ant.v.morya...@gmail.com>
---
drivers/usb/host/ehci-hcd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 7d5519c65a9..75cd0ec71ed 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -1556,7 +1556,8 @@ static int _ehci_submit_int_msg(struct usb_device *dev,
unsigned long pipe,
if (backbuffer != buffer) {
debug("got wrong buffer back (%p instead of %p)\n",
backbuffer, buffer);
- return -EINVAL;
+ result = -EINVAL;
+ goto err;
}
ret = _ehci_destroy_int_queue(dev, queue);
@@ -1565,6 +1566,10 @@ static int _ehci_submit_int_msg(struct usb_device *dev,
unsigned long pipe,
/* everything worked out fine */
return result;
+
+err:
+ _ehci_destroy_int_queue(dev, queue);
+ return result;
}
static int _ehci_lock_async(struct ehci_ctrl *ctrl, int lock)
--
2.34.1
