In some USB composite gadget drivers, the configuration's bind function
called by the usb_add_config() calls multiple bind config functions.
(for example cdc2 configuration bind function in the cdc_do_config()
of the cdc2.c has two functionality bind config functions.
- the ecm_bind_config() & the acm_bind_config())
In each functionality bind config function, new instance is allocated and
finally added by the usb_add_function().
So if an error occurred during the second functionality bind config
(for example an error occurred at the acm_bind_config() after succeeding of
the ecm_bind_function()), the instance created by the acm_bind_config()
cannot be freed creating a memory leak.
This patch fixes this issue.
Signed-off-by: Yongsul Oh <yongsul96.oh@xxxxxxxxxxx>
---
drivers/usb/gadget/composite.c | 13 +++++++++++++
1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index baaebf2..4cb1801 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -737,6 +737,19 @@ int usb_add_config(struct usb_composite_dev *cdev,
status = bind(config);
if (status < 0) {
+ while (!list_empty(&config->functions)) {
+ struct usb_function *f;
+
+ f = list_first_entry(&config->functions,
+ struct usb_function, list);
+ list_del(&f->list);
+ if (f->unbind) {
+ DBG(cdev, "unbind function '%s'/%p\n",
+ f->name, f);
+ f->unbind(config, f);
+ /* may free memory for "f" */
+ }
+ }
list_del(&config->list);
config->cdev = NULL;
} else {