From d13d6d68938959fcffaa7dafec0f442021573fe2 Mon Sep 17 00:00:00 2001
From: Utkarsh Saxena
Date: Mon, 3 Apr 2017 13:21:58 +0530
Subject: [PATCH] msm: ipa: Fix memory leak in ipa driver

Free the memory pointed by msg pointer if copy_to_user fails.

Change-Id: I628e089d844a3e1818a1a550e77ac10f33640ac9
Acked-by: Mohammed Javid
Signed-off-by: Utkarsh Saxena
---
 drivers/platform/msm/ipa/ipa_v2/ipa_intf.c | 4 ++++
 drivers/platform/msm/ipa/ipa_v3/ipa_intf.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c b/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
index f8f8fd12161a..5c07bc7d43b5 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_intf.c
@@ -562,6 +562,8 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
 mutex_unlock(&ipa_ctx->msg_lock);
 if (copy_to_user(buf, &msg->meta,
 sizeof(struct ipa_msg_meta))) {
+ kfree(msg);
+ msg = NULL;
 ret = -EFAULT;
 break;
 }
@@ -570,6 +572,8 @@ ssize_t ipa_read(struct file *filp, char __user *buf, size_t count,
 if (msg->buff) {
 if (copy_to_user(buf, msg->buff,
 msg->meta.msg_len)) {
+ kfree(msg);
+ msg = NULL;
 ret = -EFAULT;
 break;
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c b/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
index b687b711dc20..16a567644f79 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_intf.c
@@ -572,6 +572,8 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
 if (copy_to_user(buf, &msg->meta,
 sizeof(struct ipa_msg_meta))) {
 ret = -EFAULT;
+ kfree(msg);
+ msg = NULL;
 break;
 }
 buf += sizeof(struct ipa_msg_meta);
@@ -580,6 +582,8 @@ ssize_t ipa3_read(struct file *filp, char __user *buf, size_t count,
 if (copy_to_user(buf, msg->buff,
 msg->meta.msg_len)) {
 ret = -EFAULT;
+ kfree(msg);
+ msg = NULL;
 break;
 }
 buf += msg->meta.msg_len;
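Review bot: The new `kfree(msg)` in the first ipa_read hunk (the failed copy of `msg->meta`) releases only the message struct, while `msg->buff` is a separate pointer that the next hunk copies from and that nothing visible here releases. If the message owns that buffer, it is still leaked on this path, and the same holds for the other three error branches this patch touches (the `msg->buff` copy in ipa_read and both branches in ipa3_read). The buffer should be released before `kfree(msg)` by the same means the success path uses; that code lies outside the hunks, so the exact call has to be confirmed there. The loop body of ipa_read starts and ends outside this hunk.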
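Review bot: The `copy_to_user(buf, msg->buff, msg->meta.msg_len)` call in the second ipa_read hunk writes `msg->meta.msg_len` bytes, and no comparison of that length with the caller's remaining `count` is visible in either ipa_read hunk. If the function does not bound it earlier, a message longer than the buffer the caller passed to read() is written past the end of that buffer; a guard such as `if (msg->meta.msg_len > count)` ahead of the copy, taking the same cleanup path, would close that. The same applies to the matching copy in ipa3_read. The enclosing `if (msg->buff)` block continues past the end of the hunk.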
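Review bot: The cleanup order in the first ipa3_read hunk (`ret = -EFAULT;` then `kfree(msg); msg = NULL;`) is the reverse of the order this patch uses in ipa_read, and the same sequence now appears four times across the two files. Using one order everywhere, e.g. `kfree(msg);` `msg = NULL;` `ret = -EFAULT;`, keeps the two drivers easy to compare and to patch together. A short comment on why the pointer is cleared would also help, for instance `/* msg is freed; clear it so code after the loop cannot reuse it */`, assuming that is the intent, since the code after the `break` is not in the hunk.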