usb: gadget: f_mass_storage: Drop invalid kfree() in fsg_common_release()
Boards with low memory (CONFIG_SYS_MALLOC_LEN=0x81000), can be crashed
using the => ums command twice in row:
=> ums 0 mmc 2
UMS: LUN 0, dev mmc 2, hwpart 0, sector 0x0, count 0x3a3e000
|crq->brequest:0x0
CTRL+C - Operation aborted
=> ums 0 mmc 2
UMS: LUN 0, dev mmc 2, hwpart 0, sector 0x0, count 0x3a3e000
"Synchronous Abort" handler, esr 0x96000004, far 0xfffffffff2ea20f0
elr:
000000000102ea78 lr :
000000000105e028 (reloc)
elr:
00000000f2f33a78 lr :
00000000f2f63028
x0 :
0000000100000000 x1 :
0000000100000000
x2 :
0000000000000000 x3 :
fffffffff2ea20e0
x4 :
00000000f2fc9720 x5 :
00000000f2ea20e0
x6 :
00000000f2fc9730 x7 :
00000000f2ee4780
x8 :
000000000000003f x9 :
0000000000000004
x10:
0000000000000058 x11:
00000000000058c4
x12:
0000000000000000 x13:
00000000f2e60800
x14:
00000000f4ec0040 x15:
0000000000000000
x16:
00000000f2f62f2c x17:
0000000000c0c0c0
x18:
00000000f2e73e00 x19:
00000000f2ea2010
x20:
00000000fffffff4 x21:
00000000f2e9b500
x22:
00000000f2ea20f0 x23:
00000000f2ea2050
x24:
00000000f2f61eec x25:
00000000f2fcf000
x26:
00000000f2e9fcd0 x27:
0000000000000000
x28:
0000000000000000 x29:
00000000f2e60290
Code:
d00004a6 911cc0c6 cb000063 8b000021 (
f9400860)
Resetting CPU ...
This happens when fsg_common_init() fails to allocate memory and calls
fsg_common_release().
fsg_common_release() then calls kfree() which frees common->luns.
However, common->luns was never allocated via kmalloc/calloc(),
resulting in a crash.
Drop the invalid kfree. The memory from common->luns will be
reclaimed when we kfree(common) later in fgs_common_release().
Reported-by: Zixun LI <admin@hifiphile.com>
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Tested-by: Zixun LI <admin@hifiphile.com> # on SAM9X60
Link: https://lore.kernel.org/r/20250328-ums-gadget-leak-v1-2-3b677db99bde@baylibre.com
Signed-off-by: Mattijs Korpershoek <mkorpershoek@kernel.org>
git.openpandora.org / pandora-u-boot.git / commit