[PATCH V2] drivers: usb: host: fix prevent memory leak in interrupt message submission

ant.v.moryakov at gmail.com ant.v.moryakov at gmail.com
Fri May 16 22:11:38 CEST 2025


From: AntonMoryakov <ant.v.moryakov at gmail.com>

Static analyzer detected a potential memory leak in _ehci_submit_int_msg()
when the backbuffer returned from _ehci_poll_int_queue() does not match
the original buffer. In this case, the allocated interrupt queue
was not destroyed before returning, leading to a memory leak.

Correction:
Ensure int_queue is properly destroyed when receiving the wrong buffer
by adding an error handling path. Fixes the memory leak that occurred
when backbuffer validation failed.

Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
---
 drivers/usb/host/ehci-hcd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
index 7d5519c65a9..75cd0ec71ed 100644
--- a/drivers/usb/host/ehci-hcd.c
+++ b/drivers/usb/host/ehci-hcd.c
@@ -1556,7 +1556,8 @@ static int _ehci_submit_int_msg(struct usb_device *dev, unsigned long pipe,
 	if (backbuffer != buffer) {
 		debug("got wrong buffer back (%p instead of %p)\n",
 		      backbuffer, buffer);
-		return -EINVAL;
+		result = -EINVAL;
+		goto err;
 	}
 
 	ret = _ehci_destroy_int_queue(dev, queue);
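
Review bot: In the `backbuffer != buffer` branch, `goto err` jumps to a second `_ehci_destroy_int_queue(dev, queue)` call while the same call already sits on the success path right after this block, so the function ends up with two cleanup sites. Consider a single exit path: keep `result = -EINVAL;` here and route both outcomes through one destroy call, so a later change to the queue teardown cannot update one site and miss the other.
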
@@ -1565,6 +1566,10 @@ static int _ehci_submit_int_msg(struct usb_device *dev, unsigned long pipe,
 
 	/* everything worked out fine */
 	return result;
+
+err:
+	_ehci_destroy_int_queue(dev, queue);
+	return result;
 }
 
 static int _ehci_lock_async(struct ehci_ctrl *ctrl, int lock)
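
Review bot: At the `err:` label the return value of `_ehci_destroy_int_queue(dev, queue)` is dropped, while the success path assigns it to `ret`. Returning the original -EINVAL is reasonable, but a one-line comment stating that the destroy result is ignored on purpose (or a `debug()` when it fails) would make that explicit. The comment `/* everything worked out fine */` now sits just above an error label, so a short comment on `err:` would keep the two paths easy to tell apart.
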
-- 
2.34.1


