usb: gadget: eem: fix echo command processing

During processing of bunch of eem frames if "echo" command is found skb is cloned and the cloned version should be used to send reply. Unfortunately, the data of the original skb were actually used and the cloned skb is never freed. Using the cloned skb and freeing the skb in the completion callback for usb request. Signed-off-by: Yauheni Kaliuta <yauheni.kaliuta@nokia.com> Reviewed-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
mariux64 · Apr 13, 2011 · 505d1f6 · 505d1f6
1 parent 5a9443f
commit 505d1f6
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/drivers/usb/gadget/f_eem.c b/drivers/usb/gadget/f_eem.c
@@ -314,6 +314,9 @@ eem_unbind(struct usb_configuration *c, struct usb_function *f)
 
 static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
 {
+	struct sk_buff *skb = (struct sk_buff *)req->context;
+
+	dev_kfree_skb_any(skb);
 }
 
 /*
@@ -428,10 +431,11 @@ static int eem_unwrap(struct gether *port,
 				skb_trim(skb2, len);
 				put_unaligned_le16(BIT(15) | BIT(11) | len,
 							skb_push(skb2, 2));
-				skb_copy_bits(skb, 0, req->buf, skb->len);
-				req->length = skb->len;
+				skb_copy_bits(skb2, 0, req->buf, skb2->len);
+				req->length = skb2->len;
 				req->complete = eem_cmd_complete;
 				req->zero = 1;
+				req->context = skb2;
 				if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
 					DBG(cdev, "echo response queue fail\n");
 				break;