USB: rio500: fix memory leak in close after disconnect

commit e0feb73428b69322dd5caae90b0207de369b5575 upstream.

If a disconnected device is closed, rio_close() must free
the buffers.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/misc/rio500.c b/drivers/usb/misc/rio500.c
index 57c4632ddd0af62a4540f140ed7eced6b4d0fd64..6e761fabffca064a965c487703e930e0b29055cf 100644 (file)
--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -103,9 +103,22 @@ static int close_rio(struct inode *inode, struct file *file)
 {
        struct rio_usb_data *rio = &rio_instance;
 
-       rio->isopen = 0;
+       /* against disconnect() */
+       mutex_lock(&rio500_mutex);
+       mutex_lock(&(rio->lock));
 
-       dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+       rio->isopen = 0;
+       if (!rio->present) {
+               /* cleanup has been delayed */
+               kfree(rio->ibuf);
+               kfree(rio->obuf);
+               rio->ibuf = NULL;
+               rio->obuf = NULL;
+       } else {
+               dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+       }
+       mutex_unlock(&(rio->lock));
+       mutex_unlock(&rio500_mutex);
        return 0;
 }