diff options
| author | Alexey Khoroshilov <khoroshilov@ispras.ru> | 2012-08-08 04:53:07 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-08-10 15:06:39 -0400 |
| commit | 05f2b3912323b4130dbf6d5091601d9ca3aaf119 (patch) | |
| tree | b92d2ba4a7244ed594cb717334004190c9b376ec | |
| parent | e58ba01e2cfe7b7d54d28f78c7af3cff4d5419a3 (diff) | |
USB: whci-hcd: Fix potential memory leak in qset_add_urb_sg()
Do not leak memory by updating pointer with potentially
NULL realloc return value.
By the way remove unused local variable:
struct whc_page_list_entry *entry;
More precisely, it was used to increment uninitialized value within one of cycles.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/usb/host/whci/qset.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c index 76083ae92138..dc31c425ce01 100644 --- a/drivers/usb/host/whci/qset.c +++ b/drivers/usb/host/whci/qset.c | |||
| @@ -436,7 +436,7 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u | |||
| 436 | int i; | 436 | int i; |
| 437 | int ntds = 0; | 437 | int ntds = 0; |
| 438 | struct whc_std *std = NULL; | 438 | struct whc_std *std = NULL; |
| 439 | struct whc_page_list_entry *entry; | 439 | struct whc_page_list_entry *new_pl_virt; |
| 440 | dma_addr_t prev_end = 0; | 440 | dma_addr_t prev_end = 0; |
| 441 | size_t pl_len; | 441 | size_t pl_len; |
| 442 | int p = 0; | 442 | int p = 0; |
| @@ -508,12 +508,15 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u | |||
| 508 | 508 | ||
| 509 | pl_len = std->num_pointers * sizeof(struct whc_page_list_entry); | 509 | pl_len = std->num_pointers * sizeof(struct whc_page_list_entry); |
| 510 | 510 | ||
| 511 | std->pl_virt = krealloc(std->pl_virt, pl_len, mem_flags); | 511 | new_pl_virt = krealloc(std->pl_virt, pl_len, mem_flags); |
| 512 | if (std->pl_virt == NULL) { | 512 | if (new_pl_virt == NULL) { |
| 513 | kfree(std->pl_virt); | ||
| 514 | std->pl_virt = NULL; | ||
| 513 | return -ENOMEM; | 515 | return -ENOMEM; |
| 514 | } | 516 | } |
| 517 | std->pl_virt = new_pl_virt; | ||
| 515 | 518 | ||
| 516 | for (;p < std->num_pointers; p++, entry++) { | 519 | for (;p < std->num_pointers; p++) { |
| 517 | std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); | 520 | std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr); |
| 518 | dma_addr = (dma_addr + WHCI_PAGE_SIZE) & ~(WHCI_PAGE_SIZE-1); | 521 | dma_addr = (dma_addr + WHCI_PAGE_SIZE) & ~(WHCI_PAGE_SIZE-1); |
| 519 | } | 522 | } |