diff options
| author | Jiri Kosina <jkosina@suse.cz> | 2007-02-21 11:18:03 -0500 |
|---|---|---|
| committer | Jiri Kosina <jkosina@suse.cz> | 2007-03-01 03:52:43 -0500 |
| commit | 776c0e96edecf77f827a62d2a1641cc2ca479043 (patch) | |
| tree | f5eeeefdbd02d3ffcc16b2394451032bf4c4969e /drivers | |
| parent | 4330eb2e5fb6d3c9c0a0be8ed14793f72334d1d4 (diff) | |
HID: fix possible double-free on error path in hid parser
Freeing of device->collection is properly done in hid_free_device() (as
this function is supposed to free all the device resources and could be
called from transport specific code, e.g. usb_hid_configure()).
Remove all kfree() calls preceeding the hid_free_device() call.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/hid/hid-core.c | 5 |
1 files changed, 0 insertions, 5 deletions
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c index aeeb6798e2f1..f4ee1afe488f 100644 --- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c | |||
| @@ -667,7 +667,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) | |||
| 667 | 667 | ||
| 668 | if (item.format != HID_ITEM_FORMAT_SHORT) { | 668 | if (item.format != HID_ITEM_FORMAT_SHORT) { |
| 669 | dbg("unexpected long global item"); | 669 | dbg("unexpected long global item"); |
| 670 | kfree(device->collection); | ||
| 671 | hid_free_device(device); | 670 | hid_free_device(device); |
| 672 | kfree(parser); | 671 | kfree(parser); |
| 673 | return NULL; | 672 | return NULL; |
| @@ -676,7 +675,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) | |||
| 676 | if (dispatch_type[item.type](parser, &item)) { | 675 | if (dispatch_type[item.type](parser, &item)) { |
| 677 | dbg("item %u %u %u %u parsing failed\n", | 676 | dbg("item %u %u %u %u parsing failed\n", |
| 678 | item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag); | 677 | item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag); |
| 679 | kfree(device->collection); | ||
| 680 | hid_free_device(device); | 678 | hid_free_device(device); |
| 681 | kfree(parser); | 679 | kfree(parser); |
| 682 | return NULL; | 680 | return NULL; |
| @@ -685,14 +683,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) | |||
| 685 | if (start == end) { | 683 | if (start == end) { |
| 686 | if (parser->collection_stack_ptr) { | 684 | if (parser->collection_stack_ptr) { |
| 687 | dbg("unbalanced collection at end of report description"); | 685 | dbg("unbalanced collection at end of report description"); |
| 688 | kfree(device->collection); | ||
| 689 | hid_free_device(device); | 686 | hid_free_device(device); |
| 690 | kfree(parser); | 687 | kfree(parser); |
| 691 | return NULL; | 688 | return NULL; |
| 692 | } | 689 | } |
| 693 | if (parser->local.delimiter_depth) { | 690 | if (parser->local.delimiter_depth) { |
| 694 | dbg("unbalanced delimiter at end of report description"); | 691 | dbg("unbalanced delimiter at end of report description"); |
| 695 | kfree(device->collection); | ||
| 696 | hid_free_device(device); | 692 | hid_free_device(device); |
| 697 | kfree(parser); | 693 | kfree(parser); |
| 698 | return NULL; | 694 | return NULL; |
| @@ -703,7 +699,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) | |||
| 703 | } | 699 | } |
| 704 | 700 | ||
| 705 | dbg("item fetching failed at offset %d\n", (int)(end - start)); | 701 | dbg("item fetching failed at offset %d\n", (int)(end - start)); |
| 706 | kfree(device->collection); | ||
| 707 | hid_free_device(device); | 702 | hid_free_device(device); |
| 708 | kfree(parser); | 703 | kfree(parser); |
| 709 | return NULL; | 704 | return NULL; |