Commit 776c0e96 authored by Jiri Kosina's avatar Jiri Kosina

HID: fix possible double-free on error path in hid parser

Freeing of device->collection is properly done in hid_free_device() (as
this function is supposed to free all the device resources and could be
called from transport specific code, e.g. usb_hid_configure()).

Remove all kfree() calls preceding the hid_free_device() call.
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 4330eb2e
...@@ -667,7 +667,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) ...@@ -667,7 +667,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
if (item.format != HID_ITEM_FORMAT_SHORT) { if (item.format != HID_ITEM_FORMAT_SHORT) {
dbg("unexpected long global item"); dbg("unexpected long global item");
kfree(device->collection);
hid_free_device(device); hid_free_device(device);
kfree(parser); kfree(parser);
return NULL; return NULL;
...@@ -676,7 +675,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) ...@@ -676,7 +675,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
if (dispatch_type[item.type](parser, &item)) { if (dispatch_type[item.type](parser, &item)) {
dbg("item %u %u %u %u parsing failed\n", dbg("item %u %u %u %u parsing failed\n",
item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag); item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
kfree(device->collection);
hid_free_device(device); hid_free_device(device);
kfree(parser); kfree(parser);
return NULL; return NULL;
...@@ -685,14 +683,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) ...@@ -685,14 +683,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
if (start == end) { if (start == end) {
if (parser->collection_stack_ptr) { if (parser->collection_stack_ptr) {
dbg("unbalanced collection at end of report description"); dbg("unbalanced collection at end of report description");
kfree(device->collection);
hid_free_device(device); hid_free_device(device);
kfree(parser); kfree(parser);
return NULL; return NULL;
} }
if (parser->local.delimiter_depth) { if (parser->local.delimiter_depth) {
dbg("unbalanced delimiter at end of report description"); dbg("unbalanced delimiter at end of report description");
kfree(device->collection);
hid_free_device(device); hid_free_device(device);
kfree(parser); kfree(parser);
return NULL; return NULL;
...@@ -703,7 +699,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size) ...@@ -703,7 +699,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
} }
dbg("item fetching failed at offset %d\n", (int)(end - start)); dbg("item fetching failed at offset %d\n", (int)(end - start));
kfree(device->collection);
hid_free_device(device); hid_free_device(device);
kfree(parser); kfree(parser);
return NULL; return NULL;
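Review bot: The five error exits in hid_parse_report() still each spell out `hid_free_device(device); kfree(parser); return NULL;`, and that copy-pasted teardown is what allowed a stray `kfree(device->collection)` to sit ahead of the full free on every path, all of which are reached on a malformed report descriptor. Routing them through one label, `goto err;` with `err: hid_free_device(device); kfree(parser); return NULL;`, would leave a single place where ownership of device->collection is decided. A comment at that spot such as `/* hid_free_device() frees device->collection; do not kfree() it here */` would help keep the double free from being reintroduced. hid_free_device() is not visible on this page, so its handling of a partially parsed device is taken from the commit message rather than checked, and the function body continues outside these hunks.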
......