
Commit 776c0e96 authored by Jiri Kosina's avatar Jiri Kosina

HID: fix possible double-free on error path in hid parser



Freeing of device->collection is properly done in hid_free_device() (as
this function is supposed to free all the device resources and could be
called from transport specific code, e.g. usb_hid_configure()).

Remove all kfree() calls preceding the hid_free_device() call.

Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 4330eb2e
+0 −5
@@ -667,7 +667,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)

		if (item.format != HID_ITEM_FORMAT_SHORT) {
			dbg("unexpected long global item");
			kfree(device->collection);
			hid_free_device(device);
			kfree(parser);
			return NULL;
@@ -676,7 +675,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
		if (dispatch_type[item.type](parser, &item)) {
			dbg("item %u %u %u %u parsing failed\n",
				item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
			kfree(device->collection);
			hid_free_device(device);
			kfree(parser);
			return NULL;
@@ -685,14 +683,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
		if (start == end) {
			if (parser->collection_stack_ptr) {
				dbg("unbalanced collection at end of report description");
				kfree(device->collection);
				hid_free_device(device);
				kfree(parser);
				return NULL;
			}
			if (parser->local.delimiter_depth) {
				dbg("unbalanced delimiter at end of report description");
				kfree(device->collection);
				hid_free_device(device);
				kfree(parser);
				return NULL;
@@ -703,7 +699,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
	}

	dbg("item fetching failed at offset %d\n", (int)(end - start));
	kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;