On 07.05.2015 01:00, Fabio Estevam wrote:
> On Wed, May 6, 2015 at 6:48 PM, Alexey Khoroshilov
> <khoroshilov@xxxxxxxxx> wrote:
>> If prox_parse_report() fails, memory allocated for channels is not
>> deallocated, since it is still in local variable channels
>> while kfree() is called with indio_dev->channels.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
>> ---
>> drivers/iio/light/hid-sensor-prox.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/iio/light/hid-sensor-prox.c b/drivers/iio/light/hid-sensor-prox.c
>> index 91ecc46ffeaa..d0d188108a11 100644
>> --- a/drivers/iio/light/hid-sensor-prox.c
>> +++ b/drivers/iio/light/hid-sensor-prox.c
>> @@ -281,8 +281,9 @@ static int hid_prox_probe(struct platform_device *pdev)
>> ret = prox_parse_report(pdev, hsdev, channels,
>> HID_USAGE_SENSOR_PROX, prox_state);
>> if (ret) {
>> + kfree(channels);
>> dev_err(&pdev->dev, "failed to setup attributes\n");
>> - goto error_free_dev_mem;
>> + return ret;
>
> Then the other calls to error_free_dev_mem will also miss to call
> 'kfree(channels)'.
>
Not exactly. Other calls are after
indio_dev->channels = channels;
So,
error_free_dev_mem:
kfree(indio_dev->channels);
works for them well.
--
Alexey
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
