[PATCH] drivers/usb/gadget/inode.c: add missing kfree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



From: Julia Lawall <julia@xxxxxxx>

The label fail frees dev->buf, but kbuf hasn't yet been stored there at
this point.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@exists@
local idexpression x;
statement S;
expression E;
expression *ptr != NULL;
@@

x = memdup_user(...);
...
if (IS_ERR(x)) S
... when != x
    when != x = E
(
 return \(0\|<+...x...+>\|ptr\);
|
*return ...;
)
// </smpl>

Signed-off-by: Julia Lawall <julia@xxxxxxx>

---
I wonder if it is really correct to free dev->buf at fail in this case.
Because it is freeing the previously allocated value of dev->buf, not the
current one as done in subsequent cases.

 drivers/usb/gadget/inode.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c
index a01383f..316547a 100644
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1870,8 +1870,10 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
-	if (dev->buf)
+	if (dev->buf) {
+		kfree(kbuf);
 		goto fail;
+	}
 	dev->buf = kbuf;
 
 	/* full or low speed config */

--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux