Fix a memory leak in the usb_store_new_id() error paths. When bailing out due to sanity checks, the function left the already allocated usb_dynid struct in place. Detected by Coverity: CID 1162604. Signed-off-by: Christian Engelmayer <cengelma@xxxxxx> --- This patch addresses a regression introduced in the following commits: commit c63fe8f6ca3669f1d120ff70523e2911b9966574 usb: core: add sanity checks when using bInterfaceClass with new_id commit 1b9fb31f7db7882d475bdc8b335403e8eaabf1ef usb: core: check for valid id_table when using the RefId feature commit 52a6966c350624db89addc3e6a825f5e797a73e4 usb: core: bail out if user gives an unknown RefId when using new_id --- drivers/usb/core/driver.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c index 5d01558..7e95661 100644 --- a/drivers/usb/core/driver.c +++ b/drivers/usb/core/driver.c @@ -63,8 +63,10 @@ ssize_t usb_store_new_id(struct usb_dynids *dynids, dynid->id.idProduct = idProduct; dynid->id.match_flags = USB_DEVICE_ID_MATCH_DEVICE; if (fields > 2 && bInterfaceClass) { - if (bInterfaceClass > 255) + if (bInterfaceClass > 255) { + kfree(dynid); return -EINVAL; + } dynid->id.bInterfaceClass = (u8)bInterfaceClass; dynid->id.match_flags |= USB_DEVICE_ID_MATCH_INT_CLASS; @@ -73,8 +75,10 @@ ssize_t usb_store_new_id(struct usb_dynids *dynids, if (fields > 4) { const struct usb_device_id *id = id_table; - if (!id) + if (!id) { + kfree(dynid); return -ENODEV; + } for (; id->match_flags; id++) if (id->idVendor == refVendor && id->idProduct == refProduct) @@ -82,8 +86,10 @@ ssize_t usb_store_new_id(struct usb_dynids *dynids, if (id->match_flags) dynid->id.driver_info = id->driver_info; - else + else { + kfree(dynid); return -ENODEV; + } } spin_lock(&dynids->lock); -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html