Re: [PATCH v2] HID: leave dev_rdesc unmodified and use it for comparisons

On 09/19/2012 04:36 AM, Kevin Daughtridge wrote:
> --- a/drivers/hid/hid-core.c
> +++ b/drivers/hid/hid-core.c
> @@ -775,12 +775,14 @@ int hid_open_report(struct hid_device *d
>          return -ENODEV;
>      size = device->dev_rsize;
>  
> +    start = kmemdup(start, size, GFP_KERNEL);
> +    if (start == NULL)
> +        return -ENOMEM;
> +
>      if (device->driver->report_fixup)
>          start = device->driver->report_fixup(device, start, &size);
>  
> -    device->rdesc = kmemdup(start, size, GFP_KERNEL);
> -    if (device->rdesc == NULL)
> -        return -ENOMEM;
> +    device->rdesc = start;
>      device->rsize = size;
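
Review bot: at `start = device->driver->report_fixup(device, start, &size);` the only reference to the buffer just returned by kmemdup() is overwritten, and `device->rdesc = start;` then stores whatever the driver handed back. Nothing in this hunk guarantees that report_fixup() returns the pointer it was given, so device->rdesc may end up pointing at memory this function did not allocate, while the duplicate becomes unreachable. Keep the duplicate in its own local variable, pass that to report_fixup(), kmemdup() the returned pointer into device->rdesc as the removed lines did, and kfree() the local duplicate afterwards, including on the -ENOMEM path.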

AFAICS this is incorrect. Some drivers return pointers to their own
static structure from their .report_fixup. Hence there are two problems:
* leak, because kmemdup'ped start is never freed
* invalid free -- kfree(device->rdesc) will try to free a static structure

regards,
-- 
js
suse labs
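
An added example, not part of the original message or of the kernel source: a userspace C model of the ownership problem raised in the reply above, in which the descriptor is copied once as scratch for the fixup and once more for storage, so the stored pointer is always heap-owned. `struct dev`, `open_report`, `fixup_static` and `fixup_inplace` are hypothetical names, and `malloc`/`free` stand in for `kmemdup`/`kfree`.

```c
#include <stdlib.h>
#include <string.h>

struct dev {                         /* hypothetical userspace model */
    const unsigned char *dev_rdesc;  /* descriptor as read from the device */
    size_t dev_rsize;
    unsigned char *rdesc;            /* parsed copy, always heap-owned */
    size_t rsize;
    unsigned char *(*report_fixup)(unsigned char *buf, size_t *size);
};
static unsigned char static_rdesc[] = { 0x05, 0x01, 0x09, 0x06, 0xc0 };
/* Fixup style 1: ignores buf, returns the driver's own static table. */
unsigned char *fixup_static(unsigned char *buf, size_t *size)
{
    (void)buf;
    *size = sizeof(static_rdesc);
    return static_rdesc;
}
/* Fixup style 2: patches the buffer it was handed and returns it. */
unsigned char *fixup_inplace(unsigned char *buf, size_t *size)
{
    if (*size > 1) buf[1] = 0xff;
    return buf;
}
/* Returns 0 on success, -1 on allocation failure. */
int open_report(struct dev *d)
{
    size_t size = d->dev_rsize;
    unsigned char *start, *buf = malloc(size);  /* scratch copy for fixup */
    if (!buf)
        return -1;
    memcpy(buf, d->dev_rdesc, size);            /* dev_rdesc stays unmodified */
    start = d->report_fixup ? d->report_fixup(buf, &size) : buf;
    d->rdesc = malloc(size);         /* copy the result, whoever owns start */
    if (d->rdesc)
        memcpy(d->rdesc, start, size);
    free(buf);                       /* scratch is freed on every path */
    if (!d->rdesc)
        return -1;
    d->rsize = size;
    return 0;
}
int main(void)
{
    unsigned char raw[] = { 0x05, 0x01, 0x09, 0x02, 0xc0 };  /* constructed */
    struct dev d = { raw, sizeof(raw), NULL, 0, fixup_static };
    if (open_report(&d) != 0)
        return 1;
    free(d.rdesc);                   /* valid: never aliases static_rdesc */
    return 0;
}
```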