public-mirrors/linux
1
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-10-31 16:54:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

HID: uhid: avoid dangling pointers in uhid context

Browse source 
Avoid keeping uhid->rd_data and uhid->rd_size set in case
uhid_dev_create2() fails. This is non-critical as we never flip
uhid->running and thus never enter uhid_dev_destroy(). However, it's much
nicer for debugging if pointers are only set if they point to valid data.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
This commit is contained in:
David Herrmann 2014-07-29 17:14:17 +02:00 committed by Jiri Kosina
parent 56c4775463
commit 41c4a46423
1 changed files with 11 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
drivers/hid/uhid.c
View file

@ -363,20 +363,24 @@ static int uhid_dev_create2(struct uhid_device *uhid,
const struct uhid_event *ev)
{
struct hid_device *hid;
size_t rd_size;
void *rd_data;
int ret;
if (uhid->running)
return -EALREADY;
uhid->rd_size = ev->u.create2.rd_size;
if (uhid->rd_size <= 0 || uhid->rd_size > HID_MAX_DESCRIPTOR_SIZE)
rd_size = ev->u.create2.rd_size;
if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
return -EINVAL;
uhid->rd_data = kmemdup(ev->u.create2.rd_data, uhid->rd_size,
GFP_KERNEL);
if (!uhid->rd_data)
rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
if (!rd_data)
return -ENOMEM;
uhid->rd_size = rd_size;
uhid->rd_data = rd_data;
hid = hid_allocate_device();
if (IS_ERR(hid)) {
ret = PTR_ERR(hid);
@ -416,6 +420,8 @@ err_hid:
uhid->running = false;
err_free:
kfree(uhid->rd_data);
uhid->rd_data = NULL;
uhid->rd_size = 0;
return ret;
}