From 05f2b3912323b4130dbf6d5091601d9ca3aaf119 Mon Sep 17 00:00:00 2001
From: Alexey Khoroshilov
Date: Wed, 8 Aug 2012 12:53:07 +0400
Subject: USB: whci-hcd: Fix potential memory leak in qset_add_urb_sg()
Do not leak memory by updating pointer with potentially NULL realloc return value. By the way remove unused local variable: struct whc_page_list_entry *entry; More precisely, it was used to increment uninitialized value within one of cycles. Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/host/whci/qset.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
(limited to 'drivers/usb/host/whci')
diff --git a/drivers/usb/host/whci/qset.c b/drivers/usb/host/whci/qset.c
index 76083ae92138..dc31c425ce01 100644
--- a/drivers/usb/host/whci/qset.c
+++ b/drivers/usb/host/whci/qset.c
@@ -436,7 +436,7 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
 int i;
 int ntds = 0;
 struct whc_std *std = NULL;
- struct whc_page_list_entry *entry;
+ struct whc_page_list_entry *new_pl_virt;
 dma_addr_t prev_end = 0;
 size_t pl_len;
 int p = 0;
@@ -508,12 +508,15 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
 pl_len = std->num_pointers * sizeof(struct whc_page_list_entry);
- std->pl_virt = krealloc(std->pl_virt, pl_len, mem_flags);
- if (std->pl_virt == NULL) {
+ new_pl_virt = krealloc(std->pl_virt, pl_len, mem_flags);
+ if (new_pl_virt == NULL) {
+ kfree(std->pl_virt);
+ std->pl_virt = NULL;
 return -ENOMEM;
 }
+ std->pl_virt = new_pl_virt;
- for (;p < std->num_pointers; p++, entry++) {
+ for (;p < std->num_pointers; p++) {
 std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr);
 dma_addr = (dma_addr + WHCI_PAGE_SIZE) & ~(WHCI_PAGE_SIZE-1);
 }
--
cgit v1.2.3
From 3821bf4abb7f78c90af7fa2975df6618906b11ec Mon Sep 17 00:00:00 2001
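Review bot: On the krealloc() failure branch in the second qset.c hunk, `std->pl_virt` is freed and set to NULL while `std->num_pointers` keeps the count that `pl_len` was just computed from, so the std is left advertising page-list entries it no longer has. Whether that is harmless depends on cleanup code outside this hunk; if any later path walks `num_pointers` entries of `pl_virt` without a NULL check it would dereference NULL, and adding `std->num_pointers = 0;` next to `std->pl_virt = NULL;` would keep the two fields consistent. A short comment on the branch, such as `/* krealloc() leaves the old buffer allocated on failure; release it here */`, would record why the temporary is needed. Separately, the `pl_len` multiplication is unchecked and the loop then writes `num_pointers` entries, so unless an upper bound on `num_pointers` is enforced earlier in qset_add_urb_sg() (not visible here) an overflow-checked size would be the safer form. The function body starts and ends outside the hunk.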
From: Dan Carpenter
Date: Fri, 20 Jul 2012 09:58:16 +0300
Subject: USB: whci-hcd: fix NULL dereference on allocation failure
If usb_create_hcd() fails here then we dereference "whc" inside the call to whc_clean_up() before it has been set. The compiler would have warned about this if we hadn't initialized all the pointers to NULL at the start of the function. I've cleaned that up as well.
Signed-off-by: Dan Carpenter
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/host/whci/hcd.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'drivers/usb/host/whci')
diff --git a/drivers/usb/host/whci/hcd.c b/drivers/usb/host/whci/hcd.c
index 1e141f755b26..c3a647816af0 100644
--- a/drivers/usb/host/whci/hcd.c
+++ b/drivers/usb/host/whci/hcd.c
@@ -238,16 +238,16 @@ static struct hc_driver whc_hc_driver = {
 static int whc_probe(struct umc_dev *umc)
 {
- int ret = -ENOMEM;
+ int ret;
 struct usb_hcd *usb_hcd;
- struct wusbhc *wusbhc = NULL;
- struct whc *whc = NULL;
+ struct wusbhc *wusbhc;
+ struct whc *whc;
 struct device *dev = &umc->dev;
 usb_hcd = usb_create_hcd(&whc_hc_driver, dev, "whci");
 if (usb_hcd == NULL) {
 dev_err(dev, "unable to create hcd\n");
- goto error;
+ return -ENOMEM;
 }
 usb_hcd->wireless = 1;
--
cgit v1.2.3
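Review bot: With the initialisers dropped from `ret`, `wusbhc` and `whc` at the top of whc_probe(), every `goto error` in the part of the function below this hunk depends on those variables having been assigned first, and the only safeguard left is the compiler's uninitialised-variable warning. That warning is heuristic and varies with compiler version and optimisation level, so a jump added later before `whc` is set would pass an indeterminate pointer to the cleanup call rather than NULL. A comment after the `usb_create_hcd()` check, for example `/* whc and wusbhc are valid only once assigned below; earlier failures must return directly */`, would record the rule for future edits. It is also worth confirming that each remaining `goto error` sets `ret` before jumping, since the `-ENOMEM` default is gone. whc_probe() continues past the end of the hunk.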