author | David Herrmann <dh.herrmann@gmail.com> | 2014-07-29 17:14:17 +0200 |
---|---|---|
committer | Jiri Kosina <jkosina@suse.cz> | 2014-08-25 03:28:06 -0500 |
commit | 41c4a46423c08274ef83cdbd44bbd2066cba59bb (patch) | |
tree | 8d85cc93440209b831a5faf46ba2619c89b0b8c4 /drivers/hid/uhid.c | |
parent | 56c47754631b98624e844305709d6a296bde20d1 (diff) | |
HID: uhid: avoid dangling pointers in uhid context
Avoid keeping uhid->rd_data and uhid->rd_size set in case
uhid_dev_create2() fails. This is non-critical as we never flip
uhid->running and thus never enter uhid_dev_destroy(). However, it's much
nicer for debugging if pointers are only set if they point to valid data.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Diffstat (limited to 'drivers/hid/uhid.c')
-rw-r--r-- | drivers/hid/uhid.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/hid/uhid.c b/drivers/hid/uhid.c
index c05b544cf588..bf13746d1731 100644
--- a/drivers/hid/uhid.c
+++ b/drivers/hid/uhid.c
@@ -363,20 +363,24 @@ static int uhid_dev_create2(struct uhid_device *uhid,
 const struct uhid_event *ev)
 {
 struct hid_device *hid;
+ size_t rd_size;
+ void *rd_data;
 int ret;

 if (uhid->running)
 return -EALREADY;

- uhid->rd_size = ev->u.create2.rd_size;
- if (uhid->rd_size <= 0 || uhid->rd_size > HID_MAX_DESCRIPTOR_SIZE)
+ rd_size = ev->u.create2.rd_size;
+ if (rd_size <= 0 || rd_size > HID_MAX_DESCRIPTOR_SIZE)
 return -EINVAL;

- uhid->rd_data = kmemdup(ev->u.create2.rd_data, uhid->rd_size,
- GFP_KERNEL);
- if (!uhid->rd_data)
+ rd_data = kmemdup(ev->u.create2.rd_data, rd_size, GFP_KERNEL);
+ if (!rd_data)
 return -ENOMEM;

+ uhid->rd_size = rd_size;
+ uhid->rd_data = rd_data;
+
 hid = hid_allocate_device();
 if (IS_ERR(hid)) {
 ret = PTR_ERR(hid);
@@ -416,6 +420,8 @@ err_hid:
 uhid->running = false;
 err_free:
 kfree(uhid->rd_data);
+ uhid->rd_data = NULL;
+ uhid->rd_size = 0;
 return ret;
 }

|
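Review bot: In the first hunk the new local `rd_size` is a `size_t`, so `rd_size <= 0` can only ever match zero and the `<` half is dead; `if (!rd_size || rd_size > HID_MAX_DESCRIPTOR_SIZE)` states the check that is actually performed. This bound is the only thing limiting the length passed to `kmemdup()` from `ev->u.create2.rd_size`, so it deserves a short comment such as `/* length comes from the event; bound it before copying rd_data */`. The function body continues past the end of the hunk.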
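Review bot: The reset added under `err_free:` in the second hunk clears `uhid->rd_data` and `uhid->rd_size` only on this function's error path. The commit message refers to uhid_dev_destroy(), which is not visible here; if it also frees `rd_data`, it should reset both fields the same way so the context never carries a freed pointer into a later create. A one-line comment on the new lines would record the invariant, for example `/* rd_data/rd_size are set only while they describe a live buffer */`. The `err_hid:` label and the rest of the function start outside this hunk.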