HID: fix possible double-free on error path in hid parser

HID: fix possible double-free on error path in hid parser

Freeing of device->collection is properly done in hid_free_device() (as
this function is supposed to free all the device resources and could be
called from transport specific code, e.g. usb_hid_configure()).

Remove all kfree() calls preceeding the hid_free_device() call.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 49f18f5b2514adbae5b545df07094771c9bb1f40..5cb2500128ea1ebf6d93ca679c79338cc2adcb55 100644 (file)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -670,7 +670,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
 
                if (item.format != HID_ITEM_FORMAT_SHORT) {
                        dbg("unexpected long global item");
-                       kfree(device->collection);
                        hid_free_device(device);
                        kfree(parser);
                        return NULL;
@@ -679,7 +678,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
                if (dispatch_type[item.type](parser, &item)) {
                        dbg("item %u %u %u %u parsing failed\n",
                                item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
-                       kfree(device->collection);
                        hid_free_device(device);
                        kfree(parser);
                        return NULL;
@@ -688,14 +686,12 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
                if (start == end) {
                        if (parser->collection_stack_ptr) {
                                dbg("unbalanced collection at end of report description");
-                               kfree(device->collection);
                                hid_free_device(device);
                                kfree(parser);
                                return NULL;
                        }
                        if (parser->local.delimiter_depth) {
                                dbg("unbalanced delimiter at end of report description");
-                               kfree(device->collection);
                                hid_free_device(device);
                                kfree(parser);
                                return NULL;
@@ -706,7 +702,6 @@ struct hid_device *hid_parse_report(__u8 *start, unsigned size)
        }
 
        dbg("item fetching failed at offset %d\n", (int)(end - start));
-       kfree(device->collection);
        hid_free_device(device);
        kfree(parser);
        return NULL;