* [patch] HID: logitech-hidpp: leaks and NULL dereferences
@ 2014-10-31 9:14 Dan Carpenter
2014-10-31 13:49 ` Benjamin Tissoires
0 siblings, 1 reply; 3+ messages in thread
From: Dan Carpenter @ 2014-10-31 9:14 UTC (permalink / raw)
To: Jiri Kosina, Benjamin Tissoires
Cc: Henrik Rydberg, linux-input, kernel-janitors
Shift the allocation down a few lines to avoid a memory leak and also
add a check for allocation failure.
Fixes: 2f31c5252910 ('HID: Introduce hidpp, a module to handle Logitech hid++ devices')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 361e97d..3cce995 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -200,13 +200,15 @@ static int hidpp_send_fap_command_sync(struct hidpp_device *hidpp,
u8 feat_index, u8 funcindex_clientid, u8 *params, int param_count,
struct hidpp_report *response)
{
- struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report),
- GFP_KERNEL);
+ struct hidpp_report *message;
int ret;
if (param_count > sizeof(message->fap.params))
return -EINVAL;
+ message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL);
+ if (!message)
+ return -ENOMEM;
message->report_id = REPORT_ID_HIDPP_LONG;
message->fap.feature_index = feat_index;
message->fap.funcindex_clientid = funcindex_clientid;
@@ -221,8 +223,7 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev,
u8 report_id, u8 sub_id, u8 reg_address, u8 *params, int param_count,
struct hidpp_report *response)
{
- struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report),
- GFP_KERNEL);
+ struct hidpp_report *message;
int ret;
if ((report_id != REPORT_ID_HIDPP_SHORT) &&
@@ -232,6 +233,9 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev,
if (param_count > sizeof(message->rap.params))
return -EINVAL;
+ message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL);
+ if (!message)
+ return -ENOMEM;
message->report_id = report_id;
message->rap.sub_id = sub_id;
message->rap.reg_address = reg_address;
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [patch] HID: logitech-hidpp: leaks and NULL dereferences
2014-10-31 9:14 [patch] HID: logitech-hidpp: leaks and NULL dereferences Dan Carpenter
@ 2014-10-31 13:49 ` Benjamin Tissoires
2014-11-03 13:27 ` Jiri Kosina
0 siblings, 1 reply; 3+ messages in thread
From: Benjamin Tissoires @ 2014-10-31 13:49 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Jiri Kosina, Henrik Rydberg, linux-input, kernel-janitors
On Oct 31 2014 or thereabouts, Dan Carpenter wrote:
> Shift the allocation down a few lines to avoid a memory leak and also
> add a check for allocation failure.
>
> Fixes: 2f31c5252910 ('HID: Introduce hidpp, a module to handle Logitech hid++ devices')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
Ouch, I am ashamed of not having spot that :/
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Thanks Dan!
Benjamin
> diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
> index 361e97d..3cce995 100644
> --- a/drivers/hid/hid-logitech-hidpp.c
> +++ b/drivers/hid/hid-logitech-hidpp.c
> @@ -200,13 +200,15 @@ static int hidpp_send_fap_command_sync(struct hidpp_device *hidpp,
> u8 feat_index, u8 funcindex_clientid, u8 *params, int param_count,
> struct hidpp_report *response)
> {
> - struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report),
> - GFP_KERNEL);
> + struct hidpp_report *message;
> int ret;
>
> if (param_count > sizeof(message->fap.params))
> return -EINVAL;
>
> + message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL);
> + if (!message)
> + return -ENOMEM;
> message->report_id = REPORT_ID_HIDPP_LONG;
> message->fap.feature_index = feat_index;
> message->fap.funcindex_clientid = funcindex_clientid;
> @@ -221,8 +223,7 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev,
> u8 report_id, u8 sub_id, u8 reg_address, u8 *params, int param_count,
> struct hidpp_report *response)
> {
> - struct hidpp_report *message = kzalloc(sizeof(struct hidpp_report),
> - GFP_KERNEL);
> + struct hidpp_report *message;
> int ret;
>
> if ((report_id != REPORT_ID_HIDPP_SHORT) &&
> @@ -232,6 +233,9 @@ static int hidpp_send_rap_command_sync(struct hidpp_device *hidpp_dev,
> if (param_count > sizeof(message->rap.params))
> return -EINVAL;
>
> + message = kzalloc(sizeof(struct hidpp_report), GFP_KERNEL);
> + if (!message)
> + return -ENOMEM;
> message->report_id = report_id;
> message->rap.sub_id = sub_id;
> message->rap.reg_address = reg_address;
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch] HID: logitech-hidpp: leaks and NULL dereferences
2014-10-31 13:49 ` Benjamin Tissoires
@ 2014-11-03 13:27 ` Jiri Kosina
0 siblings, 0 replies; 3+ messages in thread
From: Jiri Kosina @ 2014-11-03 13:27 UTC (permalink / raw)
To: Benjamin Tissoires
Cc: Dan Carpenter, Henrik Rydberg, linux-input, kernel-janitors
On Fri, 31 Oct 2014, Benjamin Tissoires wrote:
> > Shift the allocation down a few lines to avoid a memory leak and also
> > add a check for allocation failure.
> >
> > Fixes: 2f31c5252910 ('HID: Introduce hidpp, a module to handle Logitech hid++ devices')
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> >
>
> Ouch, I am ashamed of not having spot that :/
>
> Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Good catch. Applied, thanks.
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-11-03 13:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-10-31 9:14 [patch] HID: logitech-hidpp: leaks and NULL dereferences Dan Carpenter
2014-10-31 13:49 ` Benjamin Tissoires
2014-11-03 13:27 ` Jiri Kosina
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).