USB: whci-hcd: Fix potential memory leak in qset_add_urb_sg()
authorAlexey Khoroshilov <khoroshilov@ispras.ru>
Wed, 8 Aug 2012 08:53:07 +0000 (12:53 +0400)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 10 Aug 2012 19:06:39 +0000 (12:06 -0700)
Do not leak memory by updating pointer with potentially
NULL realloc return value.

By the way remove unused local variable:
struct whc_page_list_entry *entry;
More precisely, it was used to increment uninitialized value within one of cycles.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/host/whci/qset.c

index 76083ae9213800cf48ecc1fa2208def7c1cf4542..dc31c425ce0179551b27e2d7a900f1bb7b411ad8 100644 (file)
@@ -436,7 +436,7 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
        int i;
        int ntds = 0;
        struct whc_std *std = NULL;
-       struct whc_page_list_entry *entry;
+       struct whc_page_list_entry *new_pl_virt;
        dma_addr_t prev_end = 0;
        size_t pl_len;
        int p = 0;
@@ -508,12 +508,15 @@ static int qset_add_urb_sg(struct whc *whc, struct whc_qset *qset, struct urb *u
 
                        pl_len = std->num_pointers * sizeof(struct whc_page_list_entry);
 
-                       std->pl_virt = krealloc(std->pl_virt, pl_len, mem_flags);
-                       if (std->pl_virt == NULL) {
+                       new_pl_virt = krealloc(std->pl_virt, pl_len, mem_flags);
+                       if (new_pl_virt == NULL) {
+                               kfree(std->pl_virt);
+                               std->pl_virt = NULL;
                                return -ENOMEM;
                        }
+                       std->pl_virt = new_pl_virt;
 
-                       for (;p < std->num_pointers; p++, entry++) {
+                       for (;p < std->num_pointers; p++) {
                                std->pl_virt[p].buf_ptr = cpu_to_le64(dma_addr);
                                dma_addr = (dma_addr + WHCI_PAGE_SIZE) & ~(WHCI_PAGE_SIZE-1);
                        }