releases/2.6.20.2/hid-fix-possible-double-free-on-error-path-in-hid-parser.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From stable-bounces@linux.kernel.org Thu Mar  1 03:02:37 2007
 From: Jiri Kosina <jkosina@suse.cz>
 Date: Thu, 1 Mar 2007 12:02:52 +0100 (CET)
 Subject: HID: fix possible double-free on error path in hid parser
 To: stable@kernel.org
 Message-ID: <Pine.LNX.4.64.0703011200520.4248@jikos.suse.cz>


 From: Jiri Kosina <jkosina@suse.cz>

 HID: fix possible double-free on error path in hid parser

 Freeing of device->collection is properly done in hid_free_device() (as
 this function is supposed to free all the device resources and could be
 called from transport specific code, e.g. usb_hid_configure()).

 Remove all kfree() calls preceeding the hid_free_device() call.

 Signed-off-by: Jiri Kosina <jkosina@suse.cz>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  drivers/hid/hid-core.c |    5 -----
  1 file changed, 5 deletions(-)

 --- linux-2.6.20.1.orig/drivers/hid/hid-core.c
 +++ linux-2.6.20.1/drivers/hid/hid-core.c
 @@ -670,7 +670,6 @@ struct hid_device *hid_parse_report(__u8

  		if (item.format != HID_ITEM_FORMAT_SHORT) {
  			dbg("unexpected long global item");
 -			kfree(device->collection);
  			hid_free_device(device);
  			kfree(parser);
  			return NULL;
 @@ -679,7 +678,6 @@ struct hid_device *hid_parse_report(__u8
  		if (dispatch_type[item.type](parser, &item)) {
  			dbg("item %u %u %u %u parsing failed\n",
  				item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
 -			kfree(device->collection);
  			hid_free_device(device);
  			kfree(parser);
  			return NULL;
 @@ -688,14 +686,12 @@ struct hid_device *hid_parse_report(__u8
  		if (start == end) {
  			if (parser->collection_stack_ptr) {
  				dbg("unbalanced collection at end of report description");
 -				kfree(device->collection);
  				hid_free_device(device);
  				kfree(parser);
  				return NULL;
  			}
  			if (parser->local.delimiter_depth) {
  				dbg("unbalanced delimiter at end of report description");
 -				kfree(device->collection);
  				hid_free_device(device);
  				kfree(parser);
  				return NULL;
 @@ -706,7 +702,6 @@ struct hid_device *hid_parse_report(__u8
  	}

  	dbg("item fetching failed at offset %d\n", (int)(end - start));
 -	kfree(device->collection);
  	hid_free_device(device);
  	kfree(parser);
  	return NULL;
	From stable-bounces@linux.kernel.org Thu Mar 1 03:02:37 2007
	From: Jiri Kosina <jkosina@suse.cz>
	Date: Thu, 1 Mar 2007 12:02:52 +0100 (CET)
	Subject: HID: fix possible double-free on error path in hid parser
	To: stable@kernel.org
	Message-ID: <Pine.LNX.4.64.0703011200520.4248@jikos.suse.cz>


	From: Jiri Kosina <jkosina@suse.cz>

	HID: fix possible double-free on error path in hid parser

	Freeing of device->collection is properly done in hid_free_device() (as
	this function is supposed to free all the device resources and could be
	called from transport specific code, e.g. usb_hid_configure()).

	Remove all kfree() calls preceeding the hid_free_device() call.

	Signed-off-by: Jiri Kosina <jkosina@suse.cz>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	drivers/hid/hid-core.c \| 5 -----
	1 file changed, 5 deletions(-)

	--- linux-2.6.20.1.orig/drivers/hid/hid-core.c
	+++ linux-2.6.20.1/drivers/hid/hid-core.c
	@@ -670,7 +670,6 @@ struct hid_device *hid_parse_report(__u8

	if (item.format != HID_ITEM_FORMAT_SHORT) {
	dbg("unexpected long global item");
	- kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;
	@@ -679,7 +678,6 @@ struct hid_device *hid_parse_report(__u8
	if (dispatch_type[item.type](parser, &item)) {
	dbg("item %u %u %u %u parsing failed\n",
	item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
	- kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;
	@@ -688,14 +686,12 @@ struct hid_device *hid_parse_report(__u8
	if (start == end) {
	if (parser->collection_stack_ptr) {
	dbg("unbalanced collection at end of report description");
	- kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;
	}
	if (parser->local.delimiter_depth) {
	dbg("unbalanced delimiter at end of report description");
	- kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;
	@@ -706,7 +702,6 @@ struct hid_device *hid_parse_report(__u8
	}

	dbg("item fetching failed at offset %d\n", (int)(end - start));
	- kfree(device->collection);
	hid_free_device(device);
	kfree(parser);
	return NULL;