From: Jiri Kosina
HID: fix possible double-free on error path in hid parser
Freeing of device->collection is properly done in hid_free_device() (as this function is supposed to free all the device resources and could be called from transport specific code, e.g. usb_hid_configure()). Remove all kfree() calls preceeding the hid_free_device() call.
Signed-off-by: Jiri Kosina
Signed-off-by: Greg Kroah-Hartman
---
drivers/hid/hid-core.c | 5 -----
1 file changed, 5 deletions(-)
--- linux-2.6.20.1.orig/drivers/hid/hid-core.c
+++ linux-2.6.20.1/drivers/hid/hid-core.c
@@ -670,7 +670,6 @@ struct hid_device *hid_parse_report(__u8
 if (item.format != HID_ITEM_FORMAT_SHORT) {
 dbg("unexpected long global item");
- kfree(device->collection);
 hid_free_device(device);
 kfree(parser);
 return NULL;
@@ -679,7 +678,6 @@ struct hid_device *hid_parse_report(__u8
 if (dispatch_type[item.type](parser, &item)) {
 dbg("item %u %u %u %u parsing failed\n", item.format, (unsigned)item.size, (unsigned)item.type, (unsigned)item.tag);
- kfree(device->collection);
 hid_free_device(device);
 kfree(parser);
 return NULL;
@@ -688,14 +686,12 @@ struct hid_device *hid_parse_report(__u8
 if (start == end) {
 if (parser->collection_stack_ptr) {
 dbg("unbalanced collection at end of report description");
- kfree(device->collection);
 hid_free_device(device);
 kfree(parser);
 return NULL;
 }
 if (parser->local.delimiter_depth) {
 dbg("unbalanced delimiter at end of report description");
- kfree(device->collection);
 hid_free_device(device);
 kfree(parser);
 return NULL;
@@ -706,7 +702,6 @@ struct hid_device *hid_parse_report(__u8
 }
 dbg("item fetching failed at offset %d\n", (int)(end - start));
- kfree(device->collection);
 hid_free_device(device);
 kfree(parser);
 return NULL;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/