summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDominik Brodowski <linux@dominikbrodowski.net>2010-01-24 12:11:02 +0100
committerDominik Brodowski <linux@dominikbrodowski.net>2010-02-17 17:48:30 +0100
commit44961a03adbf16d872f0b83ec848d0759516d33f (patch)
treeba0e93fd1a473d93370d56c77416c44de6e9b3f9
parentc3bfc96ef7366aa996fb8286a36f3333a3b4ff25 (diff)
pcmcia: avoid prod_id memleak
Reported-by: Wolfram Sang <w.sang@pengutronix.de> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
-rw-r--r--drivers/pcmcia/ds.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c
index 9968c0d3a5fb..93925f5908b8 100644
--- a/drivers/pcmcia/ds.c
+++ b/drivers/pcmcia/ds.c
@@ -237,8 +237,11 @@ static void pcmcia_release_function(struct kref *ref)
static void pcmcia_release_dev(struct device *dev)
{
struct pcmcia_device *p_dev = to_pcmcia_dev(dev);
+ int i;
dev_dbg(dev, "releasing device\n");
pcmcia_put_socket(p_dev->socket);
+ for (i = 0; i < 4; i++)
+ kfree(p_dev->prod_id[i]);
kfree(p_dev->devname);
kref_put(&p_dev->function_config->ref, pcmcia_release_function);
kfree(p_dev);
@@ -450,6 +453,7 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
for (i = 0; i < min_t(unsigned int, 4, vers1->ns); i++) {
char *tmp;
unsigned int length;
+ char *new;
tmp = vers1->str + vers1->ofs[i];
@@ -457,13 +461,15 @@ static int pcmcia_device_query(struct pcmcia_device *p_dev)
if ((length < 2) || (length > 255))
continue;
- p_dev->prod_id[i] = kmalloc(sizeof(char) * length,
- GFP_KERNEL);
- if (!p_dev->prod_id[i])
+ new = kmalloc(sizeof(char) * length, GFP_KERNEL);
+ if (!new)
continue;
- p_dev->prod_id[i] = strncpy(p_dev->prod_id[i],
- tmp, length);
+ new = strncpy(new, tmp, length);
+
+ tmp = p_dev->prod_id[i];
+ p_dev->prod_id[i] = new;
+ kfree(tmp);
}
mutex_unlock(&p_dev->socket->ops_mutex);
}
@@ -485,6 +491,7 @@ static DEFINE_MUTEX(device_add_lock);
struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int function)
{
struct pcmcia_device *p_dev, *tmp_dev;
+ int i;
s = pcmcia_get_socket(s);
if (!s)
@@ -575,6 +582,8 @@ struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, unsigned int fu
s->device_count--;
mutex_unlock(&s->ops_mutex);
+ for (i = 0; i < 4; i++)
+ kfree(p_dev->prod_id[i]);
kfree(p_dev->devname);
kfree(p_dev);
err_put: