Function rtl88eu_download_fw() may leak the memory of the already requested
firmware data due to direct returns in the error paths. Ensure cleanup by
using a centralized exit path. Detected by Coverity CID 1269127.

Signed-off-by: Christian Engelmayer <cenge...@gmx.at>
---
Compile tested only. Applies against branch staging-next.
---
 drivers/staging/rtl8188eu/hal/fw.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rtl8188eu/hal/fw.c 
b/drivers/staging/rtl8188eu/hal/fw.c
index 3b2875481fc5..1b57ca49af5f 100644
--- a/drivers/staging/rtl8188eu/hal/fw.c
+++ b/drivers/staging/rtl8188eu/hal/fw.c
@@ -201,17 +201,19 @@ int rtl88eu_download_fw(struct adapter *adapt)
        if (fw->size > FW_8188E_SIZE) {
                dev_err(device, "Firmware size exceed 0x%X. Check it.\n",
                         FW_8188E_SIZE);
-               return -1;
+               err = -1;
+               goto exit;
        }
 
        pfwdata = kzalloc(FW_8188E_SIZE, GFP_KERNEL);
-       if (!pfwdata)
-               return -ENOMEM;
+       if (!pfwdata) {
+               err = -ENOMEM;
+               goto exit;
+       }
 
        rtlhal->pfirmware = pfwdata;
        memcpy(rtlhal->pfirmware, fw->data, fw->size);
        rtlhal->fwsize = fw->size;
-       release_firmware(fw);
 
        fwsize = rtlhal->fwsize;
        pfwheader = (struct rtl92c_firmware_header *)pfwdata;
@@ -232,5 +234,7 @@ int rtl88eu_download_fw(struct adapter *adapt)
 
        err = _rtl88e_fw_free_to_go(adapt);
 
+exit:
+       release_firmware(fw);
        return err;
 }
-- 
1.9.1

_______________________________________________
devel mailing list
de...@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Reply via email to