firewire: cdev: fix memory leak in an error path

If copy_from_user in an FW_CDEV_IOC_SEND_RESPONSE ioctl failed, an
inbound_transaction_resource instance is no longer referenced and needs
to be freed.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>

diff --git a/drivers/firewire/core-cdev.c b/drivers/firewire/core-cdev.c
index ced186d..0516acd 100644 (file)
--- a/drivers/firewire/core-cdev.c
+++ b/drivers/firewire/core-cdev.c
@@ -698,6 +698,7 @@ static int ioctl_send_response(struct client *client, void *buffer)
        struct fw_cdev_send_response *request = buffer;
        struct client_resource *resource;
        struct inbound_transaction_resource *r;
+       int ret = 0;
 
        if (release_client_resource(client, request->handle,
                                    release_request, &resource) < 0)
@@ -707,13 +708,17 @@ static int ioctl_send_response(struct client *client, void *buffer)
                         resource);
        if (request->length < r->length)
                r->length = request->length;
-       if (copy_from_user(r->data, u64_to_uptr(request->data), r->length))
-               return -EFAULT;
+
+       if (copy_from_user(r->data, u64_to_uptr(request->data), r->length)) {
+               ret = -EFAULT;
+               goto out;
+       }
 
        fw_send_response(client->device->card, r->request, request->rcode);
+ out:
        kfree(r);
 
-       return 0;
+       return ret;
 }
 
 static int ioctl_initiate_bus_reset(struct client *client, void *buffer)