gpio: free handles in fringe cases

If we fail when copying the ioctl() struct to userspace we still
need to clean up the cruft otherwise left behind or it will stay
around until the issuing process terminates the file handle.

Reported-by: Alexander Stein <alexander.stein@systec-electronic.com>
Acked-by: Alexander Stein <alexander.stein@systec-electronic.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>

diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index b195ec4..69efe27 100644 (file)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -488,8 +488,10 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
        }
 
        handlereq.fd = fd;
-       if (copy_to_user(ip, &handlereq, sizeof(handlereq)))
-               return -EFAULT;
+       if (copy_to_user(ip, &handlereq, sizeof(handlereq))) {
+               ret = -EFAULT;
+               goto out_free_descs;
+       }
 
        dev_dbg(&gdev->dev, "registered chardev handle for %d lines\n",
                lh->numdescs);
@@ -784,8 +786,10 @@ static int lineevent_create(struct gpio_device *gdev, void __user *ip)
        }
 
        eventreq.fd = fd;
-       if (copy_to_user(ip, &eventreq, sizeof(eventreq)))
-               return -EFAULT;
+       if (copy_to_user(ip, &eventreq, sizeof(eventreq))) {
+               ret = -EFAULT;
+               goto out_free_irq;
+       }
 
        return 0;