[PATCH 07/10] media: lirc: do not pass ERR_PTR to kfree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



If memdup_user() fails, txbuf will be an error pointer and passed
to kfree.

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Sean Young <sean@xxxxxxxx>
---
 drivers/media/rc/lirc_dev.c | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 6cedb546c3e0..8618aba152c6 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -231,7 +231,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 {
 	struct lirc_fh *fh = file->private_data;
 	struct rc_dev *dev = fh->rc;
-	unsigned int *txbuf = NULL;
+	unsigned int *txbuf;
 	struct ir_raw_event *raw = NULL;
 	ssize_t ret;
 	size_t count;
@@ -246,14 +246,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 
 	if (!dev->registered) {
 		ret = -ENODEV;
-		goto out;
+		goto out_unlock;
 	}
 
 	start = ktime_get();
 
 	if (!dev->tx_ir) {
 		ret = -EINVAL;
-		goto out;
+		goto out_unlock;
 	}
 
 	if (fh->send_mode == LIRC_MODE_SCANCODE) {
@@ -261,17 +261,17 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 
 		if (n != sizeof(scan)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 
 		if (copy_from_user(&scan, buf, sizeof(scan))) {
 			ret = -EFAULT;
-			goto out;
+			goto out_unlock;
 		}
 
 		if (scan.flags || scan.keycode || scan.timestamp) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 
 		/*
@@ -283,26 +283,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		if (scan.scancode > U32_MAX ||
 		    !rc_validate_scancode(scan.rc_proto, scan.scancode)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 
 		raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);
 		if (!raw) {
 			ret = -ENOMEM;
-			goto out;
+			goto out_unlock;
 		}
 
 		ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
 					     raw, LIRCBUF_SIZE);
 		if (ret < 0)
-			goto out;
+			goto out_kfree;
 
 		count = ret;
 
 		txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
 		if (!txbuf) {
 			ret = -ENOMEM;
-			goto out;
+			goto out_kfree;
 		}
 
 		for (i = 0; i < count; i++)
@@ -318,26 +318,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 	} else {
 		if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 
 		count = n / sizeof(unsigned int);
 		if (count > LIRCBUF_SIZE || count % 2 == 0) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 
 		txbuf = memdup_user(buf, n);
 		if (IS_ERR(txbuf)) {
 			ret = PTR_ERR(txbuf);
-			goto out;
+			goto out_unlock;
 		}
 	}
 
 	for (i = 0; i < count; i++) {
 		if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {
 			ret = -EINVAL;
-			goto out;
+			goto out_kfree;
 		}
 
 		duration += txbuf[i];
@@ -345,7 +345,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 
 	ret = dev->tx_ir(dev, txbuf, count);
 	if (ret < 0)
-		goto out;
+		goto out_kfree;
 
 	if (fh->send_mode == LIRC_MODE_SCANCODE) {
 		ret = n;
@@ -368,10 +368,11 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		schedule_timeout(usecs_to_jiffies(towait));
 	}
 
-out:
-	mutex_unlock(&dev->lock);
+out_kfree:
 	kfree(txbuf);
 	kfree(raw);
+out_unlock:
+	mutex_unlock(&dev->lock);
 	return ret;
 }
 
-- 
2.14.3




[Index of Archives]     [Linux Input]     [Video for Linux]     [Gstreamer Embedded]     [Mplayer Users]     [Linux USB Devel]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux