media: lirc: do not pass ERR_PTR to kfree

If memdup_user() fails, txbuf will be an error pointer and passed to kfree. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

media: lirc: do not pass ERR_PTR to kfree
If memdup_user() fails, txbuf will be an error pointer and passed to kfree. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
a74b2bff · Sean Young · Mauro Carvalho Chehab · b996157d · a74b2bff
Commit a74b2bff authored Dec 13, 2017 by Sean Young Committed by Mauro Carvalho Chehab Dec 18, 2017
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 17 deletions

drivers/media/rc/lirc_dev.c drivers/media/rc/lirc_dev.c +18 -17

No files found.
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -231,7 +231,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 {
 	struct lirc_fh *fh = file->private_data;
 	struct rc_dev *dev = fh->rc;
-	unsigned int *txbuf = NULL;
+	unsigned int *txbuf;
 	struct ir_raw_event *raw = NULL;
 	ssize_t ret;
 	size_t count;
@@ -246,14 +246,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 	if (!dev->registered) {
 		ret = -ENODEV;
-		goto out;
+		goto out_unlock;
 	}
 	start = ktime_get();
 	if (!dev->tx_ir) {
 		ret = -EINVAL;
-		goto out;
+		goto out_unlock;
 	}
 	if (fh->send_mode == LIRC_MODE_SCANCODE) {
@@ -261,17 +261,17 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		if (n != sizeof(scan)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 		if (copy_from_user(&scan, buf, sizeof(scan))) {
 			ret = -EFAULT;
-			goto out;
+			goto out_unlock;
 		}
 		if (scan.flags || scan.keycode || scan.timestamp) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 		/*
@@ -283,26 +283,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		if (scan.scancode > U32_MAX ||
 		    !rc_validate_scancode(scan.rc_proto, scan.scancode)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 		raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);
 		if (!raw) {
 			ret = -ENOMEM;
-			goto out;
+			goto out_unlock;
 		}
 		ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
 					     raw, LIRCBUF_SIZE);
 		if (ret < 0)
-			goto out;
+			goto out_kfree;
 		count = ret;
 		txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
 		if (!txbuf) {
 			ret = -ENOMEM;
-			goto out;
+			goto out_kfree;
 		}
 		for (i = 0; i < count; i++)
@@ -318,26 +318,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 	} else {
 		if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 		count = n / sizeof(unsigned int);
 		if (count > LIRCBUF_SIZE || count % 2 == 0) {
 			ret = -EINVAL;
-			goto out;
+			goto out_unlock;
 		}
 		txbuf = memdup_user(buf, n);
 		if (IS_ERR(txbuf)) {
 			ret = PTR_ERR(txbuf);
-			goto out;
+			goto out_unlock;
 		}
 	}
 	for (i = 0; i < count; i++) {
 		if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {
 			ret = -EINVAL;
-			goto out;
+			goto out_kfree;
 		}
 		duration += txbuf[i];
@@ -345,7 +345,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 	ret = dev->tx_ir(dev, txbuf, count);
 	if (ret < 0)
-		goto out;
+		goto out_kfree;
 	if (fh->send_mode == LIRC_MODE_SCANCODE) {
 		ret = n;
@@ -368,10 +368,11 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
 		schedule_timeout(usecs_to_jiffies(towait));
 	}
-out:
+out_kfree:
-	mutex_unlock(&dev->lock);
 	kfree(txbuf);
 	kfree(raw);
+out_unlock:
+	mutex_unlock(&dev->lock);
 	return ret;
 }