lk/linux-kernel-test
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

staging: lirc_sasem: fix NULL pointer dereference in sasem_probe

Browse Source 
If any memory allocation failed, goto alloc_status_switch
leads to mutex_unlock(&context->ctx_lock) while context is NULL.
The patch moves alloc_status_switch to handle error conditions
in correct way.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Alexey Khoroshilov
2011-08-30 00:54:21 +04:00
committed by Greg Kroah-Hartman
parent 6699291f89
commit 06b3f44a97
1 changed files with 23 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
drivers/staging/lirc/lirc_sasem.c
View File

@@ -814,29 +814,6 @@ static int sasem_probe(struct usb_interface *interface,
printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n", printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n",
__func__, lirc_minor); __func__, lirc_minor);
alloc_status_switch:
switch (alloc_status) {
case 7:
if (vfd_ep_found)
usb_free_urb(tx_urb);
case 6:
usb_free_urb(rx_urb);
case 5:
lirc_buffer_free(rbuf);
case 4:
kfree(rbuf);
case 3:
kfree(driver);
case 2:
kfree(context);
context = NULL;
case 1:
retval = -ENOMEM;
goto unlock;
}
/* Needed while unregistering! */ /* Needed while unregistering! */
driver->minor = lirc_minor; driver->minor = lirc_minor;
@@ -867,6 +844,29 @@ alloc_status_switch:
__func__, dev->bus->busnum, dev->devnum); __func__, dev->bus->busnum, dev->devnum);
unlock: unlock:
mutex_unlock(&context->ctx_lock); mutex_unlock(&context->ctx_lock);
alloc_status_switch:
switch (alloc_status) {
case 7:
if (vfd_ep_found)
usb_free_urb(tx_urb);
case 6:
usb_free_urb(rx_urb);
case 5:
lirc_buffer_free(rbuf);
case 4:
kfree(rbuf);
case 3:
kfree(driver);
case 2:
kfree(context);
context = NULL;
case 1:
if (retval == 0)
retval = -ENOMEM;
}
exit: exit:
return retval; return retval;
} }