From: Colin Ian King Date: Tue, 19 Dec 2017 16:48:25 +0000 (-0500) Subject: media: lirc: don't kfree the uninitialized pointer txbuf X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=8d25e15d94a2d7b60c28d3a30e4e0e780cab2056;p=openwrt%2Fstaging%2Fblogic.git media: lirc: don't kfree the uninitialized pointer txbuf The current error exit path if ir_raw_encode_scancode fails is via the label out_kfree which kfree's an uninitialized pointer txbuf. Fix this by exiting via a new exit path that does not kfree txbuf. Also exit via this new exit path for a failed allocation of txbuf to avoid a redundant kfree on a NULL pointer (to save a bunch of CPU cycles). Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read") Fixes: f81a8158d4fb ("media: lirc: release lock before sleep") Signed-off-by: Colin Ian King Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab --- diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c index 713d42e4b661..c04c546bf092 100644 --- a/drivers/media/rc/lirc_dev.c +++ b/drivers/media/rc/lirc_dev.c @@ -295,14 +295,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode, raw, LIRCBUF_SIZE); if (ret < 0) - goto out_kfree; + goto out_kfree_raw; count = ret; txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL); if (!txbuf) { ret = -ENOMEM; - goto out_kfree; + goto out_kfree_raw; } for (i = 0; i < count; i++) @@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf, return n; out_kfree: kfree(txbuf); +out_kfree_raw: kfree(raw); out_unlock: mutex_unlock(&dev->lock);