media: lirc: do not pass ERR_PTR to kfree
If memdup_user() fails, txbuf will be an error pointer and passed to kfree. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
This commit is contained in:
Sean Young
committed by
Mauro Carvalho Chehab
Mauro Carvalho Chehab
parent
b996157dd2
commit
a74b2bff59
@@ -231,7 +231,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
{
|
{
|
||||||
struct lirc_fh *fh = file->private_data;
|
struct lirc_fh *fh = file->private_data;
|
||||||
struct rc_dev *dev = fh->rc;
|
struct rc_dev *dev = fh->rc;
|
||||||
unsigned int *txbuf = NULL;
|
unsigned int *txbuf;
|
||||||
struct ir_raw_event *raw = NULL;
|
struct ir_raw_event *raw = NULL;
|
||||||
ssize_t ret;
|
ssize_t ret;
|
||||||
size_t count;
|
size_t count;
|
||||||
@@ -246,14 +246,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
|
|
||||||
if (!dev->registered) {
|
if (!dev->registered) {
|
||||||
ret = -ENODEV;
|
ret = -ENODEV;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
start = ktime_get();
|
start = ktime_get();
|
||||||
|
|
||||||
if (!dev->tx_ir) {
|
if (!dev->tx_ir) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (fh->send_mode == LIRC_MODE_SCANCODE) {
|
if (fh->send_mode == LIRC_MODE_SCANCODE) {
|
||||||
@@ -261,17 +261,17 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
|
|
||||||
if (n != sizeof(scan)) {
|
if (n != sizeof(scan)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (copy_from_user(&scan, buf, sizeof(scan))) {
|
if (copy_from_user(&scan, buf, sizeof(scan))) {
|
||||||
ret = -EFAULT;
|
ret = -EFAULT;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (scan.flags || scan.keycode || scan.timestamp) {
|
if (scan.flags || scan.keycode || scan.timestamp) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -283,26 +283,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
if (scan.scancode > U32_MAX ||
|
if (scan.scancode > U32_MAX ||
|
||||||
!rc_validate_scancode(scan.rc_proto, scan.scancode)) {
|
!rc_validate_scancode(scan.rc_proto, scan.scancode)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);
|
raw = kmalloc_array(LIRCBUF_SIZE, sizeof(*raw), GFP_KERNEL);
|
||||||
if (!raw) {
|
if (!raw) {
|
||||||
ret = -ENOMEM;
|
ret = -ENOMEM;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
|
ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
|
||||||
raw, LIRCBUF_SIZE);
|
raw, LIRCBUF_SIZE);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto out;
|
goto out_kfree;
|
||||||
|
|
||||||
count = ret;
|
count = ret;
|
||||||
|
|
||||||
txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
|
txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
|
||||||
if (!txbuf) {
|
if (!txbuf) {
|
||||||
ret = -ENOMEM;
|
ret = -ENOMEM;
|
||||||
goto out;
|
goto out_kfree;
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < count; i++)
|
for (i = 0; i < count; i++)
|
||||||
@@ -318,26 +318,26 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
} else {
|
} else {
|
||||||
if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {
|
if (n < sizeof(unsigned int) || n % sizeof(unsigned int)) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
count = n / sizeof(unsigned int);
|
count = n / sizeof(unsigned int);
|
||||||
if (count > LIRCBUF_SIZE || count % 2 == 0) {
|
if (count > LIRCBUF_SIZE || count % 2 == 0) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
|
|
||||||
txbuf = memdup_user(buf, n);
|
txbuf = memdup_user(buf, n);
|
||||||
if (IS_ERR(txbuf)) {
|
if (IS_ERR(txbuf)) {
|
||||||
ret = PTR_ERR(txbuf);
|
ret = PTR_ERR(txbuf);
|
||||||
goto out;
|
goto out_unlock;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {
|
if (txbuf[i] > IR_MAX_DURATION / 1000 - duration || !txbuf[i]) {
|
||||||
ret = -EINVAL;
|
ret = -EINVAL;
|
||||||
goto out;
|
goto out_kfree;
|
||||||
}
|
}
|
||||||
|
|
||||||
duration += txbuf[i];
|
duration += txbuf[i];
|
||||||
@@ -345,7 +345,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
|
|
||||||
ret = dev->tx_ir(dev, txbuf, count);
|
ret = dev->tx_ir(dev, txbuf, count);
|
||||||
if (ret < 0)
|
if (ret < 0)
|
||||||
goto out;
|
goto out_kfree;
|
||||||
|
|
||||||
if (fh->send_mode == LIRC_MODE_SCANCODE) {
|
if (fh->send_mode == LIRC_MODE_SCANCODE) {
|
||||||
ret = n;
|
ret = n;
|
||||||
@@ -368,10 +368,11 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
|
|||||||
schedule_timeout(usecs_to_jiffies(towait));
|
schedule_timeout(usecs_to_jiffies(towait));
|
||||||
}
|
}
|
||||||
|
|
||||||
out:
|
out_kfree:
|
||||||
mutex_unlock(&dev->lock);
|
|
||||||
kfree(txbuf);
|
kfree(txbuf);
|
||||||
kfree(raw);
|
kfree(raw);
|
||||||
|
out_unlock:
|
||||||
|
mutex_unlock(&dev->lock);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user