
Commit 8d25e15d authored by Colin Ian King, committed by Mauro Carvalho Chehab

media: lirc: don't kfree the uninitialized pointer txbuf



The current error exit path if ir_raw_encode_scancode fails is via the
label out_kfree which kfree's an uninitialized pointer txbuf. Fix this
by exiting via a new exit path that does not kfree txbuf.  Also exit
via this new exit path for a failed allocation of txbuf to avoid a
redundant kfree on a NULL pointer (to save a bunch of CPU cycles).

Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read")

Fixes: f81a8158 ("media: lirc: release lock before sleep")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
parent e3ee691d
+3 −2
@@ -295,14 +295,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
		ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
					     raw, LIRCBUF_SIZE);
		if (ret < 0)
			goto out_kfree;
			goto out_kfree_raw;

		count = ret;

		txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
		if (!txbuf) {
			ret = -ENOMEM;
			goto out_kfree;
			goto out_kfree_raw;
		}

		for (i = 0; i < count; i++)
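Review bot: The second replacement, in the `if (!txbuf)` branch after kmalloc_array, is a cleanup rather than a correctness fix: txbuf is NULL at that point and kfree(NULL) is a no-op, so only the `if (ret < 0)` branch after ir_raw_encode_scancode could pass an uninitialized pointer to kfree. The declaration of txbuf is not in the visible lines; if it has no initializer, consider setting it to NULL there so that a later early `goto out_kfree` added above the allocation cannot bring the uninitialized kfree back.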
@@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
	return n;
out_kfree:
	kfree(txbuf);
out_kfree_raw:
	kfree(raw);
out_unlock:
	mutex_unlock(&dev->lock);
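Review bot: Style point on the label block: with out_kfree_raw now sitting directly under it, the name out_kfree no longer says which buffer it frees. Renaming it to something like out_kfree_txbuf would make the fall-through order (txbuf, then raw, then mutex_unlock) self-documenting, and would make it harder to jump to the wrong label, which is the mistake this commit corrects.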