[PATCH] staging: lirc_sasem: fix NULL pointer dereference in sasem_probe

Alexey Khoroshilov khoroshilov at ispras.ru
Mon Aug 29 20:54:21 UTC 2011


If any memory allocation fails, the cleanup under alloc_status_switch
ends with `goto unlock`, which calls mutex_unlock(&context->ctx_lock)
after context has been freed and set to NULL (or was never allocated).
The patch moves the alloc_status_switch cleanup after the unlock so
that error conditions are handled correctly.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov at ispras.ru>
---
 drivers/staging/lirc/lirc_sasem.c |   46 ++++++++++++++++++------------------
 1 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/drivers/staging/lirc/lirc_sasem.c b/drivers/staging/lirc/lirc_sasem.c
index 7080cde..a2d18b0 100644
--- a/drivers/staging/lirc/lirc_sasem.c
+++ b/drivers/staging/lirc/lirc_sasem.c
@@ -814,29 +814,6 @@ static int sasem_probe(struct usb_interface *interface,
 		printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n",
 			__func__, lirc_minor);
 
-alloc_status_switch:
-
-	switch (alloc_status) {
-
-	case 7:
-		if (vfd_ep_found)
-			usb_free_urb(tx_urb);
-	case 6:
-		usb_free_urb(rx_urb);
-	case 5:
-		lirc_buffer_free(rbuf);
-	case 4:
-		kfree(rbuf);
-	case 3:
-		kfree(driver);
-	case 2:
-		kfree(context);
-		context = NULL;
-	case 1:
-		retval = -ENOMEM;
-		goto unlock;
-	}
-
 	/* Needed while unregistering! */
 	driver->minor = lirc_minor;
 
@@ -867,6 +844,29 @@ alloc_status_switch:
 			__func__, dev->bus->busnum, dev->devnum);
 unlock:
 	mutex_unlock(&context->ctx_lock);
+
+alloc_status_switch:
+	switch (alloc_status) {
+
+	case 7:
+		if (vfd_ep_found)
+			usb_free_urb(tx_urb);
+	case 6:
+		usb_free_urb(rx_urb);
+	case 5:
+		lirc_buffer_free(rbuf);
+	case 4:
+		kfree(rbuf);
+	case 3:
+		kfree(driver);
+	case 2:
+		kfree(context);
+		context = NULL;
+	case 1:
+		if (retval == 0)
+			retval = -ENOMEM;
+	}
+
 exit:
 	return retval;
 }
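Review bot: With the switch now placed directly after `unlock:`, every path that reaches `unlock`, including the successful registration path, runs through the cleanup switch, so the function now relies on `alloc_status` holding a value outside 1–7 on success; that reset is not visible in this hunk and deserves a comment at the label, e.g. `/* alloc_status is 0 on success; 1-7 select how much to free on failure */`. The `if (retval == 0) retval = -ENOMEM;` guard at case 1 likewise assumes `retval` is zero on every allocation-failure path that jumps here and already non-zero when an error was recorded before `goto unlock`; if `retval` is not initialized to 0 at the top of sasem_probe, an allocation failure would return 0 and report a successful probe after its context was freed, so this is worth confirming against the declaration (outside the hunk). The cascading cases are intentional fallthroughs with no marker; kernel style is a `/* fall through */` comment after each case body, and a `default: break;` would make the success-path no-op explicit. sasem_probe's body starts before this hunk.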
-- 
1.7.4.1



