summaryrefslogtreecommitdiff
path: root/drivers/media/rc/lirc_dev.c
diff options
context:
space:
mode:
authorColin Ian King <colin.king@canonical.com>2017-12-19 19:48:25 +0300
committerMauro Carvalho Chehab <mchehab@s-opensource.com>2018-01-23 15:20:29 +0300
commit8d25e15d94a2d7b60c28d3a30e4e0e780cab2056 (patch)
treee3f4049902695766758f34e84d5af4fdc28b66cf /drivers/media/rc/lirc_dev.c
parente3ee691dbf24096ea51b3200946b11d68ce75361 (diff)
downloadlinux-8d25e15d94a2d7b60c28d3a30e4e0e780cab2056.tar.xz
media: lirc: don't kfree the uninitialized pointer txbuf
The current error exit path if ir_raw_encode_scancode fails is via the label out_kfree which kfree's an uninitialized pointer txbuf. Fix this by exiting via a new exit path that does not kfree txbuf. Also exit via this new exit path for a failed allocation of txbuf to avoid a redundant kfree on a NULL pointer (to save a bunch of CPU cycles). Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read") Fixes: f81a8158d4fb ("media: lirc: release lock before sleep") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Sean Young <sean@mess.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Diffstat (limited to 'drivers/media/rc/lirc_dev.c')
-rw-r--r--drivers/media/rc/lirc_dev.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 713d42e4b661..c04c546bf092 100644
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -295,14 +295,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
raw, LIRCBUF_SIZE);
if (ret < 0)
- goto out_kfree;
+ goto out_kfree_raw;
count = ret;
txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
if (!txbuf) {
ret = -ENOMEM;
- goto out_kfree;
+ goto out_kfree_raw;
}
for (i = 0; i < count; i++)
@@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
return n;
out_kfree:
kfree(txbuf);
+out_kfree_raw:
kfree(raw);
out_unlock:
mutex_unlock(&dev->lock);