提交 06b3f44a 编写于 作者: A Alexey Khoroshilov 提交者: Greg Kroah-Hartman

staging: lirc_sasem: fix NULL pointer dereference in sasem_probe

If any memory allocation failed, goto alloc_status_switch
leads to mutex_unlock(&context->ctx_lock) while context is NULL.
The patch moves alloc_status_switch to handle error conditions
in correct way.

Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>
上级 6699291f
......@@ -814,29 +814,6 @@ static int sasem_probe(struct usb_interface *interface,
printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n",
__func__, lirc_minor);
alloc_status_switch:
switch (alloc_status) {
case 7:
if (vfd_ep_found)
usb_free_urb(tx_urb);
case 6:
usb_free_urb(rx_urb);
case 5:
lirc_buffer_free(rbuf);
case 4:
kfree(rbuf);
case 3:
kfree(driver);
case 2:
kfree(context);
context = NULL;
case 1:
retval = -ENOMEM;
goto unlock;
}
/* Needed while unregistering! */
driver->minor = lirc_minor;
......@@ -867,6 +844,29 @@ static int sasem_probe(struct usb_interface *interface,
__func__, dev->bus->busnum, dev->devnum);
unlock:
mutex_unlock(&context->ctx_lock);
alloc_status_switch:
switch (alloc_status) {
case 7:
if (vfd_ep_found)
usb_free_urb(tx_urb);
case 6:
usb_free_urb(rx_urb);
case 5:
lirc_buffer_free(rbuf);
case 4:
kfree(rbuf);
case 3:
kfree(driver);
case 2:
kfree(context);
context = NULL;
case 1:
if (retval == 0)
retval = -ENOMEM;
}
exit:
return retval;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册