staging: lirc_sasem: fix NULL pointer dereference in sasem_probe

If any memory allocation failed, goto alloc_status_switch leads to mutex_unlock(&context->ctx_lock) while context is NULL. The patch moves alloc_status_switch to handle error conditions in correct way. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-08-30 00:54:21 +04:00 · 2011-08-30 00:54:21 +04:00 · 06b3f44a97
parent 6699291f89
commit 06b3f44a97
1 changed files with 23 additions and 23 deletions
--- a/drivers/staging/lirc/lirc_sasem.c
+++ b/drivers/staging/lirc/lirc_sasem.c
@ -814,29 +814,6 @@ static int sasem_probe(struct usb_interface *interface,
 		printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n",
 			__func__, lirc_minor);

-alloc_status_switch:
-
-	switch (alloc_status) {
-
-	case 7:
-		if (vfd_ep_found)
-			usb_free_urb(tx_urb);
-	case 6:
-		usb_free_urb(rx_urb);
-	case 5:
-		lirc_buffer_free(rbuf);
-	case 4:
-		kfree(rbuf);
-	case 3:
-		kfree(driver);
-	case 2:
-		kfree(context);
-		context = NULL;
-	case 1:
-		retval = -ENOMEM;
-		goto unlock;
-	}
-
 	/* Needed while unregistering! */
 	driver->minor = lirc_minor;

@ -867,6 +844,29 @@ alloc_status_switch:
 			__func__, dev->bus->busnum, dev->devnum);
 unlock:
 	mutex_unlock(&context->ctx_lock);
+
+alloc_status_switch:
+	switch (alloc_status) {
+
+	case 7:
+		if (vfd_ep_found)
+			usb_free_urb(tx_urb);
+	case 6:
+		usb_free_urb(rx_urb);
+	case 5:
+		lirc_buffer_free(rbuf);
+	case 4:
+		kfree(rbuf);
+	case 3:
+		kfree(driver);
+	case 2:
+		kfree(context);
+		context = NULL;
+	case 1:
+		if (retval == 0)
+			retval = -ENOMEM;
+	}
+
 exit:
 	return retval;
 }