staging: lirc_sasem: fix NULL pointer dereference in sasem_probe

If any memory allocation failed, goto alloc_status_switch leads to mutex_unlock(&context->ctx_lock) while context is NULL. The patch moves alloc_status_switch to handle error conditions in correct way. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
mariux64 · Sep 6, 2011 · 06b3f44 · 06b3f44
1 parent 6699291
commit 06b3f44
Showing 1 changed file with 23 additions and 23 deletions.
diff --git a/drivers/staging/lirc/lirc_sasem.c b/drivers/staging/lirc/lirc_sasem.c
@@ -814,29 +814,6 @@ static int sasem_probe(struct usb_interface *interface,
 		printk(KERN_INFO "%s: Registered Sasem driver (minor:%d)\n",
 			__func__, lirc_minor);
 
-alloc_status_switch:
-
-	switch (alloc_status) {
-
-	case 7:
-		if (vfd_ep_found)
-			usb_free_urb(tx_urb);
-	case 6:
-		usb_free_urb(rx_urb);
-	case 5:
-		lirc_buffer_free(rbuf);
-	case 4:
-		kfree(rbuf);
-	case 3:
-		kfree(driver);
-	case 2:
-		kfree(context);
-		context = NULL;
-	case 1:
-		retval = -ENOMEM;
-		goto unlock;
-	}
-
 	/* Needed while unregistering! */
 	driver->minor = lirc_minor;
 
@@ -867,6 +844,29 @@ static int sasem_probe(struct usb_interface *interface,
 			__func__, dev->bus->busnum, dev->devnum);
 unlock:
 	mutex_unlock(&context->ctx_lock);
+
+alloc_status_switch:
+	switch (alloc_status) {
+
+	case 7:
+		if (vfd_ep_found)
+			usb_free_urb(tx_urb);
+	case 6:
+		usb_free_urb(rx_urb);
+	case 5:
+		lirc_buffer_free(rbuf);
+	case 4:
+		kfree(rbuf);
+	case 3:
+		kfree(driver);
+	case 2:
+		kfree(context);
+		context = NULL;
+	case 1:
+		if (retval == 0)
+			retval = -ENOMEM;
+	}
+
 exit:
 	return retval;
 }