media: lirc: don't kfree the uninitialized pointer txbuf

The current error exit path if ir_raw_encode_scancode fails is via the
label out_kfree which kfree's an uninitialized pointer txbuf. Fix this
by exiting via a new exit path that does not kfree txbuf.  Also exit
via this new exit path for a failed allocation of txbuf to avoid a
redundant kfree on a NULL pointer (to save a bunch of CPU cycles).

Detected by: CoverityScan, CID#1463070 ("Uninitialized pointer read")

Fixes: f81a8158d4fb ("media: lirc: release lock before sleep")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c
index 713d42e4b66125bf05446dbf3dc0a43ada9ffe68..c04c546bf0920a17115d0e9d75e1195a21f05747 100644 (file)
--- a/drivers/media/rc/lirc_dev.c
+++ b/drivers/media/rc/lirc_dev.c
@@ -295,14 +295,14 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
                ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode,
                                             raw, LIRCBUF_SIZE);
                if (ret < 0)
-                       goto out_kfree;
+                       goto out_kfree_raw;
 
                count = ret;
 
                txbuf = kmalloc_array(count, sizeof(unsigned int), GFP_KERNEL);
                if (!txbuf) {
                        ret = -ENOMEM;
-                       goto out_kfree;
+                       goto out_kfree_raw;
                }
 
                for (i = 0; i < count; i++)
@@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, const char __user *buf,
        return n;
 out_kfree:
        kfree(txbuf);
+out_kfree_raw:
        kfree(raw);
 out_unlock:
        mutex_unlock(&dev->lock);