commit 250f7a5f62a08985af5cf7728ae7ba9edbfdc0a9 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[media] lirc_dev: fixes in lirc_dev_fop_read()

This makes several changes but they're in one function and sort of
related:

"buf" was leaked on error. The leak if we try to read an invalid
length is the main concern because it could be triggered over and
over.

If the copy_to_user() failed, then the original code returned the
number of bytes remaining. read() is supposed to be the opposite way,
where we return the number of bytes copied. I changed it to just return
-EFAULT on errors.

Also I changed the debug output from "-EFAULT" to just "<fail>" because
it isn't -EFAULT necessarily. And since we go though that path if the
length is invalid now, there was another debug print that I removed.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>

authored by Dan Carpenter and committed by Mauro Carvalho Chehab 15 years ago 250f7a5f 5c769a68

+15 -10

1 changed file

expand all

unified split

drivers

media

lirc_dev.c

+15 -10

drivers/media/IR/lirc_dev.c

··· 647 647 if (!buf) 648 648 return -ENOMEM; 649 649 650 - if (mutex_lock_interruptible(&ir->irctl_lock)) 651 - return -ERESTARTSYS; 650 + if (mutex_lock_interruptible(&ir->irctl_lock)) { 651 + ret = -ERESTARTSYS; 652 + goto out_unlocked; 653 + } 652 654 if (!ir->attached) { 653 - mutex_unlock(&ir->irctl_lock); 654 - return -ENODEV; 655 + ret = -ENODEV; 656 + goto out_locked; 655 657 } 656 658 657 659 if (length % ir->chunk_size) { 658 - dev_dbg(ir->d.dev, LOGHEAD "read result = -EINVAL\n", 659 - ir->d.name, ir->d.minor); 660 - mutex_unlock(&ir->irctl_lock); 661 - return -EINVAL; 660 + ret = -EINVAL; 661 + goto out_locked; 662 662 } 663 663 664 664 /* ··· 709 709 lirc_buffer_read(ir->buf, buf); 710 710 ret = copy_to_user((void *)buffer+written, buf, 711 711 ir->buf->chunk_size); 712 - written += ir->buf->chunk_size; 712 + if (!ret) 713 + written += ir->buf->chunk_size; 714 + else 715 + ret = -EFAULT; 713 716 } 714 717 } 715 718 716 719 remove_wait_queue(&ir->buf->wait_poll, &wait); 717 720 set_current_state(TASK_RUNNING); 721 + 722 + out_locked: 718 723 mutex_unlock(&ir->irctl_lock); 719 724 720 725 out_unlocked: 721 726 kfree(buf); 722 727 dev_dbg(ir->d.dev, LOGHEAD "read result = %s (%d)\n", 723 - ir->d.name, ir->d.minor, ret ? "-EFAULT" : "OK", ret); 728 + ir->d.name, ir->d.minor, ret ? "<fail>" : "<ok>", ret); 724 729 725 730 return ret ? ret : written; 726 731 }