m501fb: don't return zero on failure path in sm501fb_probe()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If no framebuffers found, sm501fb_probe() breaks off initialization,
deallocates sm501fb_info, but returns zero. As a result, use after free
can happen in sm501fb_remove().

The patch adds -ENODEV as a return value in this case.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>

authored by

Alexey Khoroshilov and committed by

Tomi Valkeinen 11 years ago 81676485 d301a5ac

1 changed file

expand all

drivers

video

fbdev

sm501fb.c

drivers/video/fbdev/sm501fb.c

··· 1988 1988 if (info->fb[HEAD_PANEL] == NULL && 1989 1989 info->fb[HEAD_CRT] == NULL) { 1990 1990 dev_err(dev, "no framebuffers found\n"); 1991 + ret = -ENODEV; 1991 1992 goto err_alloc; 1992 1993 } 1993 1994