[media] lirc: fix error paths in lirc_cdev_add()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

"c77d17c0 [media] lirc: use-after free" introduces two problems:
cdev_del() can be called with a NULL argument, and the kobject_put()
path will cause a double free.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>

authored by

Sean Young and committed by

Mauro Carvalho Chehab 9 years ago b40769ee 00361133

+3 -5

1 changed file

expand all

drivers

media

lirc_dev.c

+3 -5

drivers/media/rc/lirc_dev.c

··· 157 157 158 158 static int lirc_cdev_add(struct irctl *ir) 159 159 { 160 - int retval = -ENOMEM; 161 160 struct lirc_driver *d = &ir->d; 162 161 struct cdev *cdev; 162 + int retval; 163 163 164 164 cdev = cdev_alloc(); 165 165 if (!cdev) 166 - goto err_out; 166 + return -ENOMEM; 167 167 168 168 if (d->fops) { 169 169 cdev->ops = d->fops; ··· 177 177 goto err_out; 178 178 179 179 retval = cdev_add(cdev, MKDEV(MAJOR(lirc_base_dev), d->minor), 1); 180 - if (retval) { 181 - kobject_put(&cdev->kobj); 180 + if (retval) 182 181 goto err_out; 183 - } 184 182 185 183 ir->cdev = cdev; 186 184