Input: joydev - fix possible ERR_PTR() dereferencing
author Javier Martinez Canillas <javier@osg.samsung.com>
Tue, 6 Oct 2015 22:23:36 +0000 (15:23 -0700)
committer Dmitry Torokhov <dmitry.torokhov@gmail.com>
Tue, 6 Oct 2015 23:38:40 +0000 (16:38 -0700)

Commit 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate
memory from user-space") changed the kmalloc() and copy_from_user()
with a single call to memdup_user() but wrongly used the same error
path as the old code in which the buffer allocated by kmalloc() was
freed if copy_from_user() failed.

This is of course wrong since if memdup_user() fails, no memory was
allocated and the error in the error-valued pointer should be returned.

Fixes: 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate
memory from user-space")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
drivers/input/joydev.c

index e3dcd4abae182e1f4758cc556d274cfeb09b381c..5d11fea3c8eccd10dbd892d4898d4b0ecca3aacd 100644 (file)
@@ -445,10 +445,8 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev,
 
        /* Validate the map. */
        abspam = memdup_user(argp, len);
-       if (IS_ERR(abspam)) {
-               retval = PTR_ERR(abspam);
-               goto out;
-       }
+       if (IS_ERR(abspam))
+               return PTR_ERR(abspam);
 
        for (i = 0; i < joydev->nabs; i++) {
                if (abspam[i] > ABS_MAX) {
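Review bot: The new `return PTR_ERR(abspam);` bypasses the `out` label that the removed lines jumped to, so it is only correct if nothing acquired earlier in joydev_handle_JSIOCSAXMAP() has to be released there. The hunk does not show the start of the function, so please confirm that no lock or earlier allocation is held when memdup_user() is called. If that holds, the direct return is the right form, since an error-valued pointer must never reach a cleanup path that frees it.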
@@ -478,10 +476,8 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev,
 
        /* Validate the map. */
        keypam = memdup_user(argp, len);
-       if (IS_ERR(keypam)) {
-               retval = PTR_ERR(keypam);
-               goto out;
-       }
+       if (IS_ERR(keypam))
+               return PTR_ERR(keypam);
 
        for (i = 0; i < joydev->nkey; i++) {
                if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
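Review bot: The validation loop in the trailing context reads keypam[i] for every i < joydev->nkey, but the buffer returned by memdup_user(argp, len) holds only len bytes, and nothing visible in this hunk ties len to nkey. Please check that len is verified to cover joydev->nkey entries (nkey * sizeof(*keypam) if the elements are wider than one byte) before the loop, otherwise a short len from user space lets the loop read past the end of the allocation. The same question applies to the abspam loop over joydev->nabs in JSIOCSAXMAP. It is separate from the ERR_PTR fix here and could go in a follow-up patch.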