Commit 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate
memory from user-space") changed the kmalloc() and copy_from_user()
with a single call to memdup_user() but wrongly used the same error
path as the old code in which the buffer allocated by kmalloc() was
freed if copy_from_user() failed.

This is of course wrong since if memdup_user() fails, no memory was
allocated and the error in the error-valued pointer should be returned.

Fixes: 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate memory from user-space")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
/* Validate the map. */
abspam = memdup_user(argp, len);
- if (IS_ERR(abspam)) {
- retval = PTR_ERR(abspam);
- goto out;
- }
+ if (IS_ERR(abspam))
+ return PTR_ERR(abspam);
for (i = 0; i < joydev->nabs; i++) {
if (abspam[i] > ABS_MAX) {
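Review bot: the direct "return PTR_ERR(abspam);" is only safe if nothing acquired before the memdup_user() call needs unwinding, and the hunk does not show what the "out" label releases besides the buffer. Please confirm that no lock or second allocation is live at this point, and that retval is still assigned on every remaining path that jumps to out now that this assignment is gone. A one-line comment at the label saying it expects a valid abspam would keep a later change from routing an error-valued pointer back into it.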
/* Validate the map. */
keypam = memdup_user(argp, len);
- if (IS_ERR(keypam)) {
- retval = PTR_ERR(keypam);
- goto out;
- }
+ if (IS_ERR(keypam))
+ return PTR_ERR(keypam);
for (i = 0; i < joydev->nkey; i++) {
if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
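Review bot: the validation loop right after the new IS_ERR(keypam) check reads keypam[i] for every i below joydev->nkey, while the buffer holds only the len bytes copied by memdup_user(argp, len), and nothing visible here ties len to nkey elements. If len can be smaller than nkey * sizeof(*keypam), the loop reads past the end of the allocation. Suggest either rejecting a short len before the copy or bounding the loop by the number of elements actually copied; the same question applies to abspam and joydev->nabs in the first hunk.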