From: Javier Martinez Canillas Date: Tue, 6 Oct 2015 22:23:36 +0000 (-0700) Subject: Input: joydev - fix possible ERR_PTR() dereferencing X-Git-Tag: firefly_0821_release~176^2~541^2~15^2~38 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=5b21e3c740b770fb2548a5a8ea66e544d114d0a8;p=firefly-linux-kernel-4.4.55.git Input: joydev - fix possible ERR_PTR() dereferencing Commit 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate memory from user-space") changed the kmalloc() and copy_from_user() with a single call to memdup_user() but wrongly used the same error path than the old code in which the buffer allocated by kmalloc() was freed if copy_from_user() failed. This is of course wrong since if memdup_user() fails, no memory was allocated and the error in the error-valued pointer should be returned. Fixes: 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate memory from user-space") Reported-by: Dan Carpenter Signed-off-by: Javier Martinez Canillas Signed-off-by: Dmitry Torokhov --- diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c index e3dcd4abae18..5d11fea3c8ec 100644 --- a/drivers/input/joydev.c +++ b/drivers/input/joydev.c @@ -445,10 +445,8 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev, /* Validate the map. */ abspam = memdup_user(argp, len); - if (IS_ERR(abspam)) { - retval = PTR_ERR(abspam); - goto out; - } + if (IS_ERR(abspam)) + return PTR_ERR(abspam); for (i = 0; i < joydev->nabs; i++) { if (abspam[i] > ABS_MAX) { @@ -478,10 +476,8 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev, /* Validate the map. */ keypam = memdup_user(argp, len); - if (IS_ERR(keypam)) { - retval = PTR_ERR(keypam); - goto out; - } + if (IS_ERR(keypam)) + return PTR_ERR(keypam); for (i = 0; i < joydev->nkey; i++) { if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {