From: Dan Carpenter <error27@gmail.com>
Date: Fri, 20 Feb 2009 23:38:46 +0000 (-0800)
Subject: sx.c: avoid referencing freed memory if copy_from_user() fails
X-Git-Tag: archive/raspbian/4.9.13-1+rpi1~10^2~23871
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=b28fe28f2a07ee325834179174a95495d2786561;p=linux-4.9.git

sx.c: avoid referencing freed memory if copy_from_user() fails

The "break" would just result in reusing a free'd pointer.  I don't have
the cards myself to test it though.  :/

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---

diff --git a/drivers/char/sx.c b/drivers/char/sx.c
index d7c416566bd9..518f2a25d91e 100644
--- a/drivers/char/sx.c
+++ b/drivers/char/sx.c
@@ -1789,7 +1789,7 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd,
 						nbytes - i : SX_CHUNK_SIZE)) {
 					kfree(tmp);
 					rc = -EFAULT;
-					break;
+					goto out;
 				}
 				memcpy_toio(board->base2 + offset + i, tmp,
 						(i + SX_CHUNK_SIZE > nbytes) ?