On Wed, Jan 10, 2018 at 12:36:23PM +0300, Dan Carpenter wrote: > The "txbuf" is uninitialized when we call ir_raw_encode_scancode() so > this failure path would lead to a crash.
Thanks for reporting this issue, however I'm afraid that the issue has already been resolved: https://www.mail-archive.com/linux-media@vger.kernel.org/msg123672.html and: https://git.linuxtv.org/media_tree.git/commit/?id=8d25e15d94a2d7b60c28d3a30e4e0e780cab2056 Many thanks, Sean > > Fixes: a74b2bff5945 ("media: lirc: do not pass ERR_PTR to kfree") > Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com> > > diff --git a/drivers/media/rc/lirc_dev.c b/drivers/media/rc/lirc_dev.c > index fae42f120aa4..5efe9cd2309a 100644 > --- a/drivers/media/rc/lirc_dev.c > +++ b/drivers/media/rc/lirc_dev.c > @@ -295,7 +295,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, > const char __user *buf, > ret = ir_raw_encode_scancode(scan.rc_proto, scan.scancode, > raw, LIRCBUF_SIZE); > if (ret < 0) > - goto out_kfree; > + goto out_free_raw; > > count = ret; > > @@ -366,6 +366,7 @@ static ssize_t ir_lirc_transmit_ir(struct file *file, > const char __user *buf, > return n; > out_kfree: > kfree(txbuf); > +out_free_raw: > kfree(raw); > out_unlock: > mutex_unlock(&dev->lock);
