From b28fe28f2a07ee325834179174a95495d2786561 Mon Sep 17 00:00:00 2001
From: Dan Carpenter <error27@gmail.com>
Date: Fri, 20 Feb 2009 15:38:46 -0800
Subject: sx.c: avoid referencing freed memory if copy_from_user() fails
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "break" would just result in reusing a free'd pointer.  I don't have
the cards myself to test it though.  :/

Signed-off-by: Dan Carpenter <error27@gmail.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 drivers/char/sx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'drivers/char')

diff --git a/drivers/char/sx.c b/drivers/char/sx.c
index d7c416566bd9..518f2a25d91e 100644
--- a/drivers/char/sx.c
+++ b/drivers/char/sx.c
@@ -1789,7 +1789,7 @@ static long sx_fw_ioctl(struct file *filp, unsigned int cmd,
 						nbytes - i : SX_CHUNK_SIZE)) {
 					kfree(tmp);
 					rc = -EFAULT;
-					break;
+					goto out;
 				}
 				memcpy_toio(board->base2 + offset + i, tmp,
 						(i + SX_CHUNK_SIZE > nbytes) ?
-- 
cgit v1.2.3