[PATCH] [media] hdpvr: fix null pointer dereference on error path in hdpvr_probe()

From: Alexey Khoroshilov
Date: Fri Sep 16 2011 - 17:26:30 EST


dev->free_buff_list and dev->rec_buff_list are zero initialized after
kzalloc of dev. If something goes wrong before INIT_LIST_HEAD for them,
goto error leads to a call to hdpvr_delete() and then to hdpvr_free_buffers(),
where the lists are dereferenced.

The patch moves INIT_LIST_HEAD before the first possible failure.

Signed-off-by: Alexey Khoroshilov <khoroshilov@xxxxxxxxx>
---
drivers/media/video/hdpvr/hdpvr-core.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/media/video/hdpvr/hdpvr-core.c b/drivers/media/video/hdpvr/hdpvr-core.c
index 441dacf..fe0a088 100644
--- a/drivers/media/video/hdpvr/hdpvr-core.c
+++ b/drivers/media/video/hdpvr/hdpvr-core.c
@@ -295,6 +295,10 @@ static int hdpvr_probe(struct usb_interface *interface,
goto error;
}

+ /* init video transfer queues */
+ INIT_LIST_HEAD(&dev->free_buff_list);
+ INIT_LIST_HEAD(&dev->rec_buff_list);
+
dev->workqueue = 0;

/* register v4l2_device early so it can be used for printks */
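
Review bot: the new INIT_LIST_HEAD calls still sit below a `goto error;` that is visible in the context just above them, so that earlier exit reaches the error label with both list heads uninitialised. If that branch is the failed allocation of dev, this is harmless as long as the error label skips hdpvr_delete() when dev is NULL, but the changelog should say so, since "before the first possible failure" is not literally what the hunk shows. It would also help to extend the moved comment to record that the lists must be valid before any `goto error` that can reach hdpvr_free_buffers(), so a later reordering does not reintroduce the dereference. Separately, `dev->workqueue = 0;` in the context assigns 0 to a pointer on a structure the changelog says comes from kzalloc; it could be dropped, or written as NULL.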
@@ -319,10 +323,6 @@ static int hdpvr_probe(struct usb_interface *interface,
if (!dev->workqueue)
goto error;

- /* init video transfer queues */
- INIT_LIST_HEAD(&dev->free_buff_list);
- INIT_LIST_HEAD(&dev->rec_buff_list);
-
dev->options = hdpvr_default_options;

if (default_video_input < HDPVR_VIDEO_INPUTS)
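
Review bot: the `if (!dev->workqueue) goto error;` branch in the context above the removed lines sets no return value of its own, so whatever the function's return variable holds at that point is what probe reports. Since this patch is specifically about making the early error exits safe, please confirm that this path returns a negative errno (for example -ENOMEM) rather than 0, otherwise the probe would report success after hdpvr_delete() has already torn dev down. The removal itself looks fine: the only statements between the new and old positions of the list initialisation are the ones that can now fail safely.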
--
1.7.4.1
