MFC 322270: Fix a NULL pointer dereference in mly_user_command().

If mly_user_command fails to allocate a command slot it jumps to an 'out'
label used for error handling.  The error handling code checks for a data
buffer in 'mc->mc_data' to free before checking if 'mc' is NULL.  Fix by
just returning directly if we fail to allocate a command and only using
the 'out' label for subsequent errors when there is actual cleanup to
perform.

PR:		217747
Reported by:	PVS-Studio

1 files changed, 4 insertions, 7 deletions

diff --git a/sys/dev/mly/mly.c b/sys/dev/mly/mly.c
index 196e4e6..b5096c1 100644
--- a/sys/dev/mly/mly.c
+++ b/sys/dev/mly/mly.c
@@ -2892,8 +2892,7 @@ mly_user_command(struct mly_softc *sc, struct mly_user_command *uc)
     MLY_LOCK(sc);
     if (mly_alloc_command(sc, &mc)) {
 	MLY_UNLOCK(sc);
-	error = ENOMEM;
-	goto out;		/* XXX Linux version will wait for a command */
+	return (ENOMEM);	/* XXX Linux version will wait for a command */
     }
     MLY_UNLOCK(sc);
 
@@ -2952,11 +2951,9 @@ mly_user_command(struct mly_softc *sc, struct mly_user_command *uc)
  out:
     if (mc->mc_data != NULL)
 	free(mc->mc_data, M_DEVBUF);
-    if (mc != NULL) {
-	MLY_LOCK(sc);
-	mly_release_command(mc);
-	MLY_UNLOCK(sc);
-    }
+    MLY_LOCK(sc);
+    mly_release_command(mc);
+    MLY_UNLOCK(sc);
     return(error);
 }