From: James Bottomley <James.Bottomley@SteelEye.com>
To: Jesper Juhl <jesper.juhl@gmail.com>
Cc: linux-scsi@vger.kernel.org,
Luben Tuikov <luben_tuikov@adaptec.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH][sas] Fix potential NULL pointer dereference bug in sas_smp_get_phy_events()
Date: Fri, 27 Jul 2007 19:02:52 -0400 [thread overview]
Message-ID: <1185577372.3434.29.camel@localhost.localdomain> (raw)
In-Reply-To: <200707272327.57356.jesper.juhl@gmail.com>
On Fri, 2007-07-27 at 23:27 +0200, Jesper Juhl wrote:
> In sas_smp_get_phy_events() we never test if the call to
> alloc_smp_req(RPEL_REQ_SIZE) succeeds or fails. That means we run
> the risk of dereferencing a NULL pointer if it does fail. Far
> better to test if we got NULL back and in that case return -ENOMEM
> just as we already do for the other memory allocation in that
> function.
> This patch reworks the memory allocation a bit to deal with it
> (compile tested only).
>
>
> Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
> ---
>
> drivers/scsi/libsas/sas_expander.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
> index b500f0c..85f5145 100644
> --- a/drivers/scsi/libsas/sas_expander.c
> +++ b/drivers/scsi/libsas/sas_expander.c
> @@ -507,14 +507,21 @@ static int sas_dev_present_in_domain(struct asd_sas_port *port,
> int sas_smp_get_phy_events(struct sas_phy *phy)
> {
> int res;
> + u8 *req;
> + u8 *resp;
> struct sas_rphy *rphy = dev_to_rphy(phy->dev.parent);
> struct domain_device *dev = sas_find_dev_by_rphy(rphy);
> - u8 *req = alloc_smp_req(RPEL_REQ_SIZE);
> - u8 *resp = kzalloc(RPEL_RESP_SIZE, GFP_KERNEL);
>
> + resp = kzalloc(RPEL_RESP_SIZE, GFP_KERNEL);
Actually, this should be alloc_smp_resp(RPEL_RESP_SIZE);
> if (!resp)
> return -ENOMEM;
>
> + req = alloc_smp_req(RPEL_REQ_SIZE);
> + if (!req) {
> + res = -ENOMEM;
> + goto out;
> + }
Just for the sake of being the same as all the rest of the code, the
sequence should be
req = alloc_smp_req(xxx_REQ_SIZE);
if (!req)
return -ENOMEM;
resp = alloc_smp_resp(xxx_RESP_SIZE);
if (!resp) {
kfree(req);
return -ENOMEM;
}
(allocate request then response).
It looks like disc_resp could use a little love too (it's using the req
alloc routines).
James
next prev parent reply other threads:[~2007-07-27 23:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-27 21:27 [PATCH][sas] Fix potential NULL pointer dereference bug in sas_smp_get_phy_events() Jesper Juhl
2007-07-27 23:02 ` James Bottomley [this message]
2007-07-27 23:13 ` Jesper Juhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1185577372.3434.29.camel@localhost.localdomain \
--to=james.bottomley@steeleye.com \
--cc=jesper.juhl@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=luben_tuikov@adaptec.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.