From: Jesper Juhl <jesper.juhl@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: Luben Tuikov <luben_tuikov@adaptec.com>,
James Bottomley <James.Bottomley@steeleye.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Jesper Juhl <jesper.juhl@gmail.com>
Subject: [PATCH][sas] Fix potential NULL pointer dereference bug in sas_smp_get_phy_events()
Date: Fri, 27 Jul 2007 23:27:57 +0200 [thread overview]
Message-ID: <200707272327.57356.jesper.juhl@gmail.com> (raw)
Hello,
In sas_smp_get_phy_events() we never test if the call to
alloc_smp_req(RPEL_REQ_SIZE) succeeds or fails. That means we run
the risk of dereferencing a NULL pointer if it does fail. Far
better to test if we got NULL back and in that case return -ENOMEM
just as we already do for the other memory allocation in that
function.
This patch reworks the memory allocation a bit to deal with it
(compile tested only).
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---
drivers/scsi/libsas/sas_expander.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index b500f0c..85f5145 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -507,14 +507,21 @@ static int sas_dev_present_in_domain(struct asd_sas_port *port,
int sas_smp_get_phy_events(struct sas_phy *phy)
{
int res;
+ u8 *req;
+ u8 *resp;
struct sas_rphy *rphy = dev_to_rphy(phy->dev.parent);
struct domain_device *dev = sas_find_dev_by_rphy(rphy);
- u8 *req = alloc_smp_req(RPEL_REQ_SIZE);
- u8 *resp = kzalloc(RPEL_RESP_SIZE, GFP_KERNEL);
+ resp = kzalloc(RPEL_RESP_SIZE, GFP_KERNEL);
if (!resp)
return -ENOMEM;
+ req = alloc_smp_req(RPEL_REQ_SIZE);
+ if (!req) {
+ res = -ENOMEM;
+ goto out;
+ }
+
req[1] = SMP_REPORT_PHY_ERR_LOG;
req[9] = phy->number;
PS. Please keep me on Cc when replying.
next reply other threads:[~2007-07-27 21:29 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-27 21:27 Jesper Juhl [this message]
2007-07-27 23:02 ` [PATCH][sas] Fix potential NULL pointer dereference bug in sas_smp_get_phy_events() James Bottomley
2007-07-27 23:13 ` Jesper Juhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200707272327.57356.jesper.juhl@gmail.com \
--to=jesper.juhl@gmail.com \
--cc=James.Bottomley@steeleye.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=luben_tuikov@adaptec.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.