linux-scsi.vger.kernel.org archive mirror
* [PATCH] st: fix potential null pointer dereference.
@ 2015-11-18 13:18 Maurizio Lombardi
  2015-11-18 15:19 ` Maurizio Lombardi
  0 siblings, 1 reply; 2+ messages in thread
From: Maurizio Lombardi @ 2015-11-18 13:18 UTC
  To: Kai.Makisara; +Cc: linux-scsi, James.Bottomley

If cdev_add() returns an error, the code calls
cdev_del() passing the STm->cdevs[rew] pointer as parameter;
the problem is that the pointer has not been initialized yet.

This patch fixes the problem by moving the STm->cdevs[rew] pointer
initialization before the call to cdev_add().
It also sets STm->devs[rew] = NULL if device_create() fails, just to be
sure we won't end up calling device_unregister() with an invalid pointer.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
---
 drivers/scsi/st.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index e0a1e52..dff3bdb 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -4083,6 +4083,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
 	}
 	cdev->owner = THIS_MODULE;
 	cdev->ops = &st_fops;
+	STm->cdevs[rew] = cdev;
 
 	error = cdev_add(cdev, cdev_devno, 1);
 	if (error) {
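Review bot: Storing cdev in STm->cdevs[rew] ahead of cdev_add() means that whenever the `if (error)` branch is taken the slot holds a cdev that was never added, so the cleanup reached from that branch has to both release it and reset the slot. The out_free label is not part of this diff; please confirm it sets STm->cdevs[rew] back to NULL after cdev_del(), otherwise later teardown of the same tape would see a stale pointer. The subject says "null pointer dereference" while the description says the pointer "has not been initialized yet"; the commit message should state which of the two the slot actually is at that point.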
@@ -4091,7 +4092,6 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
 		pr_err("st%d: Device not attached.\n", dev_num);
 		goto out_free;
 	}
-	STm->cdevs[rew] = cdev;
 
 	i = mode << (4 - ST_NBR_MODE_BITS);
 	snprintf(name, 10, "%s%s%s", rew ? "n" : "",
@@ -4102,6 +4102,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
 	if (IS_ERR(dev)) {
 		pr_err("st%d: device_create failed\n", dev_num);
 		error = PTR_ERR(dev);
+		STm->devs[rew] = NULL;
 		goto out_free;
 	}
 
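Review bot: The new `STm->devs[rew] = NULL;` in the IS_ERR(dev) branch is justified only as "just to be sure". The check is on the local dev, and no store of dev into STm->devs[rew] ahead of this branch is visible in the diff, so it is unclear what the slot could hold here other than its initial value. If it can be non-NULL on this path, name the caller that would pass it to device_unregister() in the commit message; if it cannot, drop the line or mark it as defensive with a short comment.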
-- 
Maurizio Lombardi



* Re: [PATCH] st: fix potential null pointer dereference.
  2015-11-18 13:18 [PATCH] st: fix potential null pointer dereference Maurizio Lombardi
@ 2015-11-18 15:19 ` Maurizio Lombardi
  0 siblings, 0 replies; 2+ messages in thread
From: Maurizio Lombardi @ 2015-11-18 15:19 UTC
  To: Kai.Makisara; +Cc: linux-scsi, James.Bottomley

Please ignore this one, I sent a V2

On 11/18/2015 02:18 PM, Maurizio Lombardi wrote:
> If cdev_add() returns an error, the code calls
> cdev_del() passing the STm->cdevs[rew] pointer as parameter;
> the problem is that the pointer has not been initialized yet.
> 
> This patch fixes the problem by moving the STm->cdevs[rew] pointer
> initialization before the call to cdev_add().
> It also sets STm->devs[rew] = NULL if device_create() fails, just to be
> sure we won't end up calling device_unregister() with an invalid pointer.
> 
> Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
> ---
>  drivers/scsi/st.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
> index e0a1e52..dff3bdb 100644
> --- a/drivers/scsi/st.c
> +++ b/drivers/scsi/st.c
> @@ -4083,6 +4083,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
>  	}
>  	cdev->owner = THIS_MODULE;
>  	cdev->ops = &st_fops;
> +	STm->cdevs[rew] = cdev;
>  
>  	error = cdev_add(cdev, cdev_devno, 1);
>  	if (error) {
> @@ -4091,7 +4092,6 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
>  		pr_err("st%d: Device not attached.\n", dev_num);
>  		goto out_free;
>  	}
> -	STm->cdevs[rew] = cdev;
>  
>  	i = mode << (4 - ST_NBR_MODE_BITS);
>  	snprintf(name, 10, "%s%s%s", rew ? "n" : "",
> @@ -4102,6 +4102,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
>  	if (IS_ERR(dev)) {
>  		pr_err("st%d: device_create failed\n", dev_num);
>  		error = PTR_ERR(dev);
> +		STm->devs[rew] = NULL;
>  		goto out_free;
>  	}
>  
> 
