* [PATCH] fix potential NULL pointer dereference in yam
@ 2006-05-14 13:12 Jesper Juhl
2006-05-14 14:09 ` Alexey Dobriyan
2006-05-14 17:08 ` Ralf Baechle
0 siblings, 2 replies; 5+ messages in thread
From: Jesper Juhl @ 2006-05-14 13:12 UTC (permalink / raw)
To: linux-kernel; +Cc: Frederic Rible, Jean-Paul Roubelat, linux-hams, Jesper Juhl
Testing a pointer for NULL after it has already been dereferenced is not
very safe.
Patch below to rework yam_open() so that `dev' is not dereferenced until
after it has been tested for NULL.
Found by coverity checker as #787
(please Cc me on replies)
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---
drivers/net/hamradio/yam.c | 18 ++++++++++++++----
1 files changed, 14 insertions(+), 4 deletions(-)
--- linux-2.6.17-rc4-git2-orig/drivers/net/hamradio/yam.c 2006-05-13 21:28:27.000000000 +0200
+++ linux-2.6.17-rc4-git2/drivers/net/hamradio/yam.c 2006-05-14 15:07:00.000000000 +0200
@@ -845,15 +845,25 @@ static struct net_device_stats *yam_get_
static int yam_open(struct net_device *dev)
{
- struct yam_port *yp = netdev_priv(dev);
+ struct yam_port *yp;
enum uart u;
int i;
- int ret=0;
+ int ret = 0;
- printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n", dev->name, dev->base_addr, dev->irq);
+ if (!dev) {
+ printk(KERN_ERR "yam_open() called without device\n");
+ return -ENXIO;
+ }
- if (!dev || !yp->bitrate)
+ yp = netdev_priv(dev);
+ if (!yp->bitrate) {
+ printk(KERN_ERR "%s: no bitrate\n", dev->name);
return -ENXIO;
+ }
+
+ printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n",
+ dev->name, dev->base_addr, dev->irq);
+
if (!dev->base_addr || dev->base_addr > 0x1000 - YAM_EXTENT ||
dev->irq < 2 || dev->irq > 15) {
return -ENXIO;
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix potential NULL pointer dereference in yam
2006-05-14 13:12 [PATCH] fix potential NULL pointer dereference in yam Jesper Juhl
@ 2006-05-14 14:09 ` Alexey Dobriyan
2006-05-15 20:19 ` Jesper Juhl
2006-05-14 17:08 ` Ralf Baechle
1 sibling, 1 reply; 5+ messages in thread
From: Alexey Dobriyan @ 2006-05-14 14:09 UTC (permalink / raw)
To: Jesper Juhl; +Cc: linux-kernel, Frederic Rible, Jean-Paul Roubelat, linux-hams
On Sun, May 14, 2006 at 03:12:50PM +0200, Jesper Juhl wrote:
> Testing a pointer for NULL after it has already been dereferenced is not
> very safe.
> Patch below to rework yam_open() so that `dev' is not dereferenced until
> after it has been tested for NULL.
> Found by coverity checker as #787
> --- linux-2.6.17-rc4-git2-orig/drivers/net/hamradio/yam.c
> +++ linux-2.6.17-rc4-git2/drivers/net/hamradio/yam.c
> @@ -845,15 +845,25 @@ static struct net_device_stats *yam_get_
>
> static int yam_open(struct net_device *dev)
> {
> - struct yam_port *yp = netdev_priv(dev);
> + struct yam_port *yp;
> enum uart u;
> int i;
> - int ret=0;
> + int ret = 0;
Please, don't make unrelated changes.
> - printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n", dev->name, dev->base_addr, dev->irq);
> + if (!dev) {
> + printk(KERN_ERR "yam_open() called without device\n");
> + return -ENXIO;
> + }
How can it be NULL here? The whole array of valid net_devices was
allocated at module init time.
> - if (!dev || !yp->bitrate)
> + yp = netdev_priv(dev);
> + if (!yp->bitrate) {
> + printk(KERN_ERR "%s: no bitrate\n", dev->name);
> return -ENXIO;
> + }
> +
> + printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n",
> + dev->name, dev->base_addr, dev->irq);
> +
> if (!dev->base_addr || dev->base_addr > 0x1000 - YAM_EXTENT ||
> dev->irq < 2 || dev->irq > 15) {
> return -ENXIO;
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix potential NULL pointer dereference in yam
2006-05-14 13:12 [PATCH] fix potential NULL pointer dereference in yam Jesper Juhl
2006-05-14 14:09 ` Alexey Dobriyan
@ 2006-05-14 17:08 ` Ralf Baechle
1 sibling, 0 replies; 5+ messages in thread
From: Ralf Baechle @ 2006-05-14 17:08 UTC (permalink / raw)
To: Jesper Juhl; +Cc: linux-kernel, Frederic Rible, Jean-Paul Roubelat, linux-hams
On Sun, May 14, 2006 at 03:12:50PM +0200, Jesper Juhl wrote:
> Testing a pointer for NULL after it has already been dereferenced is not
> very safe.
> Patch below to rework yam_open() so that `dev' is not dereferenced until
> after it has been tested for NULL.
It may not obvious and that itself is some sort of bug bug netdev_priv()
assumes that the private part of struct netdev has been allocated
immediately following struct netdev, so the macro will compile into just
pointer arithmetic. So no possible NULL pointer dereference here.
Ralf
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix potential NULL pointer dereference in yam
2006-05-14 14:09 ` Alexey Dobriyan
@ 2006-05-15 20:19 ` Jesper Juhl
2006-05-16 9:57 ` Ralf Baechle
0 siblings, 1 reply; 5+ messages in thread
From: Jesper Juhl @ 2006-05-15 20:19 UTC (permalink / raw)
To: Alexey Dobriyan
Cc: linux-kernel, Frederic Rible, Jean-Paul Roubelat, linux-hams,
Ralf Baechle, Jesper Juhl
On Sunday 14 May 2006 16:09, Alexey Dobriyan wrote:
> On Sun, May 14, 2006 at 03:12:50PM +0200, Jesper Juhl wrote:
> > Testing a pointer for NULL after it has already been dereferenced is not
> > very safe.
> > Patch below to rework yam_open() so that `dev' is not dereferenced until
> > after it has been tested for NULL.
>
> > Found by coverity checker as #787
>
> > --- linux-2.6.17-rc4-git2-orig/drivers/net/hamradio/yam.c
> > +++ linux-2.6.17-rc4-git2/drivers/net/hamradio/yam.c
> > @@ -845,15 +845,25 @@ static struct net_device_stats *yam_get_
> >
> > static int yam_open(struct net_device *dev)
> > {
> > - struct yam_port *yp = netdev_priv(dev);
> > + struct yam_port *yp;
> > enum uart u;
> > int i;
> > - int ret=0;
> > + int ret = 0;
>
> Please, don't make unrelated changes.
>
Sorry.
> > - printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n", dev->name, dev->base_addr, dev->irq);
> > + if (!dev) {
> > + printk(KERN_ERR "yam_open() called without device\n");
> > + return -ENXIO;
> > + }
>
> How can it be NULL here? The whole array of valid net_devices was
> allocated at module init time.
>
It cannot. You are right, I'm wrong.
I guess removing the check makes sense then ?
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
---
--- linux-2.6.17-rc4-mm1-orig/drivers/net/hamradio/yam.c 2006-05-13 21:28:27.000000000 +0200
+++ linux-2.6.17-rc4-mm1/drivers/net/hamradio/yam.c 2006-05-15 22:16:32.000000000 +0200
@@ -852,7 +852,7 @@ static int yam_open(struct net_device *d
printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n", dev->name, dev->base_addr, dev->irq);
- if (!dev || !yp->bitrate)
+ if (!yp->bitrate)
return -ENXIO;
if (!dev->base_addr || dev->base_addr > 0x1000 - YAM_EXTENT ||
dev->irq < 2 || dev->irq > 15) {
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] fix potential NULL pointer dereference in yam
2006-05-15 20:19 ` Jesper Juhl
@ 2006-05-16 9:57 ` Ralf Baechle
0 siblings, 0 replies; 5+ messages in thread
From: Ralf Baechle @ 2006-05-16 9:57 UTC (permalink / raw)
To: Jesper Juhl
Cc: Alexey Dobriyan, linux-kernel, Frederic Rible, Jean-Paul Roubelat,
linux-hams
On Mon, May 15, 2006 at 10:19:36PM +0200, Jesper Juhl wrote:
> > How can it be NULL here? The whole array of valid net_devices was
> > allocated at module init time.
> >
>
> It cannot. You are right, I'm wrong.
> I guess removing the check makes sense then ?
Yes.
Acked-by: Ralf Baechle <ralf@linux-mips.org>
> Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
> ---
>
> --- linux-2.6.17-rc4-mm1-orig/drivers/net/hamradio/yam.c 2006-05-13 21:28:27.000000000 +0200
> +++ linux-2.6.17-rc4-mm1/drivers/net/hamradio/yam.c 2006-05-15 22:16:32.000000000 +0200
> @@ -852,7 +852,7 @@ static int yam_open(struct net_device *d
>
> printk(KERN_INFO "Trying %s at iobase 0x%lx irq %u\n", dev->name, dev->base_addr, dev->irq);
>
> - if (!dev || !yp->bitrate)
> + if (!yp->bitrate)
> return -ENXIO;
> if (!dev->base_addr || dev->base_addr > 0x1000 - YAM_EXTENT ||
> dev->irq < 2 || dev->irq > 15) {
>
73 de DL5RB op Ralf
--
Loc. JN47BS / CQ 14 / ITU 28 / DOK A21
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2006-05-16 9:57 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-05-14 13:12 [PATCH] fix potential NULL pointer dereference in yam Jesper Juhl
2006-05-14 14:09 ` Alexey Dobriyan
2006-05-15 20:19 ` Jesper Juhl
2006-05-16 9:57 ` Ralf Baechle
2006-05-14 17:08 ` Ralf Baechle
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox