Date: Fri, 21 May 2021 13:52:42 +0200
From: Greg Kroah-Hartman To: Evgeny Novikov Cc: Johan Hovold , Nikolay Kyx , Dinghao Liu , Abheek Dhawan , Lee Gibson , linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org Subject: Re: [PATCH] staging: fwserial: Fix potential NULL pointer dereferences Message-ID: References: <20210521114339.8469-1-novikov@ispras.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210521114339.8469-1-novikov@ispras.ru> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 21, 2021 at 02:43:39PM +0300, Evgeny Novikov wrote: > If fwtty_install() will be invoked with such tty->index that will be > not less than MAX_TOTAL_PORTS then fwtty_port_get() will return NULL and > fwtty_install() will either assign it to tty->driver_data or dereference > in fwtty_port_put() (if tty_standard_install() will fail). The similar > situation is with fwloop_install(). The patch fixes both cases. But how can those cases ever happen? > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Evgeny Novikov > --- > drivers/staging/fwserial/fwserial.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/staging/fwserial/fwserial.c b/drivers/staging/fwserial/fwserial.c > index 1ee6382cafc4..d0810896511e 100644 > --- a/drivers/staging/fwserial/fwserial.c > +++ b/drivers/staging/fwserial/fwserial.c > @@ -1069,6 +1069,9 @@ static int fwtty_install(struct tty_driver *driver, struct tty_struct *tty) > struct fwtty_port *port = fwtty_port_get(tty->index); > int err; > > + if (!port) > + return -ENODEV; there's already a valid tty pointer here, so the index can not be "too big". > + > err = tty_standard_install(driver, tty); > if (!err) > tty->driver_data = port; 
> @@ -1082,6 +1085,9 @@ static int fwloop_install(struct tty_driver *driver, struct tty_struct *tty) > struct fwtty_port *port = fwtty_port_get(table_idx(tty->index)); > int err; > > + if (!port) > + return -ENODEV; > + Same here, how can this ever happen? thanks, greg k-h
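Review bot: In the fwtty_install() hunk, the added `if (!port) return -ENODEV;` guards a NULL return from fwtty_port_get(tty->index), but neither the code nor the commit message says which caller could install a tty whose index is at or above MAX_TOTAL_PORTS. Name the reachable path in the commit message, or, if the check is purely defensive against a state that is already ruled out before this function runs, say so in a one-line comment above the check so the early return is not read as handling a real error case.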
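Review bot: In the fwloop_install() hunk, the lookup key is table_idx(tty->index) rather than tty->index, so the commit message's MAX_TOTAL_PORTS reasoning for fwtty_install() does not carry over as written; the description only says "The similar situation is with fwloop_install()". State what range table_idx() produces for the loop driver's indexes and whether any of those values can miss in fwtty_port_get(). Without that, the new `if (!port) return -ENODEV;` is an undocumented check for a condition the description never establishes.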