diff options
| author | Maurizio Lombardi <mlombard@redhat.com> | 2015-11-18 09:32:44 -0500 |
|---|---|---|
| committer | Martin K. Petersen <martin.petersen@oracle.com> | 2015-11-19 12:12:42 -0500 |
| commit | ab08ee14393724ab52b92be643d588d41a1a05be (patch) | |
| tree | 4d3f3d7c38ad4f9d178a2c15abedb84480ecdcb0 | |
| parent | a35bb4458e5e5c9dc19a0daa0629409285f3b25e (diff) | |
st: fix potential null pointer dereference.
If cdev_add() returns an error, the code calls
cdev_del() passing the STm->cdevs[rew] pointer as parameter;
the problem is that the pointer has not been initialized yet.
This patch fixes the problem by moving the STm->cdevs[rew] pointer
initialization before the call to cdev_add().
It also sets STm->devs[rew] and STm->cdevs[rew] to NULL in
case of failure.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Tomas Henzl <thenzl@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
| -rw-r--r-- | drivers/scsi/st.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c index b37b9b00c4b4..3e79c80bf6c6 100644 --- a/drivers/scsi/st.c +++ b/drivers/scsi/st.c | |||
| @@ -4083,6 +4083,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew) | |||
| 4083 | } | 4083 | } |
| 4084 | cdev->owner = THIS_MODULE; | 4084 | cdev->owner = THIS_MODULE; |
| 4085 | cdev->ops = &st_fops; | 4085 | cdev->ops = &st_fops; |
| 4086 | STm->cdevs[rew] = cdev; | ||
| 4086 | 4087 | ||
| 4087 | error = cdev_add(cdev, cdev_devno, 1); | 4088 | error = cdev_add(cdev, cdev_devno, 1); |
| 4088 | if (error) { | 4089 | if (error) { |
| @@ -4091,7 +4092,6 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew) | |||
| 4091 | pr_err("st%d: Device not attached.\n", dev_num); | 4092 | pr_err("st%d: Device not attached.\n", dev_num); |
| 4092 | goto out_free; | 4093 | goto out_free; |
| 4093 | } | 4094 | } |
| 4094 | STm->cdevs[rew] = cdev; | ||
| 4095 | 4095 | ||
| 4096 | i = mode << (4 - ST_NBR_MODE_BITS); | 4096 | i = mode << (4 - ST_NBR_MODE_BITS); |
| 4097 | snprintf(name, 10, "%s%s%s", rew ? "n" : "", | 4097 | snprintf(name, 10, "%s%s%s", rew ? "n" : "", |
| @@ -4110,8 +4110,9 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew) | |||
| 4110 | return 0; | 4110 | return 0; |
| 4111 | out_free: | 4111 | out_free: |
| 4112 | cdev_del(STm->cdevs[rew]); | 4112 | cdev_del(STm->cdevs[rew]); |
| 4113 | STm->cdevs[rew] = NULL; | ||
| 4114 | out: | 4113 | out: |
| 4114 | STm->cdevs[rew] = NULL; | ||
| 4115 | STm->devs[rew] = NULL; | ||
| 4115 | return error; | 4116 | return error; |
| 4116 | } | 4117 | } |
| 4117 | 4118 | ||