
Commit ab08ee14 authored by Maurizio Lombardi's avatar Maurizio Lombardi Committed by Martin K. Petersen

st: fix potential null pointer dereference.



If cdev_add() returns an error, the code calls
cdev_del() passing the STm->cdevs[rew] pointer as parameter;
the problem is that the pointer has not been initialized yet.

This patch fixes the problem by moving the STm->cdevs[rew] pointer
initialization before the call to cdev_add().
It also sets STm->devs[rew] and STm->cdevs[rew] to NULL in
case of failure.

Signed-off-by: default avatarMaurizio Lombardi <mlombard@redhat.com>
Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: default avatarTomas Henzl <thenzl@redhat.com>
Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
parent a35bb445
+3 −2
@@ -4083,6 +4083,7 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
	}
	}
	cdev->owner = THIS_MODULE;
	cdev->owner = THIS_MODULE;
	cdev->ops = &st_fops;
	cdev->ops = &st_fops;
	STm->cdevs[rew] = cdev;


	error = cdev_add(cdev, cdev_devno, 1);
	error = cdev_add(cdev, cdev_devno, 1);
	if (error) {
	if (error) {
@@ -4091,7 +4092,6 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
		pr_err("st%d: Device not attached.\n", dev_num);
		pr_err("st%d: Device not attached.\n", dev_num);
		goto out_free;
		goto out_free;
	}
	}
	STm->cdevs[rew] = cdev;


	i = mode << (4 - ST_NBR_MODE_BITS);
	i = mode << (4 - ST_NBR_MODE_BITS);
	snprintf(name, 10, "%s%s%s", rew ? "n" : "",
	snprintf(name, 10, "%s%s%s", rew ? "n" : "",
@@ -4110,8 +4110,9 @@ static int create_one_cdev(struct scsi_tape *tape, int mode, int rew)
	return 0;
	return 0;
out_free:
out_free:
	cdev_del(STm->cdevs[rew]);
	cdev_del(STm->cdevs[rew]);
	STm->cdevs[rew] = NULL;
out:
out:
	STm->cdevs[rew] = NULL;
	STm->devs[rew] = NULL;
	return error;
	return error;
}
}
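Review bot: The `out_free` path still releases the cdev through the shared slot, `cdev_del(STm->cdevs[rew]);`, so the cleanup is only correct because the store `STm->cdevs[rew] = cdev;` now precedes `cdev_add()`. Calling `cdev_del(cdev);` on the local pointer would make the error path independent of where that assignment sits, so a later reordering could not reintroduce the NULL dereference. The moved store also publishes the pointer in `STm` before the device is registered; whether anything reads `STm->cdevs[rew]` concurrently is not visible here, so a short comment at the assignment such as `/* set before cdev_add(): out_free releases it via STm->cdevs[rew] */` would record the dependency. The `out:` label now clears both `STm->cdevs[rew]` and `STm->devs[rew]` for every failure path, including any earlier `goto out` outside these hunks, which is presumably intended but worth confirming against the callers' teardown. Only parts of `create_one_cdev` are shown; its body starts before the first hunk.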