
Commit 454e8957 authored by Ishai Rabinovitz, committed by James Bottomley

[SCSI] sg.c: Fix bad error handling in



I got a NULL dereference in cdev_del+1 when called from sg_remove. By looking at
the code of sg_add, sg_alloc and sg_remove (all in drivers/scsi/sg.c) I found
out that sg_add is calling sg_alloc but if it fails afterwards it does not
deallocate the space that was allocated in sg_alloc and the redundant entry has
NULL in cdev. When sg_remove is being called, it tries to perform cdev_del to
this NULL cdev and fails.

Signed-off-by: Ishai Rabinovitz <ishai@mellanox.co.il>
Acked-by: Douglas Gilbert <dougg@torque.net>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
parent 0f13fc09
+9 −1
@@ -1402,6 +1402,7 @@ sg_add(struct class_device *cl_dev, struct class_interface *cl_intf)
	Sg_device *sdp = NULL;
	struct cdev * cdev = NULL;
	int error, k;
	unsigned long iflags;

	disk = alloc_disk(1);
	if (!disk) {
@@ -1429,7 +1430,7 @@ sg_add(struct class_device *cl_dev, struct class_interface *cl_intf)

	error = cdev_add(cdev, MKDEV(SCSI_GENERIC_MAJOR, k), 1);
	if (error)
		goto out;
		goto cdev_add_err;

	sdp->cdev = cdev;
	if (sg_sysfs_valid) {
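Review bot: Only the cdev_add() failure is redirected to cdev_add_err here, while the commit message describes the leak as happening whenever sg_add fails after sg_alloc. Please confirm that no other `goto out` between sg_alloc and `return 0` (for example in the sg_sysfs_valid block that follows) still leaves the sg_dev_arr entry behind, and consider naming the label after what it undoes rather than after this call site, so later failure paths can reuse it.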
@@ -1456,6 +1457,13 @@ sg_add(struct class_device *cl_dev, struct class_interface *cl_intf)

	return 0;

cdev_add_err:
	write_lock_irqsave(&sg_dev_arr_lock, iflags);
	kfree(sg_dev_arr[k]);
	sg_dev_arr[k] = NULL;
	sg_nr_dev--;
	write_unlock_irqrestore(&sg_dev_arr_lock, iflags);

out:
	put_disk(disk);
	if (cdev)
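Review bot: In the cdev_add_err block, `kfree(sg_dev_arr[k])` runs inside the write_lock_irqsave section, and if sdp refers to the same entry (as `sdp->cdev = cdev` suggests) the local pointer is left dangling afterwards. Consider clearing `sg_dev_arr[k]` and decrementing sg_nr_dev under the lock, freeing after write_unlock_irqrestore, and setting sdp to NULL so nothing added later under out: can touch it. A short comment stating that this block undoes sg_alloc's bookkeeping would also help, since the reason for `sg_nr_dev--` is not visible at this point in sg_add.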