Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759202AbcDAOe0 (ORCPT ); Fri, 1 Apr 2016 10:34:26 -0400 Received: from mail-wm0-f49.google.com ([74.125.82.49]:35804 "EHLO mail-wm0-f49.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759154AbcDAOeZ (ORCPT ); Fri, 1 Apr 2016 10:34:25 -0400 From: Sudip Mukherjee To: Jens Axboe Cc: linux-kernel@vger.kernel.org, linux-block@vger.kernel.org, Sudip Mukherjee , Johannes Thumshirn Subject: [PATCH v2] block: fix possible NULL dereference Date: Fri, 1 Apr 2016 15:34:18 +0100 Message-Id: <1459521258-18534-1-git-send-email-sudipm.mukherjee@gmail.com> X-Mailer: git-send-email 2.1.4 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1238 Lines: 41 We were checking for iter to be NULL after dereferencing it. There is actually no need to check for iter to be NULL as all the callers of blk_rq_map_user_iov() does call it with a valid pointer to struct iov_iter. But as iter->count can be NULL so the assignment to copy is being done after checking for it. Signed-off-by: Sudip Mukherjee --- v2: removed the check for iter v1: moved the assignment to copy after check for iter and iter->count block/blk-map.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/block/blk-map.c b/block/blk-map.c index a54f054..e15b4aa 100644 --- a/block/blk-map.c +++ b/block/blk-map.c @@ -126,14 +126,15 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, const struct iov_iter *iter, gfp_t gfp_mask) { struct iovec iov, prv = {.iov_base = NULL, .iov_len = 0}; - bool copy = (q->dma_pad_mask & iter->count) || map_data; + bool copy; struct bio *bio = NULL; struct iov_iter i; int ret; - if (!iter || !iter->count) + if (!iter->count) return -EINVAL; + copy = (q->dma_pad_mask & iter->count) || map_data; iov_for_each(iov, i, *iter) { unsigned long uaddr = (unsigned long) iov.iov_base; -- 2.1.4
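Review bot: moving the `copy` assignment below the `if (!iter->count)` check is not required once `iter` is assumed to be non-NULL. Evaluating `(q->dma_pad_mask & iter->count) || map_data` with a zero count reads a valid field and has no side effects, so the initializer could stay in the declaration and the change could reduce to dropping `!iter ||` from the condition. If the move is kept for readability, the changelog should give that as the reason. With the `!iter` test gone, the function depends on every caller passing a valid `struct iov_iter` pointer, so a short comment above `blk_rq_map_user_iov()` stating that `iter` must not be NULL would record that contract for future callers.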