Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp895111imm;
        Wed, 13 Jun 2018 09:56:30 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKJe6TW32ezO9hF7dlS0sAyKdwZmwK1KEnCB6W1Fc8b4yxz2Fb5tpatZL7NHHNNl96VJ0VV5
X-Received: by 2002:a62:a6dd:: with SMTP id r90-v6mr5715061pfl.60.1528908990415;
        Wed, 13 Jun 2018 09:56:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528908990; cv=none;
        d=google.com; s=arc-20160816;
        b=tVFiPprNA1gDCqvs+2Pdp1bE0spWIlnsIUGjaZAH7wz8Kndz9soG7BxUwoi6Do2ib/
         NBq3V3Z8FdEI/CLCB/lqPs3abW2wmczYK+ZaCusgisd134HRHFlZIBeWAat6bOQeNcl9
         gGn3AMSq/u8eIVMfhL/+g6uSQVx422XY6I7CsqnNQcX2YO507vMZObKeGcNb6WERnMFI
         5wR0PMpcQ30gJOh3Ae2XshyyxmaEHjgj8s67PcKUI3MveJGQ7Jv0b2QEHUx8YLju5ZPV
         LoMVuBVKsXg4QKgWlSgwy4ejNdRKkMUfcL5B8wqeRwlJfL34hTDTQjeoMXHcBKIgTJUo
         KnTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:message-id:date:subject:cc:to
         :from:arc-authentication-results;
        bh=7NJ/ZqIiJux67bF57Lqi0P2KdbhX/IJ26RbnUyjDFTc=;
        b=vGOnN9A2jB5bnOUu1zR9uQXkPLRaIYXyfd+KxzTNJXQ4H/q49sOPtAVvCmboMBmu4p
         hSV6vVQ3FnOtjS3zQ1Lf/1ZGkGNgBMUxgSrM2vnohQpNi1jubg18TdErFyVrOmw73Hrw
         /Z7LKauoQ7LFZWUmgytX2OGxzif5NChTnVxKaHKXQgFjorLj+QvX0ma90zgJtHk3kjNk
         iYOUhQt5NakPtidzRBsSeC1wDFgEcE1CsuLlfJzXgJ63RphvRcqmQ9peug/oJ3eMnYij
         sQ6BrRKcS1O32MkWKOOMBEVUgoBsOo0GlCwDXSZc9v+b1r3/yd/HMHxYZFqly2o//Qtj
         6ODg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b26-v6si2675805pgw.394.2018.06.13.09.56.16;
        Wed, 13 Jun 2018 09:56:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S935132AbeFMQzZ (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Wed, 13 Jun 2018 12:55:25 -0400
Received: from bran.ispras.ru ([83.149.199.196]:20691 "EHLO smtp.ispras.ru"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S934794AbeFMQzY (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Jun 2018 12:55:24 -0400
Received: from myklebust.intra.ispras.ru (unknown [10.10.2.207])
        by smtp.ispras.ru (Postfix) with ESMTP id D7264203CD;
        Wed, 13 Jun 2018 11:28:28 +0300 (MSK)
From:   Anton Vasilyev <vasilyev@ispras.ru>
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     Anton Vasilyev <vasilyev@ispras.ru>,
        Andy Shevchenko <andy.shevchenko@gmail.com>,
        Sinan Kaya <okaya@codeaurora.org>,
        Johannes Thumshirn <jthumshirn@suse.de>,
        Gaurav Pathak <gauravpathak129@gmail.com>,
        Hannes Reinecke <hare@suse.de>, devel@driverdev.osuosl.org,
        linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: [PATCH v2] staging: rts5208: add check on NULL before dereference
Date:   Wed, 13 Jun 2018 19:55:01 +0300
Message-Id: <20180613165501.30669-1-vasilyev@ispras.ru>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180612130640.6lcnn4cj7cval7aw@mwanda>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

If rtsx_probe() fails to allocate dev->chip, then NULL pointer
dereference occurs at release_everything()->rtsx_release_resources().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
v2: Add error handling into rtsx_probe based on Dan Carpenter's comment.
I do not have corresponding hardware, so patch was tested by compilation only.

I faced with inaccuracy at rtsx_remove() and original rtsx_probe():
there is quiesce_and_remove_host() call with scsi_remove_host() inside,
whereas release_everything() calls scsi_host_put() after this
scsi_remove_host() call. This is strange for me.

Also I do not know is it require to check result value of
rtsx_init_chip() call on rtsx_probe().
---
 drivers/staging/rts5208/rtsx.c | 38 +++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/drivers/staging/rts5208/rtsx.c b/drivers/staging/rts5208/rtsx.c
index 70e0b8623110..69e6abe14abf 100644
--- a/drivers/staging/rts5208/rtsx.c
+++ b/drivers/staging/rts5208/rtsx.c
@@ -857,7 +857,7 @@ static int rtsx_probe(struct pci_dev *pci,
 	dev->chip = kzalloc(sizeof(*dev->chip), GFP_KERNEL);
 	if (!dev->chip) {
 		err = -ENOMEM;
-		goto errout;
+		goto chip_alloc_fail;
 	}
 
 	spin_lock_init(&dev->reg_lock);
@@ -879,7 +879,7 @@ static int rtsx_probe(struct pci_dev *pci,
 	if (!dev->remap_addr) {
 		dev_err(&pci->dev, "ioremap error\n");
 		err = -ENXIO;
-		goto errout;
+		goto ioremap_fail;
 	}
 
 	/*
@@ -894,7 +894,7 @@ static int rtsx_probe(struct pci_dev *pci,
 	if (!dev->rtsx_resv_buf) {
 		dev_err(&pci->dev, "alloc dma buffer fail\n");
 		err = -ENXIO;
-		goto errout;
+		goto dma_alloc_fail;
 	}
 	dev->chip->host_cmds_ptr = dev->rtsx_resv_buf;
 	dev->chip->host_cmds_addr = dev->rtsx_resv_buf_addr;
@@ -915,7 +915,7 @@ static int rtsx_probe(struct pci_dev *pci,
 
 	if (rtsx_acquire_irq(dev) < 0) {
 		err = -EBUSY;
-		goto errout;
+		goto irq_acquire_fail;
 	}
 
 	pci_set_master(pci);
@@ -935,14 +935,14 @@ static int rtsx_probe(struct pci_dev *pci,
 	if (IS_ERR(th)) {
 		dev_err(&pci->dev, "Unable to start control thread\n");
 		err = PTR_ERR(th);
-		goto errout;
+		goto control_thread_fail;
 	}
 	dev->ctl_thread = th;
 
 	err = scsi_add_host(host, &pci->dev);
 	if (err) {
 		dev_err(&pci->dev, "Unable to add the scsi host\n");
-		goto errout;
+		goto scsi_add_host_fail;
 	}
 
 	/* Start up the thread for delayed SCSI-device scanning */
@@ -950,18 +950,16 @@ static int rtsx_probe(struct pci_dev *pci,
 	if (IS_ERR(th)) {
 		dev_err(&pci->dev, "Unable to start the device-scanning thread\n");
 		complete(&dev->scanning_done);
-		quiesce_and_remove_host(dev);
 		err = PTR_ERR(th);
-		goto errout;
+		goto scan_thread_fail;
 	}
 
 	/* Start up the thread for polling thread */
 	th = kthread_run(rtsx_polling_thread, dev, "rtsx-polling");
 	if (IS_ERR(th)) {
 		dev_err(&pci->dev, "Unable to start the device-polling thread\n");
-		quiesce_and_remove_host(dev);
 		err = PTR_ERR(th);
-		goto errout;
+		goto scan_thread_fail;
 	}
 	dev->polling_thread = th;
 
@@ -970,9 +968,25 @@ static int rtsx_probe(struct pci_dev *pci,
 	return 0;
 
 	/* We come here if there are any problems */
-errout:
+scan_thread_fail:
+	quiesce_and_remove_host(dev);
+scsi_add_host_fail:
+	complete(&dev->cmnd_ready);
+	wait_for_completion(&dev->control_exit);
+control_thread_fail:
+	free_irq(dev->irq, (void *)dev);
+	rtsx_release_chip(dev->chip);
+irq_acquire_fail:
+	dev->chip->host_cmds_ptr = NULL;
+	dev->chip->host_sg_tbl_ptr = NULL;
+	if (dev->chip->msi_en)
+		pci_disable_msi(dev->pci);
+dma_alloc_fail:
+	iounmap(dev->remap_addr);
+ioremap_fail:
+	kfree(dev->chip);
+chip_alloc_fail:
 	dev_err(&pci->dev, "%s failed\n", __func__);
-	release_everything(dev);
 
 	return err;
 }
-- 
2.17.1