From: Anton Vasilyev
To: Dan Carpenter
Cc: Anton Vasilyev, Andy Shevchenko, Sinan Kaya, Johannes Thumshirn, Gaurav Pathak, Hannes Reinecke, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
Subject: [PATCH v2] staging: rts5208: add check on NULL before dereference
Date: Wed, 13 Jun 2018 19:55:01 +0300
Message-Id: <20180613165501.30669-1-vasilyev@ispras.ru>
In-Reply-To: <20180612130640.6lcnn4cj7cval7aw@mwanda>

If rtsx_probe() fails to allocate dev->chip, then a NULL pointer dereference occurs at release_everything()->rtsx_release_resources().

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev
---
v2: Add error handling into rtsx_probe based on Dan Carpenter's comment.
I do not have the corresponding hardware, so the patch was tested by compilation only.
I faced an inaccuracy at rtsx_remove() and original rtsx_probe(): there is a quiesce_and_remove_host() call with scsi_remove_host() inside, whereas release_everything() calls scsi_host_put() after this scsi_remove_host() call. This is strange to me.
Also, I do not know whether it is required to check the result value of the rtsx_init_chip() call in rtsx_probe().
---
drivers/staging/rts5208/rtsx.c | 38 +++++++++++++++++++++++----------- 1 file changed, 26 insertions(+), 12 deletions(-) diff --git a/drivers/staging/rts5208/rtsx.c b/drivers/staging/rts5208/rtsx.c index 70e0b8623110..69e6abe14abf 100644 --- a/drivers/staging/rts5208/rtsx.c +++ b/drivers/staging/rts5208/rtsx.c @@ -857,7 +857,7 @@ static int rtsx_probe(struct pci_dev *pci, dev->chip = kzalloc(sizeof(*dev->chip), GFP_KERNEL); if (!dev->chip) { err = -ENOMEM; - goto errout; + goto chip_alloc_fail; } spin_lock_init(&dev->reg_lock); @@ -879,7 +879,7 @@ static int rtsx_probe(struct pci_dev *pci, if (!dev->remap_addr) { dev_err(&pci->dev, "ioremap error\n"); err = -ENXIO; - goto errout; + goto ioremap_fail; } /* @@ -894,7 +894,7 @@ static int rtsx_probe(struct pci_dev *pci, if (!dev->rtsx_resv_buf) { dev_err(&pci->dev, "alloc dma buffer fail\n"); err = -ENXIO; - goto errout; + goto dma_alloc_fail; } dev->chip->host_cmds_ptr = dev->rtsx_resv_buf; dev->chip->host_cmds_addr = dev->rtsx_resv_buf_addr; @@ -915,7 +915,7 @@ static int rtsx_probe(struct pci_dev *pci, if (rtsx_acquire_irq(dev) < 0) { err = -EBUSY; - goto errout; + goto irq_acquire_fail; } pci_set_master(pci);
@@ -935,14 +935,14 @@ static int rtsx_probe(struct pci_dev *pci, if (IS_ERR(th)) { dev_err(&pci->dev, "Unable to start control thread\n"); err = PTR_ERR(th); - goto errout; + goto control_thread_fail; } dev->ctl_thread = th; err = scsi_add_host(host, &pci->dev); if (err) { dev_err(&pci->dev, "Unable to add the scsi host\n"); - goto errout; + goto scsi_add_host_fail; } /* Start up the thread for delayed SCSI-device scanning */ @@ -950,18 +950,16 @@ static int rtsx_probe(struct pci_dev *pci, if (IS_ERR(th)) { dev_err(&pci->dev, "Unable to start the device-scanning thread\n"); complete(&dev->scanning_done); - quiesce_and_remove_host(dev); err = PTR_ERR(th); - goto errout; + goto scan_thread_fail; } /* Start up the thread for polling thread */ th = kthread_run(rtsx_polling_thread, dev, "rtsx-polling"); if (IS_ERR(th)) { dev_err(&pci->dev, "Unable to start the device-polling thread\n"); - quiesce_and_remove_host(dev); err = PTR_ERR(th); - goto errout; + goto scan_thread_fail; } dev->polling_thread = th; @@ -970,9 +968,25 @@ static int rtsx_probe(struct pci_dev *pci, return 0; /* We come here if there are any problems */ -errout: +scan_thread_fail: + quiesce_and_remove_host(dev); +scsi_add_host_fail: + complete(&dev->cmnd_ready); + wait_for_completion(&dev->control_exit); +control_thread_fail: + free_irq(dev->irq, (void *)dev); + rtsx_release_chip(dev->chip); +irq_acquire_fail: + dev->chip->host_cmds_ptr = NULL; + dev->chip->host_sg_tbl_ptr = NULL; + if (dev->chip->msi_en) + pci_disable_msi(dev->pci); +dma_alloc_fail: + iounmap(dev->remap_addr); +ioremap_fail: + kfree(dev->chip); +chip_alloc_fail: dev_err(&pci->dev, "%s failed\n", __func__); - release_everything(dev); return err; } -- 2.17.1
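
Review bot: the subject line no longer describes the change as of the first hunk (@@ -857): no NULL check is added anywhere in the diff, the kzalloc() failure is instead routed to chip_alloc_fail so that release_everything() is never reached with dev->chip unset. Retitle v2 to say that it reworks the error handling in rtsx_probe(), and mention in the commit message that errout is replaced by staged unwind labels, so the log matches what is actually merged.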
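
Review bot: in the @@ -950 hunk the polling-thread failure jumps to scan_thread_fail, a label named after a different failing step, which makes the unwind order hard to audit. Labels named after what they undo (for example a label that says it removes the host, one that stops the control thread, one that frees the irq) would let both kthread_run() failure paths share a target without the name being misleading, and the same naming would help the other labels introduced by this patch.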
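
Review bot: in the last hunk (@@ -970), removing release_everything(dev) also removes the scsi_host_put() that, per the v2 notes, release_everything() performs, and none of the new labels from scan_thread_fail down to chip_alloc_fail puts the host reference, so every failure path now returns without dropping it. Add the scsi_host_put() at the end of the chain, after chip_alloc_fail, so the chip-allocation failure path is covered as well. Separately, the scsi_add_host_fail entry reaches wait_for_completion(&dev->control_exit) without quiesce_and_remove_host() having run; since the patch was only compile-tested, please confirm that the control thread exits on complete(&dev->cmnd_ready) alone, otherwise this wait never returns.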