Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Date:   Fri, 24 Aug 2018 08:29:30 +0200
From:   Johan Hovold <johan@kernel.org>
To:     Ding Xiang <dingxiang@cmss.chinamobile.com>
Cc:     johan@kernel.org, elder@kernel.org, gregkh@linuxfoundation.org,
        greybus-dev@lists.linaro.org, devel@driverdev.osuosl.org,
        linux-kernel@vger.kernel.org,
        Viresh Kumar <viresh.kumar@linaro.org>
Subject: Re: [PATCH] staging: greybus: Fix null pointer dereference
Message-ID: <20180824062930.GS14967@localhost>
References: <1535083631-1892-1-git-send-email-dingxiang@cmss.chinamobile.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1535083631-1892-1-git-send-email-dingxiang@cmss.chinamobile.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On Fri, Aug 24, 2018 at 12:07:11AM -0400, Ding Xiang wrote:
> If fw is null then fw->size will trigger null pointer dereference
>
> Signed-off-by: Ding Xiang <dingxiang@cmss.chinamobile.com>
> ---
>  drivers/staging/greybus/bootrom.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/greybus/bootrom.c b/drivers/staging/greybus/bootrom.c
> index e85ffae..3af28a0 100644
> --- a/drivers/staging/greybus/bootrom.c
> +++ b/drivers/staging/greybus/bootrom.c
> @@ -297,7 +297,7 @@ static int gb_bootrom_get_firmware(struct gb_operation *op)
>  
>  queue_work:
>  	/* Refresh timeout */
> -	if (!ret && (offset + size == fw->size))
> +	if (!ret && fw && (offset + size == fw->size))
>  		next_request = NEXT_REQ_READY_TO_BOOT;
>  	else
>  		next_request = NEXT_REQ_GET_FIRMWARE;

How could fw be NULL when ret is 0 here?

It may not be as obvious as one might have wished, but the current code
looks correct to me.

Johan