[PATCH] PCI: Avoid potential NULL pointer dereference inpci_scan_bridge

From: Jesper Juhl
Date: Mon Jan 24 2011 - 15:13:55 EST

pci_add_new_bus() calls pci_alloc_child_bus() which calls pci_alloc_bus()
that allocates memory dynamically with kzalloc(). The return value of
kzalloc() is the pointer that's eventually returned from
pci_add_new_bus(), so since kzalloc() can fail and return NULL so can
pci_add_new_bus(). Thus we may end up dereferencing a NULL pointer in
drivers/pci/probe.c::pci_scan_bridge(). Seems to me we should test for
this and bail out if it happens rather than crashing.
Also removed some trailing whitespace that bugged me while looking at

Signed-off-by: Jesper Juhl <jj@xxxxxxxxxxxxx>
probe.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

compile tested

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index c84900d..44cbbba 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -764,6 +764,8 @@ int __devinit pci_scan_bridge(struct pci_bus *bus, struct pci_dev *dev, int max,
if (pci_find_bus(pci_domain_nr(bus), max+1))
goto out;
child = pci_add_new_bus(bus, dev, ++max);
+ if (!child)
+ goto out;
buses = (buses & 0xff000000)
| ((unsigned int)(child->primary) << 0)
| ((unsigned int)(child->secondary) << 8)
@@ -777,7 +779,7 @@ int __devinit pci_scan_bridge(struct pci_bus *bus, struct pci_dev *dev, int max,
buses &= ~0xff000000;
* We need to blast all three values with a single write.

Jesper Juhl <jj@xxxxxxxxxxxxx> http://www.chaosbits.net/
Don't top-post http://www.catb.org/~esr/jargon/html/T/top-post.html
Plain text mails only, please.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/