[patch] rapidio: potential null deref in rio_setup_device()

From: Dan Carpenter
Date: Sat Aug 27 2011 - 06:03:10 EST

Next message: Western Union: "[no subject]"
Previous message: Wang Sheng-Hui: "Re: [PATCH] virtio: fix size computation according to the definitionof struct vring_used in vring_size"
Next in thread: Bounine, Alexandre: "RE: [patch] rapidio: potential null deref in rio_setup_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The "goto cleanup" path can dereference "rswitch" which is NULL here.

Signed-off-by: Dan Carpenter <error27@xxxxxxxxx>
---
This is sort of embarrassing, I've patched this function before but
missed this. Hopefully it's right now.

diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c
index 0914f49..882cef9 100644
--- a/drivers/rapidio/rio-scan.c
+++ b/drivers/rapidio/rio-scan.c
@@ -432,7 +432,7 @@ static struct rio_dev __devinit *rio_setup_device(struct rio_net *net,
/* Assign component tag to device */
if (next_comptag >= 0x10000) {
pr_err("RIO: Component Tag Counter Overflow\n");
- goto cleanup;
+ goto out_rdev;
}
rio_mport_write_config_32(port, destid, hopcount,
RIO_COMPONENT_TAG_CSR, next_comptag);
@@ -518,7 +518,7 @@ static struct rio_dev __devinit *rio_setup_device(struct rio_net *net,
cleanup:
if (rio_is_switch(rdev))
kfree(rswitch->route_table);
-
+out_rdev:
kfree(rdev);
return NULL;
}
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Western Union: "[no subject]"
Previous message: Wang Sheng-Hui: "Re: [PATCH] virtio: fix size computation according to the definitionof struct vring_used in vring_size"
Next in thread: Bounine, Alexandre: "RE: [patch] rapidio: potential null deref in rio_setup_device()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]