[PATCH v2] block: fix possible NULL dereference

From: Sudip Mukherjee
Date: Fri Apr 01 2016 - 10:34:29 EST


We were checking for iter to be NULL after dereferencing it. There is
actually no need to check for iter to be NULL as all the callers of
blk_rq_map_user_iov() do call it with a valid pointer to
struct iov_iter.
But as iter->count can be NULL, the assignment to copy is being done
after checking for it.

Signed-off-by: Sudip Mukherjee <sudip.mukherjee@xxxxxxxxxxxxxxx>
---

v2: removed the check for iter
v1: moved the assignment to copy after check for iter and iter->count


block/blk-map.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index a54f054..e15b4aa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -126,14 +126,15 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
const struct iov_iter *iter, gfp_t gfp_mask)
{
struct iovec iov, prv = {.iov_base = NULL, .iov_len = 0};
- bool copy = (q->dma_pad_mask & iter->count) || map_data;
+ bool copy;
struct bio *bio = NULL;
struct iov_iter i;
int ret;

- if (!iter || !iter->count)
+ if (!iter->count)
return -EINVAL;

+ copy = (q->dma_pad_mask & iter->count) || map_data;
iov_for_each(iov, i, *iter) {
unsigned long uaddr = (unsigned long) iov.iov_base;

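Review bot: Moving the assignment of copy below the `if (!iter->count)` test is not needed once the `!iter` check is gone. The old initializer `bool copy = (q->dma_pad_mask & iter->count) || map_data;` only reads iter->count as an operand of a bitwise AND, which is harmless when the count is zero, and the remaining test dereferences iter just the same. Keeping the initializer at the declaration would reduce the change to the single line that drops `!iter`. Since count is used here as an integer, the changelog should say it can be zero rather than NULL, and the subject would be more accurate as removing a redundant check, because no caller passes a NULL iter according to the message itself. If the assignment does stay where it is, add a blank line between it and `iov_for_each(iov, i, *iter) {`.
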
--
2.1.4