diff mbox

net/ethoc: fix null dereference on error exit path

Message ID 1463944098-7061-1-git-send-email-colin.king@canonical.com
State Changes Requested, archived
Delegated to: David Miller
Headers show

Commit Message

Colin Ian King May 22, 2016, 7:08 p.m. UTC 
From: Colin Ian King <colin.king@canonical.com>

priv is assigned to NULL however all the error exit paths to label 'free'
dereference priv, causing a null pointer dereference.

Examination of the code shows that all error exits via the 'free'
label path occur before priv is assigned to netdev_priv(netdev), hence
there is no need to call clk_disable_unprepare and so the location of
the label should be moved to free_netdev statement to avoid this null
dereference on priv.

Fixes issue found by CoverityScan, CID#113260

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/net/ethernet/ethoc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Max Filippov May 22, 2016, 7:42 p.m. UTC | #1 
Hi Colin,

On Sun, May 22, 2016 at 08:08:18PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@canonical.com>
> 
> priv is assigned to NULL however all the error exit paths to label 'free'
> dereference priv, causing a null pointer dereference.
> 
> Examination of the code shows that all error exits via the 'free'
> label path occur before priv is assigned to netdev_priv(netdev), hence
> there is no need to call clk_disable_unprepare and so the location of
> the label should be moved to free_netdev statement to avoid this null
> dereference on priv.

This description is a bit inaccurate. Indeed all 'goto free' above the
'priv = netdev_priv(netdev);' need to skip 'if (priv->clk)' check, but
there are two more 'goto free' below that line, and they look correct
now, but after this patch they'll leave the clock enabled.
Colin Ian King May 22, 2016, 9:20 p.m. UTC | #2 
On 22/05/16 20:42, Max Filippov wrote:
> Hi Colin,
> 
> On Sun, May 22, 2016 at 08:08:18PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> priv is assigned to NULL however all the error exit paths to label 'free'
>> dereference priv, causing a null pointer dereference.
>>
>> Examination of the code shows that all error exits via the 'free'
>> label path occur before priv is assigned to netdev_priv(netdev), hence
>> there is no need to call clk_disable_unprepare and so the location of
>> the label should be moved to free_netdev statement to avoid this null
>> dereference on priv.
> 
> This description is a bit inaccurate. Indeed all 'goto free' above the
> 'priv = netdev_priv(netdev);' need to skip 'if (priv->clk)' check, but
> there are two more 'goto free' below that line, and they look correct
> now, but after this patch they'll leave the clock enabled.
> 
Oops, I'll resend a corrected fix tomorrow
diff mbox

Patch

diff --git a/drivers/net/ethernet/ethoc.c b/drivers/net/ethernet/ethoc.c
index 41b0106..96403a4 100644
--- a/drivers/net/ethernet/ethoc.c
+++ b/drivers/net/ethernet/ethoc.c
@@ -1241,9 +1241,10 @@  error2:
 error:
 	mdiobus_unregister(priv->mdio);
 	mdiobus_free(priv->mdio);
-free:
+
 	if (priv->clk)
 		clk_disable_unprepare(priv->clk);
+free:
 	free_netdev(netdev);
 out:
 	return ret;