From patchwork Sun Feb 13 21:15:35 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jesper Juhl <jj@chaosbits.net>
X-Patchwork-Id: 83010
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id A88C1B7124
	for <patchwork-incoming@ozlabs.org>;
	Mon, 14 Feb 2011 08:16:47 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755040Ab1BMVQn (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Sun, 13 Feb 2011 16:16:43 -0500
Received: from swampdragon.chaosbits.net ([90.184.90.115]:10884 "EHLO
	swampdragon.chaosbits.net" rhost-flags-OK-OK-OK-OK) by
	vger.kernel.org with ESMTP id S1754922Ab1BMVQk (ORCPT
	<rfc822;netdev@vger.kernel.org>); Sun, 13 Feb 2011 16:16:40 -0500
Received: by swampdragon.chaosbits.net (Postfix, from userid 1000)
	id 2BBC79403D; Sun, 13 Feb 2011 22:15:35 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	by swampdragon.chaosbits.net (Postfix) with ESMTP id 22E0B9403B;
	Sun, 13 Feb 2011 22:15:35 +0100 (CET)
Date: Sun, 13 Feb 2011 22:15:35 +0100 (CET)
From: Jesper Juhl <jj@chaosbits.net>
To: linux-kernel@vger.kernel.org
cc: linux-usb@vger.kernel.org, netdev@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@suse.de>,
	Jan Dumon <j.dumon@option.com>, Filip Aben <f.aben@option.com>,
	Denis Joseph Barrow <d.barow@option.com>,
	Andrew Bird <ajb@spheresystems.co.uk>
Subject: [PATCH] Net, USB, Option, hso: Do not dereference NULL pointer
Message-ID: <alpine.LNX.2.00.1102132206390.18930@swampdragon.chaosbits.net>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

In drivers/net/usb/hso.c::hso_create_bulk_serial_device() we have this 
code:
...
	serial = kzalloc(sizeof(*serial), GFP_KERNEL);
	if (!serial)
		goto exit;
...
exit:
	hso_free_tiomget(serial);
...
hso_free_tiomget() directly dereferences its argument, which in the 
example above is a NULL pointer, ouch.
I could just add a 'if (serial)' test at the 'exit' label, but since most 
freeing functions in the kernel accept NULL pointers (and it seems like 
this was also assumed here) I opted to instead change 'hso_free_tiomget()' 
so that it is safe to call it with a NULL argument. I also modified the 
function to get rid of a pointles conditional before the call to 
'usb_free_urb()' since that function already tests for NULL itself - 
besides fixing the NULL deref this change also buys us a few bytes in 
size.
Before:
$ size drivers/net/usb/hso.o
   text    data     bss     dec     hex filename
  32200     592    9960   42752    a700 drivers/net/usb/hso.o
After:
$ size drivers/net/usb/hso.o
   text    data     bss     dec     hex filename
  32196     592    9960   42748    a6fc drivers/net/usb/hso.o

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
---
 hso.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index bed8fce..6d83812 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2628,15 +2628,15 @@ exit:
 
 static void hso_free_tiomget(struct hso_serial *serial)
 {
-	struct hso_tiocmget *tiocmget = serial->tiocmget;
+	struct hso_tiocmget *tiocmget;
+	if (!serial)
+		return;
+	tiocmget = serial->tiocmget;
 	if (tiocmget) {
-		if (tiocmget->urb) {
-			usb_free_urb(tiocmget->urb);
-			tiocmget->urb = NULL;
-		}
+		usb_free_urb(tiocmget->urb);
+		tiocmget->urb = NULL;
 		serial->tiocmget = NULL;
 		kfree(tiocmget);
-
 	}
 }