From patchwork Fri May 27 03:16:24 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chris Ball
X-Patchwork-Id: 822632
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id p4R3FFj7019814 for ; Fri, 27 May 2011 03:15:15 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1758637Ab1E0DPO (ORCPT ); Thu, 26 May 2011 23:15:14 -0400
Received: from void.printf.net ([89.145.121.20]:39623 "EHLO void.printf.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752974Ab1E0DPO (ORCPT ); Thu, 26 May 2011 23:15:14 -0400
Received: from 173-166-109-250-newengland.hfc.comcastbusiness.net ([173.166.109.250] helo=pullcord.laptop.org) by void.printf.net with esmtp (Exim 4.69) (envelope-from ) id 1QPnW4-0007E9-TR; Fri, 27 May 2011 04:15:13 +0100
From: Chris Ball
To: Dan Carpenter
Cc: tony.olech@elandigitalsystems.com, linux-mmc@vger.kernel.org
Subject: [PATCH] mmc: vub300: fix null dereferences in error handling
References: <20110526171455.GJ14591@shale.localdomain>
Date: Thu, 26 May 2011 23:16:24 -0400
Message-ID:
MIME-Version: 1.0
Sender: linux-mmc-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-mmc@vger.kernel.org
X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter1.kernel.org [140.211.167.41]); Fri, 27 May 2011 03:15:15 +0000 (UTC)

Reported-by: Dan Carpenter
Signed-off-by: Chris Ball
---

On Thu, May 26 2011, Dan Carpenter wrote:
> In vub300_probe() from drivers/mmc/host/vub300.c we dereference
> vub300 when it's a NULL variable. Btw, let's remove the bogus
> initialization to NULL so that gcc will complain if the bug gets
> introduced again.

Thanks Dan -- I'll queue this fix up:

diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c index cbb0330..d4455ff 100644 --- a/drivers/mmc/host/vub300.c +++ b/drivers/mmc/host/vub300.c
@@ -2096,7 +2096,7 @@ static struct mmc_host_ops vub300_mmc_ops = { static int vub300_probe(struct usb_interface *interface, const struct usb_device_id *id) { /* NOT irq */ - struct vub300_mmc_host *vub300 = NULL; + struct vub300_mmc_host *vub300; struct usb_host_interface *iface_desc; struct usb_device *udev = usb_get_dev(interface_to_usbdev(interface)); int i; @@ -2118,23 +2118,20 @@ static int vub300_probe(struct usb_interface *interface, command_out_urb = usb_alloc_urb(0, GFP_KERNEL); if (!command_out_urb) { retval = -ENOMEM; - dev_err(&vub300->udev->dev, - "not enough memory for the command_out_urb\n"); + dev_err(&udev->dev, "not enough memory for command_out_urb\n"); goto error0; } command_res_urb = usb_alloc_urb(0, GFP_KERNEL); if (!command_res_urb) { retval = -ENOMEM; - dev_err(&vub300->udev->dev, - "not enough memory for the command_res_urb\n"); + dev_err(&udev->dev, "not enough memory for command_res_urb\n"); goto error1; } /* this also allocates memory for our VUB300 mmc host device */ mmc = mmc_alloc_host(sizeof(struct vub300_mmc_host), &udev->dev); if (!mmc) { retval = -ENOMEM; - dev_err(&vub300->udev->dev, - "not enough memory for the mmc_host\n"); + dev_err(&udev->dev, "not enough memory for the mmc_host\n"); goto error4; } /* MMC core transfer sizes tunable parameters */
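
Review bot: On the first hunk (@@ -2096), the reason for dropping the "= NULL" initializer from the vub300 declaration is recorded only in the quoted mail, not in the changelog, which carries just the Reported-by and Signed-off-by tags. Please add a sentence to the commit message saying that the initializer is removed so the compiler can flag any use of vub300 before it is assigned. A reader of git log will otherwise see an unexplained change next to the dev_err() fixes.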
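
Review bot: On the second hunk (@@ -2118), the three failure branches still jump to error0, error1 and error4 before vub300 has been assigned, and with the initializer gone the pointer is now uninitialised there rather than NULL. The label bodies are outside the visible context, so please confirm that none of the code reached from those labels reads vub300, since a NULL test on it would no longer be reliable. Minor style point in the same hunk: two of the new messages drop the article ("not enough memory for command_out_urb") while the third keeps it ("not enough memory for the mmc_host"); pick one form for all three.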