libnvdimm, namespace: potential NULL deref on allocation error

Message ID 20161012063429.GA13780@mwanda (mailing list archive)
State Accepted
Commit 75d2971

Commit Message

Dan Carpenter Oct. 12, 2016, 6:34 a.m. UTC
If the kcalloc() fails then "devs" can be NULL and we dereference it
checking "devs[i]".

Fixes: 1b40e09a1232 ('libnvdimm: blk labels and namespace instantiation')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Comments

Dan Williams Oct. 12, 2016, 9:51 p.m. UTC | #1
On Tue, Oct 11, 2016 at 11:34 PM, Dan Carpenter
<dan.carpenter@oracle.com> wrote:
> If the kcalloc() fails then "devs" can be NULL and we dereference it
> checking "devs[i]".
>
> Fixes: 1b40e09a1232 ('libnvdimm: blk labels and namespace instantiation')
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Thanks, applied.

Patch

diff --git a/drivers/nvdimm/namespace_devs.c b/drivers/nvdimm/namespace_devs.c
index 3509cff..abe5c6b 100644
--- a/drivers/nvdimm/namespace_devs.c
+++ b/drivers/nvdimm/namespace_devs.c
@@ -2176,12 +2176,14 @@  static struct device **scan_labels(struct nd_region *nd_region)
 	return devs;
 
  err:
-	for (i = 0; devs[i]; i++)
-		if (is_nd_blk(&nd_region->dev))
-			namespace_blk_release(devs[i]);
-		else
-			namespace_pmem_release(devs[i]);
-	kfree(devs);
+	if (devs) {
+		for (i = 0; devs[i]; i++)
+			if (is_nd_blk(&nd_region->dev))
+				namespace_blk_release(devs[i]);
+			else
+				namespace_pmem_release(devs[i]);
+		kfree(devs);
+	}
 	return NULL;
 }
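
Review bot: the `for (i = 0; devs[i]; i++)` loop under the new `if (devs)` guard in the err: path has a multi-line if/else as its body with no braces, which is easy to misread now that it sits one level deeper; put braces around the for body. The loop also stops only when it reaches a NULL entry, so the cleanup is safe only if devs[] always keeps a zeroed terminating slot; that allocation is not visible in this hunk and is worth confirming while the error path is being touched. An alternative that avoids the extra nesting is to return NULL directly where the kcalloc() fails instead of jumping to err, leaving err: for the cases where devs is known to be valid.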