usb: gadget: goku_udc: fix potential crashes in probe

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

goku_probe() goes to error label "err" and invokes goku_remove()
in case of failures of pci_enable_device(), pci_resource_start()
and ioremap(). goku_remove() gets a device from
pci_get_drvdata(pdev) and works with it without any checks, in
particular it dereferences a corresponding pointer. But
goku_probe() did not set this device yet. So, one can expect
various crashes. The patch moves setting the device just after
allocation of memory for it.

Found by Linux Driver Verification project (linuxtesting.org).

Reported-by: Pavel Andrianov <andrianov@ispras.ru>
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Signed-off-by: Felipe Balbi <balbi@kernel.org>

authored by

Evgeny Novikov and committed by

Felipe Balbi 5 years ago 0d66e048 1384ab4f

+1 -1

1 changed file

expand all

drivers

usb

gadget

udc

goku_udc.c

+1 -1

drivers/usb/gadget/udc/goku_udc.c

··· 1760 1760 goto err; 1761 1761 } 1762 1762 1763 + pci_set_drvdata(pdev, dev); 1763 1764 spin_lock_init(&dev->lock); 1764 1765 dev->pdev = pdev; 1765 1766 dev->gadget.ops = &goku_ops; ··· 1794 1793 } 1795 1794 dev->regs = (struct goku_udc_regs __iomem *) base; 1796 1795 1797 - pci_set_drvdata(pdev, dev); 1798 1796 INFO(dev, "%s\n", driver_desc); 1799 1797 INFO(dev, "version: " DRIVER_VERSION " %s\n", dmastr()); 1800 1798 INFO(dev, "irq %d, pci mem %p\n", pdev->irq, base);