Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

[SCSI] libsas: Fix potential NULL dereference in sas_smp_get_phy_events()

In sas_smp_get_phy_events() we never test if the call to
alloc_smp_req(RPEL_REQ_SIZE) succeeds or fails. That means we run
the risk of dereferencing a NULL pointer if it does fail. Far
better to test if we got NULL back and in that case return -ENOMEM
just as we already do for the other memory allocation in that
function.

Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>

Authored by Jesper Juhl and committed by James Bottomley
92631fa4 99d4d0a9

+10 -3
drivers/scsi/libsas/sas_expander.c
··· 507 507 int sas_smp_get_phy_events(struct sas_phy *phy) 508 508 { 509 509 int res; 510 + u8 *req; 511 + u8 *resp; 510 512 struct sas_rphy *rphy = dev_to_rphy(phy->dev.parent); 511 513 struct domain_device *dev = sas_find_dev_by_rphy(rphy); 512 - u8 *req = alloc_smp_req(RPEL_REQ_SIZE); 513 - u8 *resp = kzalloc(RPEL_RESP_SIZE, GFP_KERNEL); 514 514 515 - if (!resp) 515 + req = alloc_smp_req(RPEL_REQ_SIZE); 516 + if (!req) 516 517 return -ENOMEM; 518 + 519 + resp = alloc_smp_resp(RPEL_RESP_SIZE); 520 + if (!resp) { 521 + kfree(req); 522 + return -ENOMEM; 523 + } 517 524 518 525 req[1] = SMP_REPORT_PHY_ERR_LOG; 519 526 req[9] = phy->number;
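
Review bot: the response allocation at new line 519 changes from kzalloc(RPEL_RESP_SIZE, GFP_KERNEL) to alloc_smp_resp(RPEL_RESP_SIZE), which the changelog does not mention. Please confirm that the helper returns zeroed memory with the same GFP context as the call it replaces, and say in the commit message that the switch is intentional. The kfree(req) added at new line 521 also closes a leak in the old code, where the `if (!resp) return -ENOMEM;` path returned without releasing req. That is a second fix beyond the NULL check on req, and the changelog should mention it too.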