From 9e845abfc8a8973373821aa05302794fd254514b Mon Sep 17 00:00:00 2001 From: =?utf8?q?Andr=C3=A9=20Goddard=20Rosa?= Date: Sun, 25 Oct 2009 11:16:32 -0200 Subject: [PATCH] serial: fix NULL pointer dereference MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If kzalloc() or alloc_tty_driver() fails, we call: put_tty_driver(normal = NULL). Then: put_tty_driver -> tty_driver_kref_put -> kref_put(&NULL->kref, ...) Signed-off-by: André Goddard Rosa Signed-off-by: Greg Kroah-Hartman --- drivers/serial/serial_core.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/drivers/serial/serial_core.c b/drivers/serial/serial_core.c index dcc7244..885eabe 100644 --- a/drivers/serial/serial_core.c +++ b/drivers/serial/serial_core.c @@ -2344,7 +2344,7 @@ static const struct tty_operations uart_ops = { */ int uart_register_driver(struct uart_driver *drv) { - struct tty_driver *normal = NULL; + struct tty_driver *normal; int i, retval; BUG_ON(drv->state); @@ -2354,13 +2354,12 @@ int uart_register_driver(struct uart_driver *drv) * we have a large number of ports to handle. */ drv->state = kzalloc(sizeof(struct uart_state) * drv->nr, GFP_KERNEL); - retval = -ENOMEM; if (!drv->state) goto out; - normal = alloc_tty_driver(drv->nr); + normal = alloc_tty_driver(drv->nr); if (!normal) - goto out; + goto out_kfree; drv->tty_driver = normal; @@ -2393,12 +2392,14 @@ int uart_register_driver(struct uart_driver *drv) } retval = tty_register_driver(normal); - out: - if (retval < 0) { - put_tty_driver(normal); - kfree(drv->state); - } - return retval; + if (retval >= 0) + return retval; + + put_tty_driver(normal); +out_kfree: + kfree(drv->state); +out: + return -ENOMEM; } /** -- 1.8.2.3