serial: fix NULL pointer dereference
André Goddard Rosa [Sun, 25 Oct 2009 13:16:32 +0000 (11:16 -0200)]
If kzalloc() or alloc_tty_driver() fails, we call:
    put_tty_driver(normal = NULL).

Then:
    put_tty_driver -> tty_driver_kref_put -> kref_put(&NULL->kref, ...)

Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

drivers/serial/serial_core.c

index dcc7244..885eabe 100644 (file)
@@ -2344,7 +2344,7 @@ static const struct tty_operations uart_ops = {
  */
 int uart_register_driver(struct uart_driver *drv)
 {
-       struct tty_driver *normal = NULL;
+       struct tty_driver *normal;
        int i, retval;
 
        BUG_ON(drv->state);
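Review bot: `BUG_ON(drv->state)` will fire if a caller retries registration on the same `uart_driver` after a failed attempt, because the error path in the last hunk calls `kfree(drv->state)` without clearing the pointer. The same path leaves `drv->tty_driver` pointing at the driver that `put_tty_driver(normal)` has just released. Adding `drv->state = NULL;` after the `kfree()` and `drv->tty_driver = NULL;` after the put would leave no stale pointers behind on failure. The function body continues outside this hunk.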
@@ -2354,13 +2354,12 @@ int uart_register_driver(struct uart_driver *drv)
         * we have a large number of ports to handle.
         */
        drv->state = kzalloc(sizeof(struct uart_state) * drv->nr, GFP_KERNEL);
-       retval = -ENOMEM;
        if (!drv->state)
                goto out;
 
-       normal  = alloc_tty_driver(drv->nr);
+       normal = alloc_tty_driver(drv->nr);
        if (!normal)
-               goto out;
+               goto out_kfree;
 
        drv->tty_driver = normal;
 
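Review bot: The `kzalloc(sizeof(struct uart_state) * drv->nr, GFP_KERNEL)` call multiplies without an overflow check, so an unexpectedly large or negative `drv->nr` (its type is not visible in this hunk) could yield an undersized buffer that later per-port code may index past. `kcalloc` does the same zeroed allocation with the check built in: `drv->state = kcalloc(drv->nr, sizeof(struct uart_state), GFP_KERNEL);`. The function starts and ends outside this hunk.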
@@ -2393,12 +2392,14 @@ int uart_register_driver(struct uart_driver *drv)
        }
 
        retval = tty_register_driver(normal);
- out:
-       if (retval < 0) {
-               put_tty_driver(normal);
-               kfree(drv->state);
-       }
-       return retval;
+       if (retval >= 0)
+               return retval;
+
+       put_tty_driver(normal);
+out_kfree:
+       kfree(drv->state);
+out:
+       return -ENOMEM;
 }
 
 /**
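Review bot: The `out:` label now returns `-ENOMEM` unconditionally, so a failure from `tty_register_driver(normal)` is reported to the caller as out-of-memory and the real `retval` is discarded. The removed code returned `retval` on that path. Declaring `int i, retval = -ENOMEM;` at the top and ending with `return retval;` at `out:` keeps both allocation-failure paths as they are and preserves the registration error code. The start of the function is outside this hunk.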