[thirdparty/kernel/stable-queue.git] / releases / 4.7.7 / cxl-fix-potential-null-dereference-in-free_adapter.patch

From 8fbaa51d43ef2c6a72849ec34060910723a0365f Mon Sep 17 00:00:00 2001
From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Date: Fri, 15 Jul 2016 17:20:36 +1000
Subject: cxl: fix potential NULL dereference in free_adapter()

From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

commit 8fbaa51d43ef2c6a72849ec34060910723a0365f upstream.

If kzalloc() fails when allocating adapter->guest in
cxl_guest_init_adapter(), we call free_adapter() before erroring out.
free_adapter() in turn attempts to dereference adapter->guest, which in
this case is NULL.

In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
NULL.

Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/cxl/guest.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/misc/cxl/guest.c
+++ b/drivers/misc/cxl/guest.c
@@ -1052,16 +1052,18 @@ static void free_adapter(struct cxl *ada
 	struct irq_avail *cur;
 	int i;
 
-	if (adapter->guest->irq_avail) {
-		for (i = 0; i < adapter->guest->irq_nranges; i++) {
-			cur = &adapter->guest->irq_avail[i];
-			kfree(cur->bitmap);
+	if (adapter->guest) {
+		if (adapter->guest->irq_avail) {
+			for (i = 0; i < adapter->guest->irq_nranges; i++) {
+				cur = &adapter->guest->irq_avail[i];
+				kfree(cur->bitmap);
+			}
+			kfree(adapter->guest->irq_avail);
 		}
-		kfree(adapter->guest->irq_avail);
+		kfree(adapter->guest->status);
+		kfree(adapter->guest);
 	}
-	kfree(adapter->guest->status);
 	cxl_remove_adapter_nr(adapter);
-	kfree(adapter->guest);
 	kfree(adapter);
 }
Commit	Line	Data
83f48a73 GKH	1	From 8fbaa51d43ef2c6a72849ec34060910723a0365f Mon Sep 17 00:00:00 2001
	2	From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
	3	Date: Fri, 15 Jul 2016 17:20:36 +1000
	4	Subject: cxl: fix potential NULL dereference in free_adapter()
	5
	6	From: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
	7
	8	commit 8fbaa51d43ef2c6a72849ec34060910723a0365f upstream.
	9
	10	If kzalloc() fails when allocating adapter->guest in
	11	cxl_guest_init_adapter(), we call free_adapter() before erroring out.
	12	free_adapter() in turn attempts to dereference adapter->guest, which in
	13	this case is NULL.
	14
	15	In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
	16	NULL.
	17
	18	Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
	19	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	20	Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
	21	Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	drivers/misc/cxl/guest.c \| 16 +++++++++-------
	26	1 file changed, 9 insertions(+), 7 deletions(-)
	27
	28	--- a/drivers/misc/cxl/guest.c
	29	+++ b/drivers/misc/cxl/guest.c
	30	@@ -1052,16 +1052,18 @@ static void free_adapter(struct cxl *ada
	31	struct irq_avail *cur;
	32	int i;
	33
	34	- if (adapter->guest->irq_avail) {
	35	- for (i = 0; i < adapter->guest->irq_nranges; i++) {
	36	- cur = &adapter->guest->irq_avail[i];
	37	- kfree(cur->bitmap);
	38	+ if (adapter->guest) {
	39	+ if (adapter->guest->irq_avail) {
	40	+ for (i = 0; i < adapter->guest->irq_nranges; i++) {
	41	+ cur = &adapter->guest->irq_avail[i];
	42	+ kfree(cur->bitmap);
	43	+ }
	44	+ kfree(adapter->guest->irq_avail);
	45	}
	46	- kfree(adapter->guest->irq_avail);
	47	+ kfree(adapter->guest->status);
	48	+ kfree(adapter->guest);
	49	}
	50	- kfree(adapter->guest->status);
	51	cxl_remove_adapter_nr(adapter);
	52	- kfree(adapter->guest);
	53	kfree(adapter);
	54	}
	55