[PATCH] mmc: block: fix free of uninitialized 'idata->buf'

From: Ville Viinikka
Date: Fri Jul 08 2016 - 11:43:42 EST

Next message: Josh Poimboeuf: "Re: [PATCH 2/2] livepatch/x86: apply alternatives and paravirt patches after relocations"
Previous message: Colin King: "[PATCH] bnxt_en: initialize rc to zero to avoid returning garbage"
Next in thread: Ulf Hansson: "Re: [PATCH] mmc: block: fix free of uninitialized 'idata->buf'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Set 'idata->buf' to NULL so that it never gets returned without
initialization. This fixes a bug where mmc_blk_ioctl_cmd() would
free both 'idata' and 'idata->buf' but 'idata->buf' was returned
uninitialized.

Fixes: 1ff8950c0433 ("mmc: block: change to use kmalloc when copy data from userspace")
Signed-off-by: Ville Viinikka <ville@xxxxxxxxxx>
---
drivers/mmc/card/block.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 747c4b0..334d637 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -355,8 +355,10 @@ static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user(
goto idata_err;
}

- if (!idata->buf_bytes)
+ if (!idata->buf_bytes) {
+ idata->buf = NULL;
return idata;
+ }

idata->buf = kmalloc(idata->buf_bytes, GFP_KERNEL);
if (!idata->buf) {
--
2.1.4

Next message: Josh Poimboeuf: "Re: [PATCH 2/2] livepatch/x86: apply alternatives and paravirt patches after relocations"
Previous message: Colin King: "[PATCH] bnxt_en: initialize rc to zero to avoid returning garbage"
Next in thread: Ulf Hansson: "Re: [PATCH] mmc: block: fix free of uninitialized 'idata->buf'"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]