staging: comedi: pcmuio: fix possible NULL deref on detach
authorIan Abbott <abbotti@mev.co.uk>
Tue, 20 Aug 2013 10:50:19 +0000 (11:50 +0100)
committerBen Hutchings <ben@decadent.org.uk>
Tue, 1 Apr 2014 23:58:59 +0000 (00:58 +0100)
commit 2fd2bdfccae61efe18f6b92b6a45fbf936d75b48 upstream.

pcmuio_detach() is called by the comedi core even if pcmuio_attach()
returned an error, so `dev->private` might be `NULL`.  Check for that
before dereferencing it.

Also, as pointed out by Dan Carpenter, there is no need to check the
pointer passed to `kfree()` is non-NULL, so remove that check.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
drivers/staging/comedi/drivers/pcmuio.c

index b2c2c89..6c25bd3 100644 (file)
@@ -464,13 +464,13 @@ static int pcmuio_detach(struct comedi_device *dev)
        if (dev->iobase)
                release_region(dev->iobase, ASIC_IOSIZE * thisboard->num_asics);
 
        if (dev->iobase)
                release_region(dev->iobase, ASIC_IOSIZE * thisboard->num_asics);
 
-       for (i = 0; i < MAX_ASICS; ++i) {
-               if (devpriv->asics[i].irq)
-                       free_irq(devpriv->asics[i].irq, dev);
-       }
-
-       if (devpriv && devpriv->sprivs)
+       if (devpriv) {
+               for (i = 0; i < MAX_ASICS; ++i) {
+                       if (devpriv->asics[i].irq)
+                               free_irq(devpriv->asics[i].irq, dev);
+               }
                kfree(devpriv->sprivs);
                kfree(devpriv->sprivs);
+       }
 
        return 0;
 }
 
        return 0;
 }