From: Yunseong Kim <yskelg@xxxxxxxxx>
A null pointer is stored in a local variable after a call of the function "kzalloc" failed. This pointer was passed to a subsequent call of the function "raw3270_setup_device" where an undesirable dereference will be performed then. Thus add corresponding return value checks. The allocated each memory areas are immediately overwritten by the called function zero-initialisation be omitted by calling the "kmalloc" instead. After "ccw_device_enable_console" succeeds, set the bit raw3270 flag to RAW3270_FLAGS_CONSOLE.
Fixes: 33403dcfcdfd ("[S390] 3270 console: convert from bootmem to slab")
Cc: linux-s390@xxxxxxxxxxxxxxx
Signed-off-by: Yunseong Kim <yskelg@xxxxxxxxx>
---
 drivers/s390/char/raw3270.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/s390/char/raw3270.c b/drivers/s390/char/raw3270.c
index c57694be9bd3..4f3f98bcbc83 100644
--- a/drivers/s390/char/raw3270.c
+++ b/drivers/s390/char/raw3270.c
@@ -811,18 +811,28 @@ struct raw3270 __init *raw3270_setup_console(void)
 if (IS_ERR(cdev))
 return ERR_CAST(cdev);
- rp = kzalloc(sizeof(*rp), GFP_KERNEL | GFP_DMA);
- ascebc = kzalloc(256, GFP_KERNEL);
+ rp = kmalloc(sizeof(*rp), GFP_KERNEL | GFP_DMA);
+ if (!rp)
+ return ERR_PTR(-ENOMEM);
+ ascebc = kmalloc(256, GFP_KERNEL);
+ if (!ascebc) {
+ kfree(rp);
+ return ERR_PTR(-ENOMEM);
+ }
 rc = raw3270_setup_device(cdev, rp, ascebc);
- if (rc)
+ if (rc) {
+ kfree(ascebc);
+ kfree(rp);
 return ERR_PTR(rc);
- set_bit(RAW3270_FLAGS_CONSOLE, &rp->flags);
-
+ }
 rc = ccw_device_enable_console(cdev);
 if (rc) {
 ccw_device_destroy_console(cdev);
+ kfree(ascebc);
+ kfree(rp);
 return ERR_PTR(rc);
 }
+ set_bit(RAW3270_FLAGS_CONSOLE, &rp->flags);
 spin_lock_irqsave(get_ccwdev_lock(rp->cdev), flags);
 do {
--
2.45.2
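Review bot: The three early returns this hunk adds or extends (the `!rp` check, the `!ascebc` check and the `raw3270_setup_device` failure branch) return without calling `ccw_device_destroy_console(cdev);`, which the `ccw_device_enable_console` failure branch does call; cdev has already passed the `IS_ERR` check at the top of the hunk, so it appears to be left behind on those paths, and each should release it before its `return ERR_PTR(...)`. The `kfree(rp);` added to the enable-console failure branch runs after `raw3270_setup_device` has succeeded; if that function publishes rp anywhere (a device list, driver data or an interrupt handler, none of which is visible here), the free leaves a dangling pointer and rp would have to be unregistered first. Replacing `kzalloc` with `kmalloc` makes correctness depend on the callee initialising every byte of a `GFP_DMA` object, and in a one-time `__init` path the zeroing costs nothing, so keeping `kzalloc` next to the new NULL checks is the safer choice. The body of raw3270_setup_console starts and continues outside the hunk.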