On Fri, May 21, 2021 at 02:43:39PM +0300, Evgeny Novikov wrote: > If fwtty_install() will be invoked with such tty->index that will be > not less than MAX_TOTAL_PORTS then fwtty_port_get() will return NULL and > fwtty_install() will either assign it to tty->driver_data or dereference > in fwtty_port_put() (if tty_standard_install() will fail). The similar > situation is with fwloop_install(). The patch fixes both cases. But how can those cases ever happen? > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Evgeny Novikov <novikov@xxxxxxxxx> > --- > drivers/staging/fwserial/fwserial.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/drivers/staging/fwserial/fwserial.c b/drivers/staging/fwserial/fwserial.c > index 1ee6382cafc4..d0810896511e 100644 > --- a/drivers/staging/fwserial/fwserial.c > +++ b/drivers/staging/fwserial/fwserial.c > @@ -1069,6 +1069,9 @@ static int fwtty_install(struct tty_driver *driver, struct tty_struct *tty) > struct fwtty_port *port = fwtty_port_get(tty->index); > int err; > > + if (!port) > + return -ENODEV; there's already a valid tty pointer here, so the index can not be "too big". > + > err = tty_standard_install(driver, tty); > if (!err) > tty->driver_data = port; > @@ -1082,6 +1085,9 @@ static int fwloop_install(struct tty_driver *driver, struct tty_struct *tty) > struct fwtty_port *port = fwtty_port_get(table_idx(tty->index)); > int err; > > + if (!port) > + return -ENODEV; > + Same here, how can this ever happen? thanks, greg k-h
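Review bot: In the fwtty_install() hunk, the new `if (!port) return -ENODEV;` check comes with no path by which it can trigger. The changelog says fwtty_port_get() returns NULL when tty->index is not less than MAX_TOTAL_PORTS, but it does not name a caller that can reach fwtty_install() with such an index. Either describe that path in the commit message, or state that the check is defensive only and put a one-line comment above it saying so. If the check stays, its position before tty_standard_install() is the right one: returning there covers both outcomes the changelog lists, the NULL stored in tty->driver_data and the fwtty_port_put() call on the failure path.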
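Review bot: In the fwloop_install() hunk the lookup is `fwtty_port_get(table_idx(tty->index))`, so the changelog's reasoning about tty->index reaching MAX_TOTAL_PORTS does not apply as written; what decides the result here is the range of values table_idx() can return. The commit message should say which tty->index values make table_idx() produce an index for which fwtty_port_get() returns NULL, or justify the check as defensive only. "The similar situation" in the changelog is not enough to review this hunk on its own.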