| Message ID | 1374243017-8515-1-git-send-email-lee.jones@linaro.org |
|---|---|
| State | Accepted |
| Commit | f840e23bcf16068eeffe8991ac38b58b82160e43 |
| Headers | show |
diff --git a/drivers/mfd/ab8500-debugfs.c b/drivers/mfd/ab8500-debugfs.c index 7d1f1b0..c8298b2 100644 --- a/drivers/mfd/ab8500-debugfs.c +++ b/drivers/mfd/ab8500-debugfs.c @@ -2800,6 +2800,9 @@ static ssize_t ab8500_subscribe_write(struct file *file, */ dev_attr[irq_index] = kmalloc(sizeof(struct device_attribute), GFP_KERNEL); + if (!dev_attr[irq_index]) + return -ENOMEM; + event_name[irq_index] = kmalloc(count, GFP_KERNEL); sprintf(event_name[irq_index], "%lu", user_val); dev_attr[irq_index]->show = show_irq;
The AB8500 debugfs driver allocates memory for a new sysfs entry, but fails to apply the proper post-allocation checks. If the device were to run out of memory, the allocation would return NULL. Without the correct checks the driver will continue to populate NULL->[show|store|...], which would obviously cause a pointer dereference Oops. Signed-off-by: Lee Jones <lee.jones@linaro.org> --- drivers/mfd/ab8500-debugfs.c | 3 +++ 1 file changed, 3 insertions(+)