From: Dan Carpenter Date: Tue, 13 Mar 2012 17:18:48 +0000 (+0300) Subject: NFS: null dereference in dev_remove() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=e138ead73f872559778bb0c326e795206f96d3ce;p=GitHub%2Fmt8127%2Fandroid_kernel_alcatel_ttab.git NFS: null dereference in dev_remove() In commit 5ffaf85541 "NFS: replace global bl_wq with per-net one" we made "msg" a pointer instead of a struct stored in stack memory. But we forgot to change the memset() here so we're still clearing stack memory instead of clearing the struct like we intended. It will lead to a kernel crash. Signed-off-by: Dan Carpenter Signed-off-by: Trond Myklebust --- diff --git a/fs/nfs/blocklayout/blocklayoutdm.c b/fs/nfs/blocklayout/blocklayoutdm.c index 30fc22af7bbb..737d839bc17b 100644 --- a/fs/nfs/blocklayout/blocklayoutdm.c +++ b/fs/nfs/blocklayout/blocklayoutdm.c @@ -54,7 +54,7 @@ static void dev_remove(struct net *net, dev_t dev) dprintk("Entering %s\n", __func__); bl_pipe_msg.bl_wq = &nn->bl_wq; - memset(&msg, 0, sizeof(*msg)); + memset(msg, 0, sizeof(*msg)); msg->data = kzalloc(1 + sizeof(bl_umount_request), GFP_NOFS); if (!msg->data) goto out;
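Review bot: The one-character fix is correct, but the hunk's old line deserves a sharper description than "clearing stack memory": with `msg` now a pointer, `memset(&msg, 0, sizeof(*msg))` zeroed sizeof(*msg) bytes starting at the pointer variable itself, and since `*msg` holds at least the `data` pointer member, sizeof(*msg) is at least sizeof(msg), so the pointer became NULL and anything past it on the stack was clobbered too; the very next line, `msg->data = kzalloc(...)`, then dereferences NULL, which is the crash the subject line names. Two things to confirm before merging: the hunk does not show where `msg` is initialised, so check that it is non-NULL here and that the region `memset(msg, 0, sizeof(*msg))` now clears does not overlap the `bl_pipe_msg.bl_wq` field assigned on the line above (otherwise the zeroing should move ahead of that assignment); and this pattern (memset on `&p` with `sizeof(*p)`) is exactly what GCC's -Wsizeof-pointer-memaccess warning catches, so it is worth keeping that warning enabled in the build so the next pointer conversion does not slip through the same way.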