2018-03-28 06:42:33

by Ji-Hun Kim

[permalink] [raw]
Subject: [PATCH] staging: vt6655: check for memory allocation failures

There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.

Signed-off-by: Ji-Hun Kim <[email protected]>
---
drivers/staging/vt6655/device_main.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index fbc4bc6..5d0ba94 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = &priv->aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+ if (WARN_ON(!desc->rd_info))
+ return;
if (!device_alloc_rx_buf(priv, desc))
dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");

@@ -563,7 +564,8 @@ static void device_init_rd1_ring(struct vnt_private *priv)
i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = &priv->aRD1Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+ if (WARN_ON(!desc->rd_info))
+ return;
if (!device_alloc_rx_buf(priv, desc))
dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");

@@ -621,7 +623,8 @@ static void device_init_td0_ring(struct vnt_private *priv)
i++, curr += sizeof(struct vnt_tx_desc)) {
desc = &priv->apTD0Rings[i];
desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
-
+ if (WARN_ON(!desc->td_info))
+ return;
desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ;
desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ;

@@ -646,7 +649,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
i++, curr += sizeof(struct vnt_tx_desc)) {
desc = &priv->apTD1Rings[i];
desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
-
+ if (WARN_ON(!desc->td_info))
+ return;
desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ;
desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ;

--
1.9.1



2018-03-28 09:02:49

by Greg Kroah-Hartman

[permalink] [raw]
Subject: Re: [PATCH] staging: vt6655: check for memory allocation failures

On Wed, Mar 28, 2018 at 03:31:31PM +0900, Ji-Hun Kim wrote:
> There are no null pointer checking on rd_info and td_info values which
> are allocated by kzalloc. It has potential null pointer dereferencing
> issues. Add return when allocation is failed.
>
> Signed-off-by: Ji-Hun Kim <[email protected]>
> ---
> drivers/staging/vt6655/device_main.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
> index fbc4bc6..5d0ba94 100644
> --- a/drivers/staging/vt6655/device_main.c
> +++ b/drivers/staging/vt6655/device_main.c
> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
> i ++, curr += sizeof(struct vnt_rx_desc)) {
> desc = &priv->aRD0Ring[i];
> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->rd_info))
> + return;

Eeek, no, this crashes any machine that runs with "panic on warn". You
don't crash if you can not allocate any memory, you recover and move on.
You don't even need to print anything out, as the call itself will do
that if this happens.

So this patch isn't ok at all, sorry.

greg k-h

2018-03-28 09:57:38

by Jia-Ju Bai

[permalink] [raw]
Subject: Re: [PATCH] staging: vt6655: check for memory allocation failures



On 2018/3/28 14:31, Ji-Hun Kim wrote:
> There are no null pointer checking on rd_info and td_info values which
> are allocated by kzalloc. It has potential null pointer dereferencing
> issues. Add return when allocation is failed.
>
> Signed-off-by: Ji-Hun Kim <[email protected]>
> ---
> drivers/staging/vt6655/device_main.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
> index fbc4bc6..5d0ba94 100644
> --- a/drivers/staging/vt6655/device_main.c
> +++ b/drivers/staging/vt6655/device_main.c
> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
> i ++, curr += sizeof(struct vnt_rx_desc)) {
> desc = &priv->aRD0Ring[i];
> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->rd_info))
> + return;
> if (!device_alloc_rx_buf(priv, desc))
> dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");
>
> @@ -563,7 +564,8 @@ static void device_init_rd1_ring(struct vnt_private *priv)
> i ++, curr += sizeof(struct vnt_rx_desc)) {
> desc = &priv->aRD1Ring[i];
> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->rd_info))
> + return;
> if (!device_alloc_rx_buf(priv, desc))
> dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");
>
> @@ -621,7 +623,8 @@ static void device_init_td0_ring(struct vnt_private *priv)
> i++, curr += sizeof(struct vnt_tx_desc)) {
> desc = &priv->apTD0Rings[i];
> desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->td_info))
> + return;
> desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ;
> desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ;
>
> @@ -646,7 +649,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
> i++, curr += sizeof(struct vnt_tx_desc)) {
> desc = &priv->apTD1Rings[i];
> desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
> -
> + if (WARN_ON(!desc->td_info))
> + return;
> desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ;
> desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ;
>

I think the bugs you found are right.
But your patch is not correct, because it is dangerous to return directly.
I think you should return an error and then implement error handling
code for these functions.


Best wishes,
Jia-Ju Bai

2018-03-29 01:57:48

by Ji-Hun Kim

[permalink] [raw]
Subject: Re: [PATCH] staging: vt6655: check for memory allocation failures

On Wed, Mar 28, 2018 at 05:55:57PM +0800, Jia-Ju Bai wrote:
> >@@ -646,7 +649,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
> > i++, curr += sizeof(struct vnt_tx_desc)) {
> > desc = &priv->apTD1Rings[i];
> > desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
> >-
> >+ if (WARN_ON(!desc->td_info))
> >+ return;
> > desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ;
> > desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ;
>
> I think the bugs you found are right.
> But your patch is not correct, because it is dangerous to return directly.
> I think you should return an error and then implement error handling
> code for these functions.
>
Yes, it needs to free previous allocated values in the for loop. Directly
return could make memory leaks. I am going to make patch v2.

- Delete WARN_ON which could make crashes on some machines.
- Add freeing sequences for previously allocated memory when kzalloc()
failed instead of returning directly.

Does these changes would be fine on this bug?