From: Ji-Hun Kim
To: gregkh@linuxfoundation.org, baijiaju1990@gmail.com, forest@alittletooquiet.net
Cc: dartnorris@gmail.com, santhameena13@gmail.com, julia.lawall@lip6.fr, ji_hun.kim@samsung.com, y.k.oh@samsung.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH v2] staging: vt6655: check for memory allocation failures
Date: Thu, 29 Mar 2018 16:22:37 +0900
Message-id: <1522308157-26463-1-git-send-email-ji_hun.kim@samsung.com>

There is no null pointer checking on the rd_info and td_info values which are
allocated by kzalloc. It has potential null pointer dereferencing issues.
Add a return when allocation fails.

Signed-off-by: Ji-Hun Kim
---
Changes since v1:
- Delete WARN_ON, which can cause crashes on some machines.
- Instead of returning directly, go to the freeing function to free
  previously allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated,
  there is no need to free.

drivers/staging/vt6655/device_main.c | 64 +++++++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c index fbc4bc6..ecbba43 100644 --- a/drivers/staging/vt6655/device_main.c +++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = &priv->aRD0Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(&priv->pcid->dev, "can not alloc rx bufs\n"); @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv) if (i > 0) priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); priv->pCurrRD[0] = &priv->aRD0Ring[0]; + + return; +error: + device_free_rd0_ring(priv); } static void device_init_rd1_ring(struct vnt_private *priv) @@ -563,7 +568,8 @@ static void device_init_rd1_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = &priv->aRD1Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(&priv->pcid->dev, "can not alloc rx bufs\n"); @@ -574,6 +580,10 @@ static void device_init_rd1_ring(struct vnt_private *priv) if (i > 0) priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma); priv->pCurrRD[1] = &priv->aRD1Ring[0]; + + return; +error: + device_free_rd1_ring(priv); } static void device_free_rd0_ring(struct vnt_private *priv) @@ -584,12 +594,12 @@ static void device_free_rd0_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = &priv->aRD0Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, - priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } 
@@ -601,12 +611,12 @@ static void device_free_rd1_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = &priv->aRD1Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, - priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } @@ -621,7 +631,8 @@ static void device_init_td0_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = &priv->apTD0Rings[i]; desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); - + if (!desc->td_info) + goto error; desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ; desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ; @@ -632,6 +643,10 @@ static void device_init_td0_ring(struct vnt_private *priv) if (i > 0) priv->apTD0Rings[i-1].next_desc = cpu_to_le32(priv->td0_pool_dma); priv->apTailTD[0] = priv->apCurrTD[0] = &priv->apTD0Rings[0]; + + return; +error: + device_free_td0_ring(priv); } static void device_init_td1_ring(struct vnt_private *priv) @@ -646,7 +661,8 @@ static void device_init_td1_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = &priv->apTD1Rings[i]; desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); - + if (!desc->td_info) + goto error; desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ; desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ; @@ -657,6 +673,10 @@ static void device_init_td1_ring(struct vnt_private *priv) if (i > 0) priv->apTD1Rings[i-1].next_desc = cpu_to_le32(priv->td1_pool_dma); priv->apTailTD[1] = priv->apCurrTD[1] = &priv->apTD1Rings[0]; + + return; +error: + device_free_td1_ring(priv); } static void device_free_td0_ring(struct vnt_private *priv) 
@@ -667,8 +687,10 @@ static void device_free_td0_ring(struct vnt_private *priv) struct vnt_tx_desc *desc = &priv->apTD0Rings[i]; struct vnt_td_info *td_info = desc->td_info; - dev_kfree_skb(td_info->skb); - kfree(desc->td_info); + if (td_info) { + dev_kfree_skb(td_info->skb); + kfree(desc->td_info); + } } } @@ -680,8 +702,10 @@ static void device_free_td1_ring(struct vnt_private *priv) struct vnt_tx_desc *desc = &priv->apTD1Rings[i]; struct vnt_td_info *td_info = desc->td_info; - dev_kfree_skb(td_info->skb); - kfree(desc->td_info); + if (td_info) { + dev_kfree_skb(td_info->skb); + kfree(desc->td_info); + } } } -- 1.9.1
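
Review bot: The failure is swallowed at the new error labels at the end of device_init_rd0_ring, device_init_rd1_ring, device_init_td0_ring and device_init_td1_ring (hunks at -550, -574, -632 and -657): each function is still "static void", so after the ring is freed the caller has no way to learn that allocation failed and may go on to use a ring that was just torn down. Suggest changing the return type to int, returning 0 where the patch adds the bare "return;" and -ENOMEM after the free call, and making the caller check the result and abort the open path.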
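
Review bot: In the kzalloc hunks of device_init_rd0_ring and device_init_rd1_ring (at -539 and -563), the device_alloc_rx_buf() failure directly below the new check is still only reported with dev_err() and the loop carries on, so a descriptor can end up with a valid rd_info but no receive buffer. Now that an error label exists, that branch should jump to it as well. If it does, the free functions need to skip dma_unmap_single() and dev_kfree_skb() for a descriptor whose buffer was never allocated and mapped, because as patched they run both for every non-NULL rd_info.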
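
Review bot: The new "if (rd_info)" and "if (td_info)" guards in device_free_rd0_ring, device_free_rd1_ring, device_free_td0_ring and device_free_td1_ring only protect the init error path if every descriptor past the failing index holds a NULL info pointer, and nothing in this patch shows that the ring memory is zeroed before the init loops run. Either state in the commit message where that is guaranteed, or have the error path free only the entries below the failing index. Separately, desc->rd_info and desc->td_info are left pointing at freed memory after kfree(); since the init functions do not report failure, a later normal teardown would walk the same ring and free those entries a second time. Setting the pointer to NULL right after kfree() closes that. As a style point, kfree(desc->rd_info) inside the guard can use the local rd_info (likewise td_info) that was just tested.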