Subject: Re: [PATCH v4 1/2] staging: vt6655: check for memory allocation failures
To: Ji-Hun Kim, gregkh@linuxfoundation.org, forest@alittletooquiet.net
Cc: dartnorris@gmail.com, santhameena13@gmail.com, julia.lawall@lip6.fr, y.k.oh@samsung.com, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
References: <1522389115-1124-1-git-send-email-ji_hun.kim@samsung.com>
From: Jia-Ju Bai
Date: Sun, 1 Apr 2018 10:42:02 +0800
In-Reply-To: <1522389115-1124-1-git-send-email-ji_hun.kim@samsung.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2018/3/30 13:51, Ji-Hun Kim wrote:
> There are no null pointer checking on rd_info and td_info values which
> are allocated by kzalloc. It has potential null pointer dereferencing
> issues. Implement error handling code on device_init_rd*, device_init_td*
> and vnt_start for the allocation failures.
>
> Signed-off-by: Ji-Hun Kim
> ---
> Changes v2:
> - Delete WARN_ON which can makes crashes on some machines.
> - Instead of return directly, goto freeing function for freeing previously
>   allocated memory in the for loop after kzalloc() failed.
> - In the freeing function, add if statement for freeing to only allocated
>   values.
>
> Changes v3:
> - Modify return type of device_init_rd*, device_init_td*. Then add returns
>   error code at those functions and vnt_start as well.
>
> Changes v4:
> - Fix potential memory leaks from error handling code of device init
>   functions in vnt_start().
>
> drivers/staging/vt6655/device_main.c | 121 ++++++++++++++++++++++++++---------
> 1 file changed, 89 insertions(+), 32 deletions(-)
>
> diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c > index fbc4bc6..c9752df 100644 > --- a/drivers/staging/vt6655/device_main.c > +++ b/drivers/staging/vt6655/device_main.c 
> @@ -124,10 +124,10 @@ > static void device_free_info(struct vnt_private *priv); > static void device_print_info(struct vnt_private *priv); > > -static void device_init_rd0_ring(struct vnt_private *priv); > -static void device_init_rd1_ring(struct vnt_private *priv); > -static void device_init_td0_ring(struct vnt_private *priv); > -static void device_init_td1_ring(struct vnt_private *priv); > +static int device_init_rd0_ring(struct vnt_private *priv); > +static int device_init_rd1_ring(struct vnt_private *priv); > +static int device_init_td0_ring(struct vnt_private *priv); > +static int device_init_td1_ring(struct vnt_private *priv); > > static int device_rx_srv(struct vnt_private *priv, unsigned int idx); > static int device_tx_srv(struct vnt_private *priv, unsigned int idx); > @@ -528,18 +528,22 @@ static void device_free_rings(struct vnt_private *priv) > priv->tx0_bufs, priv->tx_bufs_dma0); > } > > -static void device_init_rd0_ring(struct vnt_private *priv) > +static int device_init_rd0_ring(struct vnt_private *priv) > { > int i; > dma_addr_t curr = priv->rd0_pool_dma; > struct vnt_rx_desc *desc; > + int ret = 0; > > /* Init the RD0 ring entries */ > for (i = 0; i < priv->opts.rx_descs0; > i ++, curr += sizeof(struct vnt_rx_desc)) { > desc = &priv->aRD0Ring[i]; > desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); > - > + if (!desc->rd_info) { > + ret = -ENOMEM; > + goto error; > + } > if (!device_alloc_rx_buf(priv, desc)) > dev_err(&priv->pcid->dev, "can not alloc rx bufs\n"); 
> > @@ -550,20 +554,29 @@ static void device_init_rd0_ring(struct vnt_private *priv) > if (i > 0) > priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); > priv->pCurrRD[0] = &priv->aRD0Ring[0]; > + > + return 0; > +error: > + device_free_rd0_ring(priv); > + return ret; > } > > -static void device_init_rd1_ring(struct vnt_private *priv) > +static int device_init_rd1_ring(struct vnt_private *priv) > { > int i; > dma_addr_t curr = priv->rd1_pool_dma; > struct vnt_rx_desc *desc; > + int ret = 0; > > /* Init the RD1 ring entries */ > for (i = 0; i < priv->opts.rx_descs1; > i ++, curr += sizeof(struct vnt_rx_desc)) { > desc = &priv->aRD1Ring[i]; > desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); > - > + if (!desc->rd_info) { > + ret = -ENOMEM; > + goto error; > + } > if (!device_alloc_rx_buf(priv, desc)) > dev_err(&priv->pcid->dev, "can not alloc rx bufs\n"); > > @@ -574,6 +587,11 @@ static void device_init_rd1_ring(struct vnt_private *priv) > if (i > 0) > priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma); > priv->pCurrRD[1] = &priv->aRD1Ring[0]; > + > + return 0; > +error: > + device_free_rd1_ring(priv); > + return ret; > } > > static void device_free_rd0_ring(struct vnt_private *priv) > @@ -584,12 +602,12 @@ static void device_free_rd0_ring(struct vnt_private *priv) > struct vnt_rx_desc *desc = &priv->aRD0Ring[i]; > struct vnt_rd_info *rd_info = desc->rd_info; > > - dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, > - priv->rx_buf_sz, DMA_FROM_DEVICE); > - > - dev_kfree_skb(rd_info->skb); > - > - kfree(desc->rd_info); > + if (rd_info) { > + dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, > + priv->rx_buf_sz, DMA_FROM_DEVICE); > + dev_kfree_skb(rd_info->skb); > + kfree(desc->rd_info); > + } > } > } 
> > @@ -601,27 +619,31 @@ static void device_free_rd1_ring(struct vnt_private *priv) > struct vnt_rx_desc *desc = &priv->aRD1Ring[i]; > struct vnt_rd_info *rd_info = desc->rd_info; > > - dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, > - priv->rx_buf_sz, DMA_FROM_DEVICE); > - > - dev_kfree_skb(rd_info->skb); > - > - kfree(desc->rd_info); > + if (rd_info) { > + dma_unmap_single(&priv->pcid->dev, rd_info->skb_dma, > + priv->rx_buf_sz, DMA_FROM_DEVICE); > + dev_kfree_skb(rd_info->skb); > + kfree(desc->rd_info); > + } > } > } > > -static void device_init_td0_ring(struct vnt_private *priv) > +static int device_init_td0_ring(struct vnt_private *priv) > { > int i; > dma_addr_t curr; > struct vnt_tx_desc *desc; > + int ret = 0; > > curr = priv->td0_pool_dma; > for (i = 0; i < priv->opts.tx_descs[0]; > i++, curr += sizeof(struct vnt_tx_desc)) { > desc = &priv->apTD0Rings[i]; > desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); > - > + if (!desc->td_info) { > + ret = -ENOMEM; > + goto error; > + } > desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ; > desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ; > > @@ -632,13 +654,19 @@ static void device_init_td0_ring(struct vnt_private *priv) > if (i > 0) > priv->apTD0Rings[i-1].next_desc = cpu_to_le32(priv->td0_pool_dma); > priv->apTailTD[0] = priv->apCurrTD[0] = &priv->apTD0Rings[0]; > + > + return 0; > +error: > + device_free_td0_ring(priv); > + return ret; > } > > -static void device_init_td1_ring(struct vnt_private *priv) > +static int device_init_td1_ring(struct vnt_private *priv) > { > int i; > dma_addr_t curr; > struct vnt_tx_desc *desc; > + int ret = 0; > > /* Init the TD ring entries */ > curr = priv->td1_pool_dma; 
> @@ -646,7 +674,10 @@ static void device_init_td1_ring(struct vnt_private *priv) > i++, curr += sizeof(struct vnt_tx_desc)) { > desc = &priv->apTD1Rings[i]; > desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); > - > + if (!desc->td_info) { > + ret = -ENOMEM; > + goto error; > + } > desc->td_info->buf = priv->tx1_bufs + i * PKT_BUF_SZ; > desc->td_info->buf_dma = priv->tx_bufs_dma1 + i * PKT_BUF_SZ; > > @@ -657,6 +688,11 @@ static void device_init_td1_ring(struct vnt_private *priv) > if (i > 0) > priv->apTD1Rings[i-1].next_desc = cpu_to_le32(priv->td1_pool_dma); > priv->apTailTD[1] = priv->apCurrTD[1] = &priv->apTD1Rings[0]; > + > + return 0; > +error: > + device_free_td1_ring(priv); > + return ret; > } > > static void device_free_td0_ring(struct vnt_private *priv) > @@ -667,8 +703,10 @@ static void device_free_td0_ring(struct vnt_private *priv) > struct vnt_tx_desc *desc = &priv->apTD0Rings[i]; > struct vnt_td_info *td_info = desc->td_info; > > - dev_kfree_skb(td_info->skb); > - kfree(desc->td_info); > + if (td_info) { > + dev_kfree_skb(td_info->skb); > + kfree(desc->td_info); > + } > } > } > > @@ -680,8 +718,10 @@ static void device_free_td1_ring(struct vnt_private *priv) > struct vnt_tx_desc *desc = &priv->apTD1Rings[i]; > struct vnt_td_info *td_info = desc->td_info; > > - dev_kfree_skb(td_info->skb); > - kfree(desc->td_info); > + if (td_info) { > + dev_kfree_skb(td_info->skb); > + kfree(desc->td_info); > + } > } > } 
> > @@ -1165,10 +1205,18 @@ static int vnt_start(struct ieee80211_hw *hw) > } > > dev_dbg(&priv->pcid->dev, "call device init rd0 ring\n"); > - device_init_rd0_ring(priv); > - device_init_rd1_ring(priv); > - device_init_td0_ring(priv); > - device_init_td1_ring(priv); > + ret = device_init_rd0_ring(priv); > + if (ret) > + goto err_init_rd0_ring; > + ret = device_init_rd1_ring(priv); > + if (ret) > + goto err_init_rd1_ring; > + ret = device_init_td0_ring(priv); > + if (ret) > + goto err_init_td0_ring; > + ret = device_init_td1_ring(priv); > + if (ret) > + goto err_init_td1_ring; > > device_init_registers(priv); > > @@ -1178,6 +1226,15 @@ static int vnt_start(struct ieee80211_hw *hw) > ieee80211_wake_queues(hw); > > return 0; > + > +err_init_td1_ring: > + device_free_td0_ring(priv); > +err_init_td0_ring: > + device_free_rd1_ring(priv); > +err_init_rd1_ring: > + device_free_rd0_ring(priv); > +err_init_rd0_ring: > + return ret; > } > > static void vnt_stop(struct ieee80211_hw *hw) It looks okay now :) Best wishes, Jia-Ju Bai
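
Review bot: In device_init_rd0_ring() (and identically in device_init_rd1_ring()), the new -ENOMEM path covers only the kzalloc(); the statement right after it still treats a device_alloc_rx_buf() failure as a log message and carries on: `if (!device_alloc_rx_buf(priv, desc))` followed by `dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");`. The function can therefore return 0 with a descriptor that has no receive buffer, and device_free_rd0_ring() will later call dma_unmap_single() on that entry's rd_info->skb_dma. Suggest setting ret and taking the same `goto error` there, so the new int return value reports both allocation failures.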
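
Review bot: In device_free_rd0_ring() and device_free_rd1_ring(), the new `if (rd_info)` guard only protects entries that were never allocated, because `kfree(desc->rd_info);` leaves desc->rd_info pointing at freed memory. With this patch the free functions are reachable from the init error labels as well as from the vnt_start() unwind, so any later call on the same ring would pass the guard and unmap and free the entry a second time. Suggest adding `desc->rd_info = NULL;` after the kfree, and the same for desc->td_info in device_free_td0_ring() and device_free_td1_ring().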
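
Review bot: In device_init_td0_ring() and device_init_td1_ring(), the `error:` label calls device_free_td0_ring()/device_free_td1_ring(), which is written to skip entries that were not yet allocated, so the cleanup is only correct if every desc->td_info at index i and above is already NULL when the kzalloc() fails. Nothing in these hunks establishes that. Unwinding only what this loop allocated (walking back from i in the error path) would not depend on the prior contents of the ring; if the descriptors are guaranteed to be zeroed elsewhere, a short comment saying where would help the next reader. The same applies to the rd0/rd1 init functions.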
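
Review bot: In vnt_start(), the unwind labels are named after the step that failed but each one frees the ring before it (`err_init_td1_ring:` runs `device_free_td0_ring(priv);`), which reads as a mismatch until you notice that every device_init_*_ring() now frees its own ring on failure. Suggest naming the labels for what they release (for example err_free_td0_ring, err_free_rd1_ring, err_free_rd0_ring) or adding a one-line comment that the failing init has already cleaned up after itself. Also, `err_init_rd0_ring:` only does `return ret;`, so whatever was set up above the closing `}` at the top of this hunk is not released on these paths; worth confirming that nothing there needs freeing.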