Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp900579imm; Wed, 13 Jun 2018 10:01:40 -0700 (PDT) X-Google-Smtp-Source: ADUXVKIU6KyvmsE0JxMjZMXTFlRGfziUl9eT/cZtFej7VqmDrojwB6fvOhDg5zyey2LPst5+uABI X-Received: by 2002:a17:902:988f:: with SMTP id s15-v6mr1114585plp.95.1528909300498; Wed, 13 Jun 2018 10:01:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528909300; cv=none; d=google.com; s=arc-20160816; b=NMxaX2DIXXEBa/U0bFu+rHILrQd/LVGbidxwCtLpHiZycBeJesMQar0L/5H0n7nrbq ivY8GPcv9NctLox71QnGWbqzd07tzQZQFNwggqhEcozHcdJsjFMDmdFYDHevxGz6ndtp J8UenilDJLBk/9Hw7yaP7cFhPT823DukmA+zXKkpqERcHJHhASlHiAaSr4sst9t9WJX6 NEligRODMW9PZmAT6UPxm+NHOu5JXwjKXe2OUGQK7D1lj/fnfCKWJoRBrMypqoWSWADD lPxB23K7wj1UnjEXPf+4TBCOyQh+gAPX3ddlpVgmM2a0YHWzUyI1S883MMwvb7nEI1We 1P3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=oN8x4t5AlnqwLPH5J4s8CXuwHw6OREHTuwpz/aBY1W8=; b=u4ujFvmDlgGGOSp/kKfUHIj19krL/OI4F2Qp0eXTlVmrS2moVpgiJfU1Rc2dTNaatf b/1cKRHK53EnO90H99y4RCldpKuz2+vuI130UT+O1LUCAWK10LjTp+OAW2WTxGP3vlh7 4xbyRKEpy9toUCTtjBI6JlcrN+vVZ3begOZ05zgJ9gok7UkLqYytwygos+wpAm360WYl t0oyUSCyGUmbOOPr6ZYYtjGB/1Rbg+9TkmE2HTVn1BCXQDw8vTVZqUSaFlYT4Qo/Z7Af c8FPM/W/2n+sMdJGi9rAXVAjSPgybdnngvxvqbnVx8GkKbZZLxY7K5r30p4IJvsgJIx+ tneg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=laMpX7qO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g126-v6si2733043pgc.251.2018.06.13.10.01.20; Wed, 13 Jun 2018 10:01:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=laMpX7qO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935060AbeFMRA5 (ORCPT + 99 others); Wed, 13 Jun 2018 13:00:57 -0400 Received: from mail-ua0-f195.google.com ([209.85.217.195]:37643 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934747AbeFMRA4 (ORCPT ); Wed, 13 Jun 2018 13:00:56 -0400 Received: by mail-ua0-f195.google.com with SMTP id i3-v6so2198381uad.4 for ; Wed, 13 Jun 2018 10:00:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oN8x4t5AlnqwLPH5J4s8CXuwHw6OREHTuwpz/aBY1W8=; b=laMpX7qOJPpyrf1j7YmRJ+GCOnoFe9uUX9ploWzflJnCArzOqrPg2xSNRvr0Y6hWzE BMqHfQAQKyGkkyHPq/gbxnTEUJWhmzehhI797B+Jg8MzTbyaCJ5sYJBKfj4N7QroeGe0 EbPhPlFbG6cDMfPukLGwyt7+KxVN4XbiF2QT5zN73TAnRTiKks/mqT+X4WwvrtSPMgnM MYBjufOSeuOtbjEXpyIQXiQEkY9A7Hau8EUxsi6j2Vt/8/yz/4dup9fepLxfZjVVPHwh B4RYGOIwImEF2rb01RfAa3EhJelL0QbbQW5910+8gQnmuJcd1nsk7bWnHUgLE5vAd4vB +M1w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oN8x4t5AlnqwLPH5J4s8CXuwHw6OREHTuwpz/aBY1W8=; b=sK9bilP2XZfPMJAzvXTwC9jgNt+DcygcUKyWMBq8jtuyvry+jUofsSLdiwmYhACYh4 ekefrFT7yU5srlUxj2Yeh4KV/D59tXShMUtgAQafqjlyYrDWgCaqusohBy9gFy1Wh+P3 RIIo1Ios60mrpRJNX5z8JpqszGkL2gPX3aJqKr6rQ6X3ZQRpmOcCu6dQS+2pnkINNO4h xB+9otVUsZLl5y3Ko+X633EXD2YzOM3iueydqEJnp3PnTcXrNwmPX+StGrlwQul2Fr1C 431PTP/ZWFZe625orfn3/YcSPxhb4Dc+Tb9QmQb+dN876rI4c5IAgz4b/uxOxf5Ox/dF pVgQ== X-Gm-Message-State: APt69E3IOCJ58cb8fEYYsE2/Dxc05MXWK6ry9mlgLX3s6dx2NLLRZaWv lL39TAvkY1h5s87gnIDm8TK8q0bja18dYjRmrTyz61lA X-Received: by 2002:a9f:3613:: with SMTP id r19-v6mr4054418uad.49.1528909255607; Wed, 13 Jun 2018 10:00:55 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:8b02:0:0:0:0:0 with HTTP; Wed, 13 Jun 2018 10:00:55 -0700 (PDT) In-Reply-To: <20180613165501.30669-1-vasilyev@ispras.ru> References: <20180612130640.6lcnn4cj7cval7aw@mwanda> <20180613165501.30669-1-vasilyev@ispras.ru> From: Andy Shevchenko Date: Wed, 13 Jun 2018 20:00:55 +0300 Message-ID: Subject: Re: [PATCH v2] staging: rts5208: add check on NULL before dereference To: Anton Vasilyev Cc: Dan Carpenter , Sinan Kaya , Johannes Thumshirn , Gaurav Pathak , Hannes Reinecke , devel@driverdev.osuosl.org, Linux Kernel Mailing List , ldv-project@linuxtesting.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jun 13, 2018 at 7:55 PM, Anton Vasilyev wrote: > If rtsx_probe() fails to allocate dev->chip, then NULL pointer > dereference occurs at release_everything()->rtsx_release_resources(). > > Found by Linux Driver Verification project (linuxtesting.org). > You forgot to adjust subject and commit message to the new reality which is brought by this change. > Signed-off-by: Anton Vasilyev > --- > v2: Add error handling into rtsx_probe based on Dan Carpenter's comment. > I do not have corresponding hardware, so patch was tested by compilation only. > > I faced with inaccuracy at rtsx_remove() and original rtsx_probe(): > there is quiesce_and_remove_host() call with scsi_remove_host() inside, > whereas release_everything() calls scsi_host_put() after this > scsi_remove_host() call. This is strange for me. > > Also I do not know is it require to check result value of > rtsx_init_chip() call on rtsx_probe(). > --- > drivers/staging/rts5208/rtsx.c | 38 +++++++++++++++++++++++----------- > 1 file changed, 26 insertions(+), 12 deletions(-) > > diff --git a/drivers/staging/rts5208/rtsx.c b/drivers/staging/rts5208/rtsx.c > index 70e0b8623110..69e6abe14abf 100644 > --- a/drivers/staging/rts5208/rtsx.c > +++ b/drivers/staging/rts5208/rtsx.c > @@ -857,7 +857,7 @@ static int rtsx_probe(struct pci_dev *pci, > dev->chip = kzalloc(sizeof(*dev->chip), GFP_KERNEL); > if (!dev->chip) { > err = -ENOMEM; > - goto errout; > + goto chip_alloc_fail; > } > > spin_lock_init(&dev->reg_lock); > @@ -879,7 +879,7 @@ static int rtsx_probe(struct pci_dev *pci, > if (!dev->remap_addr) { > dev_err(&pci->dev, "ioremap error\n"); > err = -ENXIO; > - goto errout; > + goto ioremap_fail; > } > > /* > @@ -894,7 +894,7 @@ static int rtsx_probe(struct pci_dev *pci, > if (!dev->rtsx_resv_buf) { > dev_err(&pci->dev, "alloc dma buffer fail\n"); > err = -ENXIO; > - goto errout; > + goto dma_alloc_fail; > } > dev->chip->host_cmds_ptr = dev->rtsx_resv_buf; > dev->chip->host_cmds_addr = dev->rtsx_resv_buf_addr; > @@ -915,7 +915,7 @@ static int rtsx_probe(struct pci_dev *pci, > > if (rtsx_acquire_irq(dev) < 0) { > err = -EBUSY; > - goto errout; > + goto irq_acquire_fail; > } > > pci_set_master(pci); > @@ -935,14 +935,14 @@ static int rtsx_probe(struct pci_dev *pci, > if (IS_ERR(th)) { > dev_err(&pci->dev, "Unable to start control thread\n"); > err = PTR_ERR(th); > - goto errout; > + goto control_thread_fail; > } > dev->ctl_thread = th; > > err = scsi_add_host(host, &pci->dev); > if (err) { > dev_err(&pci->dev, "Unable to add the scsi host\n"); > - goto errout; > + goto scsi_add_host_fail; > } > > /* Start up the thread for delayed SCSI-device scanning */ > @@ -950,18 +950,16 @@ static int rtsx_probe(struct pci_dev *pci, > if (IS_ERR(th)) { > dev_err(&pci->dev, "Unable to start the device-scanning thread\n"); > complete(&dev->scanning_done); > - quiesce_and_remove_host(dev); > err = PTR_ERR(th); > - goto errout; > + goto scan_thread_fail; > } > > /* Start up the thread for polling thread */ > th = kthread_run(rtsx_polling_thread, dev, "rtsx-polling"); > if (IS_ERR(th)) { > dev_err(&pci->dev, "Unable to start the device-polling thread\n"); > - quiesce_and_remove_host(dev); > err = PTR_ERR(th); > - goto errout; > + goto scan_thread_fail; > } > dev->polling_thread = th; > > @@ -970,9 +968,25 @@ static int rtsx_probe(struct pci_dev *pci, > return 0; > > /* We come here if there are any problems */ > -errout: > +scan_thread_fail: > + quiesce_and_remove_host(dev); > +scsi_add_host_fail: > + complete(&dev->cmnd_ready); > + wait_for_completion(&dev->control_exit); > +control_thread_fail: > + free_irq(dev->irq, (void *)dev); > + rtsx_release_chip(dev->chip); > +irq_acquire_fail: > + dev->chip->host_cmds_ptr = NULL; > + dev->chip->host_sg_tbl_ptr = NULL; > + if (dev->chip->msi_en) > + pci_disable_msi(dev->pci); > +dma_alloc_fail: > + iounmap(dev->remap_addr); > +ioremap_fail: > + kfree(dev->chip); > +chip_alloc_fail: > dev_err(&pci->dev, "%s failed\n", __func__); > - release_everything(dev); > > return err; > } > -- > 2.17.1 > -- With Best Regards, Andy Shevchenko