Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp904174imm;
        Fri, 27 Jul 2018 08:04:21 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfGRrAZkCKcKEbv8/G7tsxT84w4JcWqweyRamya0c6MgH1XGe7/OkS97oQ/Lb5oklVegeUl
X-Received: by 2002:a62:bd4:: with SMTP id 81-v6mr7056662pfl.67.1532703861856;
        Fri, 27 Jul 2018 08:04:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532703861; cv=none;
        d=google.com; s=arc-20160816;
        b=rO8MPjqFArpEG6pbxA+q0MZU3i26goCthgObMcu1dm1XYWbpqRV7EmUXjVBYphGn/o
         BSiRReiZTb4oxgMlR+LUioAh7NJ+Y3/Zzy78/PNCe/DHOsH7LMcn/LVg+7wJ7WPOGTJH
         7uSiKoEBEER5q1lOZpA25I9ZjxNh0faHvaV3wOTnk8zNbAoyMgkyK13ps/vW6XzXyFkE
         kdEBMh9BQUGFzHTnbdmwZKuthRNx3Ze5pWOOD5vU4WmJfmOS2Xss8Dn5iyukEupNTZ3o
         5uhW/Pu82kOS9nhn9zhcRIsye5gHfue5eRgW7YSpzZkf6E76/nqZ4FMPBZNKNyzz1grs
         ZzPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=1GBJLTEfD6ACEKRAkCzDCYFnJN/6HoQb9P01Jq3pFoQ=;
        b=a6X00aGsMKTFsCioejA0erCPLoav7/3wQC4KzfmNYjLDJNmsfqcSv35A80qEoJ6aB9
         fWv3S9/dYi6MOuqCsnV/M9w23rNfBbb1RhA3831dRMzqNX6jCWU2BMXsMRRkrdzrCDci
         Kcixs39cinLqxJpQNxq22ZaY1I6+kgtpBuBz7ra0r3brQfOjUvcwBYvg0DUwREXic4N0
         Ux+pkyoCXDkWIQrj9xcHmzAwDEe2VluMKvu//TIvSoNtYc6v0P4hFEYCccTNy0A2zCAZ
         KbG96BI8BIMYoeWSrwHIm90xzTC1anIlJ9iCeGtT9I3WHgywGeWAH7HrrZeTVW/2SeKC
         MipQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c62-v6si4641436pfb.98.2018.07.27.08.04.07;
        Fri, 27 Jul 2018 08:04:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388652AbeG0QZa (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Fri, 27 Jul 2018 12:25:30 -0400
Received: from bran.ispras.ru ([83.149.199.196]:13112 "EHLO smtp.ispras.ru"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1730771AbeG0QZ3 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 27 Jul 2018 12:25:29 -0400
Received: from myklebust.intra.ispras.ru (unknown [10.10.2.207])
        by smtp.ispras.ru (Postfix) with ESMTP id 06E4A203B2;
        Fri, 27 Jul 2018 18:03:09 +0300 (MSK)
From:   Anton Vasilyev <vasilyev@ispras.ru>
To:     Alessandro Rubini <rubini@gnudd.com>
Cc:     Anton Vasilyev <vasilyev@ispras.ru>, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: [PATCH] fmc: Fix memory leak and NULL pointer dereference
Date:   Fri, 27 Jul 2018 18:02:45 +0300
Message-Id: <20180727150245.22610-1-vasilyev@ispras.ru>
X-Mailer: git-send-email 2.18.0
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

There is no deallocation of fmc memory, allocated at ff_dev_create()
by kmemdup(), and no check on kmemdup() success.

The patch adds deallocation into ff_dev_release() and adds check on
allocation success.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
 drivers/fmc/fmc-fakedev.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/fmc/fmc-fakedev.c b/drivers/fmc/fmc-fakedev.c
index 941d0930969a..ede589f4e8e5 100644
--- a/drivers/fmc/fmc-fakedev.c
+++ b/drivers/fmc/fmc-fakedev.c
@@ -244,7 +244,10 @@ static struct fmc_operations ff_fmc_operations = {
 /* This device is kmalloced: release it */
 static void ff_dev_release(struct device *dev)
 {
+	int i;
 	struct ff_dev *ff = container_of(dev, struct ff_dev, dev);
+	for (i = 0; i < ff_nr_dev; i++)
+		kfree(ff->fmc[i]);
 	kfree(ff);
 }
 
@@ -273,15 +276,17 @@ static struct ff_dev *ff_dev_create(void)
 	ff->dev.release = ff_dev_release;
 
 	ret = device_register(&ff->dev);
-	if (ret < 0) {
-		put_device(&ff->dev);
-		return ERR_PTR(ret);
-	}
+	if (ret < 0)
+		goto err;
 
 	/* Create fmc structures that refer to this new "hw" device */
 	for (i = 0; i < ff_nr_dev; i++) {
 		fmc = kmemdup(&ff_template_fmc, sizeof(ff_template_fmc),
 			      GFP_KERNEL);
+		if (!fmc) {
+			ret = -ENOMEM;
+			goto err;
+		}
 		fmc->hwdev = &ff->dev;
 		fmc->carrier_data = ff;
 		fmc->nr_slots = ff_nr_dev;
@@ -294,6 +299,10 @@ static struct ff_dev *ff_dev_create(void)
 		ff_template_fmc.device_id++;
 	}
 	return ff;
+
+err:
+	put_device(&ff->dev);
+	return ERR_PTR(ret);
 }
 
 /* init and exit */
-- 
2.18.0