Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp448157ybm; Mon, 20 May 2019 20:07:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqwGiD6mXM3626rIhQ9JpOLPqUJlGVCD2Qe25dYsZVr/PXLx12OU7lUYOlAoyqpmILPxM4F3 X-Received: by 2002:a17:902:aa97:: with SMTP id d23mr79975156plr.313.1558408042857; Mon, 20 May 2019 20:07:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558408042; cv=none; d=google.com; s=arc-20160816; b=pDHoHaDk3LFsjvOdLugpCcYRCFPLqm5xFojhCEwCOMR/2rqoHbWyyUU9TjABb8iXsQ DMGAuy+5yB29wYKQSri8srAf3tTt7UyJqoIHT7ls3/eWzipBoY+KGewLdMSc3fjibHjU P4CN09DpwL32DclD1iyf0DUs9n+bNlMItCfhlNIPJHShfZNs5fSPrIpx5mEHukj8Nmni bSt6cqwEt/VQzknWNfF1ijExGJpELduS1VOoQEHTQFq8UtT39DdDg8LDSzOQMkfg/eCR bF6LHKxMfjG6tE+SCM/rXHq5jMF+mpPy8Y/hjILWfmfxJpD0OMigROlrF6cV0zD1Nv2H /wyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=8TZAAG+NpZ722TmQPfHowdMefT5Ykb8OqU88ddSxvso=; b=HGqBL6BUjCJKe/VSs2c9aqmBnpuE2RgRFCtdS51m8DNvGViGXXD9RWRYBRj46L/lv5 nwBBLseLs2nd0lElv8FeclshCIDmO0FH/sfnmfl/YEgILBJnb7ZYrV7AGIpz4DM0ntnI hP9pkL/h7iwfmOx1tmp2O1s1ACTQOt5MYov9GW8SDn//LrmTzlRbFrBGcBouaIPEN23E bU5/oCB9vOr5KNUTHo5E7PjFJAcw8Pnz0KX4TSFf5gLbEZisVLpvI/33WO6Cv/bPzyF5 GTl+WzPQuG23WHm+4roxUrdM4t3ELI/INM9CIBcFk5AtDyqtI7FM7DwAGyEheWahgilD mvGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=BN09u28F; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=e8JKVkqK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q7si12273157pli.379.2019.05.20.20.07.07; Mon, 20 May 2019 20:07:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=BN09u28F; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=e8JKVkqK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727339AbfEUDFa (ORCPT + 99 others); Mon, 20 May 2019 23:05:30 -0400 Received: from pb-smtp21.pobox.com ([173.228.157.53]:58692 "EHLO pb-smtp21.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727059AbfEUDFa (ORCPT ); Mon, 20 May 2019 23:05:30 -0400 X-Greylist: delayed 582 seconds by postgrey-1.27 at vger.kernel.org; Mon, 20 May 2019 23:05:27 EDT Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 395A973621; Mon, 20 May 2019 22:55:45 -0400 (EDT) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=sasl; bh=5IkeaPHh8sPETFmUsbaciy9gu1U=; b=BN09u2 8FXJ0eYwUSeuRd8WTABQyJAkn6bPn+2kHZ48zhnfwPne5GrP+VEI9CTQIeQYj4a2 cZzSQwGjCCW4Nw/ufU1zQ3R/yxpJRCvwc4QfK1OIcTdgsTj7gYXb7tveeFVcaysi vmxY6v9tFb6G7gEtPVlEj5z81RJNm2V9KSRT0= Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id 31A9A73620; Mon, 20 May 2019 22:55:45 -0400 (EDT) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=wjDQmrdsvtMdPiENTi3BGsvVWTilWEcuxFbWktouuw4=; b=e8JKVkqKVSJ86IfuEs+AeAwavRXtDCtN4ud4wr6uVByl6DbLKaILR9M7lskU2A+iDwMylVUp/q+VoOGr1LEA/qMJS2kMV7YL22nk5HcOXA/eA3U7RLA/EoTrOh5T8+QeYRzkviCYXlpMfcbZwISwMMgub4i3H9WdvC2Pw5gWJ0A= Received: from yoda.home (unknown [70.82.130.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id 27FBB7361F; Mon, 20 May 2019 22:55:42 -0400 (EDT) (envelope-from nico@fluxnic.net) Received: from xanadu.home (xanadu.home [192.168.2.2]) by yoda.home (Postfix) with ESMTPSA id 38EE62DA01F4; Mon, 20 May 2019 22:55:40 -0400 (EDT) Date: Mon, 20 May 2019 22:55:40 -0400 (EDT) From: Nicolas Pitre To: Gen Zhang cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c In-Reply-To: <20190521022940.GA4858@zhanggen-UX430UQ> Message-ID: References: <20190521022940.GA4858@zhanggen-UX430UQ> User-Agent: Alpine 2.21 (LFD 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Pobox-Relay-ID: EBF69648-7B73-11E9-933C-8D86F504CC47-78420484!pb-smtp21.pobox.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 21 May 2019, Gen Zhang wrote: > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > vc->vc_screenbuf is allocated a memory space via kzalloc(). And they are > used in the following codes. > However, when there is a memory allocation error, kzalloc() can fail. > Thus null pointer (vc_cons[currcons].d, vc and vc->vc_screenbuf) > dereference may happen. And it will cause the kernel to crash. Therefore, > we should check return value and handle the error. > Further,the loop condition MIN_NR_CONSOLES is defined as 1 in > include/uapi/linux/vt.h. So there is no need to unwind the loop. But what if someone changes that define? It won't be obvious that some code did rely on it to be defined to 1. > Signed-off-by: Gen Zhang > > --- > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > index fdd12f8..b756609 100644 > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -3350,10 +3350,14 @@ static int __init con_init(void) > > for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { > vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT); > + if (!vc_cons[currcons].d || !vc) Both vc_cons[currcons].d and vc are assigned the same value on the previous line. You don't have to test them both. > + goto err_vc; > INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); > tty_port_init(&vc->port); > visual_init(vc, currcons, 1); > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); > + if (!vc->vc_screenbuf) > + goto err_vc_screenbuf; > vc_init(vc, vc->vc_rows, vc->vc_cols, > currcons || !vc->vc_sw->con_save_screen); > } > @@ -3375,6 +3379,14 @@ static int __init con_init(void) > register_console(&vt_console_driver); > #endif > return 0; > +err_vc: > + console_unlock(); > + return -ENOMEM; > +err_vc_screenbuf: > + console_unlock(); > + kfree(vc); > + vc_cons[currcons].d = NULL; > + return -ENOMEM; As soon as you release the lock, another thread could come along and start using the memory pointed by vc_cons[currcons].d you're about to free here. This is unlikely for an initcall, but still. You should consider this ordering instead: err_vc_screenbuf: kfree(vc); vc_cons[currcons].d = NULL; err_vc: console_unlock(); return -ENOMEM; > } > console_initcall(con_init); > > --- >