Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp1699556ybm; Tue, 21 May 2019 19:45:14 -0700 (PDT) X-Google-Smtp-Source: APXvYqzxIM93D1rs36Xmnb/uFo+LGw+O4NanMaY4foTuUx4xdih7BvErctPfQ5VYW/Xm55v5kbbx X-Received: by 2002:a63:ff23:: with SMTP id k35mr56254972pgi.139.1558493114403; Tue, 21 May 2019 19:45:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558493114; cv=none; d=google.com; s=arc-20160816; b=ZmsV9HZzaMbQyfKOlBJAzM6gmgbpXZZKAU3ACWdcT2dRdOhPM8eIdsTpCHM22UJXjB Rr4DVVISrA+aTPlomvJ+wfQhJlK0E89d0jF4kYOrXzmaiTagYQY1sUHMcSbrp5pTXypb eqsXOECQPLABwm876eayPlHh9f6cMm6uWoByVANW8EUqIXFg5B1nSz3V3PZ6tfu4x+GG KYjbK4eM28VRqOxrXM72OOtb40Ni5icPmY2QO2EHHGsdqoufelpNDgLDYpsfDzQAS7RA EXQEyEtvBJpDilLfPv5ey7C4VevLv/aMpSJCk3+U4F2Ic43Prggi4tEJ6CHrEAVIbOzf u6tw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=y7GlXXPXxH8tGlOVDOqhZ77ZVc11rdecpgwMZ92lwDE=; b=xINOCaP5ArSnH625hvoB2gcobDPHl+kaYlGgX2X8ZvPmOYgWwHjHtOofUsamK1rJTI CqHeqs9HOUwGYOQPh8GpSUCjuACLjwBAV3if+rRwq/2VHCNaC9T1OK1/uLw7qvpHdilg sb2B9F6pDNPHvl5/Xa5Wc5KN/jj7kqsm43+MGW+I+6AGV/Q0JjxKlIPvl2ZrjOyiFneK NrGG7OXMWAu2QTv01vNITY2o9I1F8x3WdldyCJKH+tTTEgyE+dBfmhDDD/DqUCZ1U638 v1lN+JP0dDIsfJJDmhbKk5JKcmF0PU86o85mjyHfIS/Gm4krqdkiJ5d1TlPmLIbH4e1v kJRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=ePCxXmvL; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=C9wSUhPf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n81si25740915pfb.258.2019.05.21.19.44.56; Tue, 21 May 2019 19:45:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=ePCxXmvL; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=C9wSUhPf; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728341AbfEVCnR (ORCPT + 99 others); Tue, 21 May 2019 22:43:17 -0400 Received: from pb-smtp1.pobox.com ([64.147.108.70]:59832 "EHLO pb-smtp1.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727208AbfEVCnR (ORCPT ); Tue, 21 May 2019 22:43:17 -0400 Received: from pb-smtp1.pobox.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 0AD8D15C70D; Tue, 21 May 2019 22:43:13 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=sasl; bh=f1aVdB0GW/xbTEb9TCQThuKnddE=; b=ePCxXm vL1oVvrRySOJd9Zui1dj+EN/XNkQr3DLSTT7PEJnYdbMC9+4XRW9DdkxffIgmv9f gn7ha1b+MfSwvf3F+lx9Sn3OhJRJuKJt8GswrofK5AMVudjdZ4IfPc/LL6otILDp 5yxgTXuLO1TS9f/HZrDFZxb447UynC6EovCl8= Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp1.pobox.com (Postfix) with ESMTP id 021DB15C70C; Tue, 21 May 2019 22:43:13 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=HoxQRB22GIbOcLcVnjiMCS108F1Dfhfhq6HyGAkQViM=; b=C9wSUhPfFMm4ZmPLN4PEKcIGKEOdPeP6sVTQaXAoku0R14M0EjJGuZc+ke8vENXcLaBaiuO3m/JdydfkEqVcOkAuuw7994Q1CnhkcC1z5v5VSEADKT34mPIPpxAjhR4lWMGzoN1jtl+VvdlWkLyilydUuqBUQZlflV7mRTCAknk= Received: from yoda.home (unknown [70.82.130.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp1.pobox.com (Postfix) with ESMTPSA id 3E69715C70B; Tue, 21 May 2019 22:43:12 -0400 (EDT) Received: from xanadu.home (xanadu.home [192.168.2.2]) by yoda.home (Postfix) with ESMTPSA id 56FA02DA01D5; Tue, 21 May 2019 22:43:11 -0400 (EDT) Date: Tue, 21 May 2019 22:43:11 -0400 (EDT) From: Nicolas Pitre To: Gen Zhang cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c In-Reply-To: <20190521073901.GF5263@zhanggen-UX430UQ> Message-ID: References: <20190521022940.GA4858@zhanggen-UX430UQ> <20190521030905.GB5263@zhanggen-UX430UQ> <20190521040019.GD5263@zhanggen-UX430UQ> <20190521073901.GF5263@zhanggen-UX430UQ> User-Agent: Alpine 2.21 (LFD 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Pobox-Relay-ID: 5765B69E-7C3B-11E9-935B-46F8B7964D18-78420484!pb-smtp1.pobox.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 21 May 2019, Gen Zhang wrote: > On Tue, May 21, 2019 at 12:30:38AM -0400, Nicolas Pitre wrote: > > Now imagine that MIN_NR_CONSOLES is defined to 10 instead of 1. > > > > What happens with allocated memory if the err_vc condition is met on the > > 5th loop? > Yes, vc->vc_screenbuf from the last loop is still not freed, right? I > don't have idea to solve this one. Could please give some advice? Since > we have to consider the err_vc condition. > > > If err_vc_screenbuf condition is encountered on the 5th loop (curcons = > > 4), what is the value of vc_cons[4].d? Isn't it the same as vc that you > > just freed? > > > > > > Nicolas > Thanks for your explaination! You mean a double free situation may > happen, right? But in vc_allocate() there is also such a kfree(vc) and > vc_cons[currcons].d = NULL operation. This situation is really confusing > me. What you could do is something that looks like: for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { vc_cons[currcons].d = vc = kzalloc(...); if (!vc) goto fail1; ... vc->vc_screenbuf = kzalloc(...); if (!vc->vc_screenbuf) goto fail2; ... return 0; /* free already allocated memory on error */ fail1: while (curcons > 0) { curcons--; kfree(vc_cons[currcons].d->vc_screenbuf); fail2: kfree(vc_cons[currcons].d); vc_cons[currcons].d = NULL; } console_unlock(); return -ENOMEM; Nicolas