Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp1699556ybm;
        Tue, 21 May 2019 19:45:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzxIM93D1rs36Xmnb/uFo+LGw+O4NanMaY4foTuUx4xdih7BvErctPfQ5VYW/Xm55v5kbbx
X-Received: by 2002:a63:ff23:: with SMTP id k35mr56254972pgi.139.1558493114403;
        Tue, 21 May 2019 19:45:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558493114; cv=none;
        d=google.com; s=arc-20160816;
        b=ZmsV9HZzaMbQyfKOlBJAzM6gmgbpXZZKAU3ACWdcT2dRdOhPM8eIdsTpCHM22UJXjB
         Rr4DVVISrA+aTPlomvJ+wfQhJlK0E89d0jF4kYOrXzmaiTagYQY1sUHMcSbrp5pTXypb
         eqsXOECQPLABwm876eayPlHh9f6cMm6uWoByVANW8EUqIXFg5B1nSz3V3PZ6tfu4x+GG
         KYjbK4eM28VRqOxrXM72OOtb40Ni5icPmY2QO2EHHGsdqoufelpNDgLDYpsfDzQAS7RA
         EXQEyEtvBJpDilLfPv5ey7C4VevLv/aMpSJCk3+U4F2Ic43Prggi4tEJ6CHrEAVIbOzf
         u6tw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature
         :dkim-signature;
        bh=y7GlXXPXxH8tGlOVDOqhZ77ZVc11rdecpgwMZ92lwDE=;
        b=xINOCaP5ArSnH625hvoB2gcobDPHl+kaYlGgX2X8ZvPmOYgWwHjHtOofUsamK1rJTI
         CqHeqs9HOUwGYOQPh8GpSUCjuACLjwBAV3if+rRwq/2VHCNaC9T1OK1/uLw7qvpHdilg
         sb2B9F6pDNPHvl5/Xa5Wc5KN/jj7kqsm43+MGW+I+6AGV/Q0JjxKlIPvl2ZrjOyiFneK
         NrGG7OXMWAu2QTv01vNITY2o9I1F8x3WdldyCJKH+tTTEgyE+dBfmhDDD/DqUCZ1U638
         v1lN+JP0dDIsfJJDmhbKk5JKcmF0PU86o85mjyHfIS/Gm4krqdkiJ5d1TlPmLIbH4e1v
         kJRg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b=ePCxXmvL;
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=C9wSUhPf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n81si25740915pfb.258.2019.05.21.19.44.56;
        Tue, 21 May 2019 19:45:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@pobox.com header.s=sasl header.b=ePCxXmvL;
       dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=C9wSUhPf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728341AbfEVCnR (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Tue, 21 May 2019 22:43:17 -0400
Received: from pb-smtp1.pobox.com ([64.147.108.70]:59832 "EHLO
        pb-smtp1.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727208AbfEVCnR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 21 May 2019 22:43:17 -0400
Received: from pb-smtp1.pobox.com (unknown [127.0.0.1])
        by pb-smtp1.pobox.com (Postfix) with ESMTP id 0AD8D15C70D;
        Tue, 21 May 2019 22:43:13 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to
        :cc:subject:in-reply-to:message-id:references:mime-version
        :content-type; s=sasl; bh=f1aVdB0GW/xbTEb9TCQThuKnddE=; b=ePCxXm
        vL1oVvrRySOJd9Zui1dj+EN/XNkQr3DLSTT7PEJnYdbMC9+4XRW9DdkxffIgmv9f
        gn7ha1b+MfSwvf3F+lx9Sn3OhJRJuKJt8GswrofK5AMVudjdZ4IfPc/LL6otILDp
        5yxgTXuLO1TS9f/HZrDFZxb447UynC6EovCl8=
Received: from pb-smtp1.nyi.icgroup.com (unknown [127.0.0.1])
        by pb-smtp1.pobox.com (Postfix) with ESMTP id 021DB15C70C;
        Tue, 21 May 2019 22:43:13 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net;
 h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=HoxQRB22GIbOcLcVnjiMCS108F1Dfhfhq6HyGAkQViM=; b=C9wSUhPfFMm4ZmPLN4PEKcIGKEOdPeP6sVTQaXAoku0R14M0EjJGuZc+ke8vENXcLaBaiuO3m/JdydfkEqVcOkAuuw7994Q1CnhkcC1z5v5VSEADKT34mPIPpxAjhR4lWMGzoN1jtl+VvdlWkLyilydUuqBUQZlflV7mRTCAknk=
Received: from yoda.home (unknown [70.82.130.96])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by pb-smtp1.pobox.com (Postfix) with ESMTPSA id 3E69715C70B;
        Tue, 21 May 2019 22:43:12 -0400 (EDT)
Received: from xanadu.home (xanadu.home [192.168.2.2])
        by yoda.home (Postfix) with ESMTPSA id 56FA02DA01D5;
        Tue, 21 May 2019 22:43:11 -0400 (EDT)
Date:   Tue, 21 May 2019 22:43:11 -0400 (EDT)
From:   Nicolas Pitre <nico@fluxnic.net>
To:     Gen Zhang <blackgod016574@gmail.com>
cc:     linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c
In-Reply-To: <20190521073901.GF5263@zhanggen-UX430UQ>
Message-ID: <nycvar.YSQ.7.76.1905212218090.1558@knanqh.ubzr>
References: <20190521022940.GA4858@zhanggen-UX430UQ> <nycvar.YSQ.7.76.1905202242410.1558@knanqh.ubzr> <20190521030905.GB5263@zhanggen-UX430UQ> <nycvar.YSQ.7.76.1905202323290.1558@knanqh.ubzr> <20190521040019.GD5263@zhanggen-UX430UQ>
 <nycvar.YSQ.7.76.1905210022050.1558@knanqh.ubzr> <20190521073901.GF5263@zhanggen-UX430UQ>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Pobox-Relay-ID: 5765B69E-7C3B-11E9-935B-46F8B7964D18-78420484!pb-smtp1.pobox.com
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 21 May 2019, Gen Zhang wrote:

> On Tue, May 21, 2019 at 12:30:38AM -0400, Nicolas Pitre wrote:
> > Now imagine that MIN_NR_CONSOLES is defined to 10 instead of 1.
> > 
> > What happens with allocated memory if the err_vc condition is met on the 
> > 5th loop?
> Yes, vc->vc_screenbuf from the last loop is still not freed, right? I
> don't have idea to solve this one. Could please give some advice? Since
> we have to consider the err_vc condition.
> 
> > If err_vc_screenbuf condition is encountered on the 5th loop (curcons = 
> > 4), what is the value of vc_cons[4].d? Isn't it the same as vc that you 
> > just freed?
> > 
> > 
> > Nicolas
> Thanks for your explaination! You mean a double free situation may 
> happen, right? But in vc_allocate() there is also such a kfree(vc) and 
> vc_cons[currcons].d = NULL operation. This situation is really confusing
> me.

What you could do is something that looks like:

	for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) {
		vc_cons[currcons].d = vc = kzalloc(...);
		if (!vc)
			goto fail1;
		...
		vc->vc_screenbuf = kzalloc(...);
		if (!vc->vc_screenbuf)
			goto fail2;
		...

	return 0;

	/* free already allocated memory on error */
fail1:
	while (curcons > 0) {
		curcons--;
		kfree(vc_cons[currcons].d->vc_screenbuf);
fail2:
		kfree(vc_cons[currcons].d);
		vc_cons[currcons].d = NULL;
	}
	console_unlock();
	return -ENOMEM;


Nicolas