Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp526650ybm; Wed, 22 May 2019 07:20:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqyw72wAYMNPbjrvj7GKf2SWUfsnBGAXCojIHaP5fraBXPGLoOiNMT9Ap9fZapsyJWP9zfcx X-Received: by 2002:a17:902:424:: with SMTP id 33mr90931852ple.102.1558534833925; Wed, 22 May 2019 07:20:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558534833; cv=none; d=google.com; s=arc-20160816; b=g39GvEZnilJUUuu3vOfYlXDKinwueylRi+z8o7SdSuag5RJnuQSidsAtGfCUT7jxRi e3n6f5zQKAQ0g0Z3k4kVzv/G+PXJEaWqGtcwxo/2mhByZWp6GqAHRK4UzN1ZS1GPHn+n M3ERBAsY71wzdP1/jyl/OLuMa71e9mY4+lT0J4P6/g6iHscN1CoNK7C91O8VHtHov2aS s57j+OcWT5ZFeBK2Eoni8Sh8Yl036swmxbxqIHCNxpB/1f5V0D3FOnMkm9aIIaX0XOYM H67ahw3PKNTdi5IJ2RusNepn3td+oxID30wLDRpKhqRqj4/PeD++vETNmqbSPIZnmItM Fbww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=2u6+oGe2zIyFzzmHeiJCHfv1qL9AaZG37oV93wDpuLo=; b=RZ4ByJ7MZSxgBb7swO9kjxUzhkK96l3d1s529hDJJQ8uS+sSMYtNucy2r9tIScnktx v+V5VZUHtUqpUSsjs/wO2Pg31C1QCBWcQlIBhq02PyyrwdliPot35O/JJq8ZvN6JI0Kg RKoXbT1468zN6O9RGv8bDZv0IOpcEfNnBVUfBzptSHgVpy5pZ+lLLvPAC1gVqKtmKcKj 4ziwz999SaZB0kqYh7tk+QTow1S04Qso3Mc3ZSZV/TtSOotCgXw5olaG/GPYK1EOoyR+ 8l6btQyHAmUxeeWqcXq6XpqoEPJAcy7qIOn3FJzQ8gkNKJjqvSEk0VjtLJLsKOiQ0jJu bxww== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=FjbZggep; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=Xa5m7xy3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j10si26417524pgh.273.2019.05.22.07.20.18; Wed, 22 May 2019 07:20:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=FjbZggep; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=Xa5m7xy3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728744AbfEVOS6 (ORCPT + 99 others); Wed, 22 May 2019 10:18:58 -0400 Received: from pb-smtp2.pobox.com ([64.147.108.71]:63833 "EHLO pb-smtp2.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728528AbfEVOS6 (ORCPT ); Wed, 22 May 2019 10:18:58 -0400 Received: from pb-smtp2.pobox.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 4F31315D3EC; Wed, 22 May 2019 10:18:56 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=sasl; bh=4nI4mWcGR82GTPyz6GNRLkoyBvU=; b=FjbZgg ep8Ao4H5xCLthcgEtauVqtFwALMSC4K0AmdXLjHqRtSpxcwLIUtkcW3XhnBayKPZ ef9zAHzb68yrQKpWuQ/e+wUpsOw2WPp67ezSaDzw1Frfc568VDzHFHuF4wR9j9v5 ZlNrwxbY/84OPZPlNVpmUwoxedgEFGXW8bvV0= Received: from pb-smtp2.nyi.icgroup.com (unknown [127.0.0.1]) by pb-smtp2.pobox.com (Postfix) with ESMTP id 478BB15D3EB; Wed, 22 May 2019 10:18:56 -0400 (EDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=WFrM67U78+f3aOMO3UgklP9/4Y6FDeoJx5G6ciC3808=; b=Xa5m7xy3vopuVhmfMkEU2iICbr7ZTrr2wCKR7pMQfrGme/SH00RNKWP1jYZ7IHcgG47l0gNuDTuOUHV9bOKx8Ym3rw6/6zmTiwl9r4FDvQgiqG8M+5xEis5CGSGsE77RaYNQeN9hJEIqG42mAFitjMQnq5pwoEgC/fj6XD0qE6M= Received: from yoda.home (unknown [70.82.130.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp2.pobox.com (Postfix) with ESMTPSA id C674915D3EA; Wed, 22 May 2019 10:18:55 -0400 (EDT) Received: from xanadu.home (xanadu.home [192.168.2.2]) by yoda.home (Postfix) with ESMTPSA id D96052DA01F4; Wed, 22 May 2019 10:18:54 -0400 (EDT) Date: Wed, 22 May 2019 10:18:54 -0400 (EDT) From: Nicolas Pitre To: Gen Zhang cc: linux-kernel@vger.kernel.org Subject: Re: [PATCH v3] vt: Fix a missing-check bug in drivers/tty/vt/vt.c In-Reply-To: <20190522121908.GA6772@zhanggen-UX430UQ> Message-ID: References: <20190521022940.GA4858@zhanggen-UX430UQ> <20190521030905.GB5263@zhanggen-UX430UQ> <20190521040019.GD5263@zhanggen-UX430UQ> <20190521073901.GF5263@zhanggen-UX430UQ> <20190522121908.GA6772@zhanggen-UX430UQ> User-Agent: Alpine 2.21 (LFD 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Pobox-Relay-ID: 887EC8E0-7C9C-11E9-A701-E828E74BB12D-78420484!pb-smtp2.pobox.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 22 May 2019, Gen Zhang wrote: > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > vc->vc_screenbuf is allocated a memory space via kzalloc(). And they are > used in the following codes. > However, when there is a memory allocation error, kzalloc() can fail. > Thus null pointer (vc_cons[currcons].d, vc and vc->vc_screenbuf) > dereference may happen. And it will cause the kernel to crash. Therefore, > we should check return value and handle the error. > Further, since the allcoation is in a loop, we should free all the > allocated memory in a loop. > > Signed-off-by: Gen Zhang Reviewed-by: Nicolas Pitre > > --- > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > index fdd12f8..d50f68f 100644 > --- a/drivers/tty/vt/vt.c > +++ b/drivers/tty/vt/vt.c > @@ -3350,10 +3350,14 @@ static int __init con_init(void) > > for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { > vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT); > + if (!vc) > + goto fail1; > INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); > tty_port_init(&vc->port); > visual_init(vc, currcons, 1); > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); > + if (!vc->vc_screenbuf) > + goto fail2; > vc_init(vc, vc->vc_rows, vc->vc_cols, > currcons || !vc->vc_sw->con_save_screen); > } > @@ -3375,6 +3379,16 @@ static int __init con_init(void) > register_console(&vt_console_driver); > #endif > return 0; > +fail1: > + while (currcons > 0) { > + currcons--; > + kfree(vc_cons[currcons].d->vc_screenbuf); > +fail2: > + kfree(vc_cons[currcons].d); > + vc_cons[currcons].d = NULL; > + } > + console_unlock(); > + return -ENOMEM; > } > console_initcall(con_init); > > --- >