Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1424625ybi; Sat, 8 Jun 2019 09:24:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqzUD2VOLv075+96TJxM9zYRuNw/pNA5ABT6C/5dqkg9JNlC9wlAefG585cj2O0OoMnHWzeN X-Received: by 2002:a17:902:8493:: with SMTP id c19mr62980856plo.58.1560011078312; Sat, 08 Jun 2019 09:24:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560011078; cv=none; d=google.com; s=arc-20160816; b=BGT5CVsatlzz76dd1GA/na/RjOZ1o9OXVseoEFW/TcQZZU9dg7eAn1FrY9+/EL+sKC ++2cIuVX7auU5b21Q9FtjE3xHG8Hs2ByaZdDzwU7akwBB/EUMsbOnbo9DzkxYD9daEXI 8qT5kF54EuwB9+EM0WL9OzN/q2gAyJcGBfYEyj3rpP1TVD/jBhF3iOSA1+Kl9dCns/Dp fOl2Ib/CypLuKp2RdirTulLzgnM02JIWKfS7P6FYaI5wcha5ge+G2I3p6mK3NrYBgI8x eIpW7D8pucBhmDj839G62DXxbnPZg24ozGuNInvD8fnwKZ4UisMXNwkJZWW5sT7xRLt8 13vA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=p6SmVZEWLCRFQqAFaDA5ytTUVAe2ZGcHUVTeSNkqHj0=; b=E28KxfFY3K9Z3HQx51qI9PixmKuXccn5WTb4IjaVWH3xuHirf9gjd73IEmHBYTIs9h LCZESR4Uj6L2qqKHhTGuwVrYx43WA1irepdZttV+TwkmqRccugVgcF81ejPhvNOvBtEN frlpE9A6/iEiCIeuHXM9He9PlxJ6D7cGGZ4n1dywmt1jd/wQVsyzTBM4UH2kmpXd/CH5 OsfnjFHWciK8/0iJko2XZNlOzuHMMpVX/631aThYIB9+BLjHrHVlrKgL/8f6ASj1PsOP n0o9r4xCEZQr1TV3mweSHZ0yi4RFmYaHHV/Bf7wefIbeZNIiP5i5SBvxpkaI2ofu2v6l 2H8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ah34S3EV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y5si4771553pgv.390.2019.06.08.09.24.21; Sat, 08 Jun 2019 09:24:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ah34S3EV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727324AbfFHQWW (ORCPT + 99 others); Sat, 8 Jun 2019 12:22:22 -0400 Received: from mail.kernel.org ([198.145.29.99]:50708 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727160AbfFHQWW (ORCPT ); Sat, 8 Jun 2019 12:22:22 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DCDBF20840; Sat, 8 Jun 2019 16:22:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560010941; bh=bKeCeyYZMiI2oC+jpHjvKSKu4C9rYdn3PxcDcnqK+yk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ah34S3EV0Y1L8xc3YBaoDdzSXsgZVKgC8oWN704vnkYrGELqyEkCxwYrjtjFsZmCe 6nst4dzWTHVVUkCDhfTj8RxPZLhW3A0HMwxeK4Q0hkvvK19/4m+SwzpZMb5Ohl5Jm1 Cv7xl08+uHfm81/hbZlvKPIM6gnwVgIN7htrbPHY= Date: Sat, 8 Jun 2019 18:22:19 +0200 From: Greg KH To: Gen Zhang Cc: jslaby@suse.com, nico@fluxnic.net, kilobyte@angband.pl, textshell@uchuujin.de, mpatocka@redhat.com, daniel.vetter@ffwll.ch, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3] vt: Fix a missing-check bug in con_init() Message-ID: <20190608162219.GB11699@kroah.com> References: <20190528004529.GA12388@zhanggen-UX430UQ> <20190608160138.GA3840@zhanggen-UX430UQ> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190608160138.GA3840@zhanggen-UX430UQ> User-Agent: Mutt/1.12.0 (2019-05-25) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > vc->vc_screenbuf is allocated by kzalloc(). And they are used in the > > following codes. However, kzalloc() returns NULL when fails, and null > > pointer dereference may happen. And it will cause the kernel to crash. > > Therefore, we should check the return value and handle the error. > > > > Further, since the allcoation is in a loop, we should free all the > > allocated memory in a loop. > > > > Signed-off-by: Gen Zhang > > Reviewed-by: Nicolas Pitre > > --- > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > > index fdd12f8..d50f68f 100644 > > --- a/drivers/tty/vt/vt.c > > +++ b/drivers/tty/vt/vt.c > > @@ -3350,10 +3350,14 @@ static int __init con_init(void) > > > > for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { > > vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT); > > + if (!vc) > > + goto fail1; > > INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); > > tty_port_init(&vc->port); > > visual_init(vc, currcons, 1); > > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); > > + if (!vc->vc_screenbuf) > > + goto fail2; > > vc_init(vc, vc->vc_rows, vc->vc_cols, > > currcons || !vc->vc_sw->con_save_screen); > > } > > @@ -3375,6 +3379,16 @@ static int __init con_init(void) > > register_console(&vt_console_driver); > > #endif > > return 0; > > +fail1: > > + while (currcons > 0) { > > + currcons--; > > + kfree(vc_cons[currcons].d->vc_screenbuf); > > +fail2: > > + kfree(vc_cons[currcons].d); > > + vc_cons[currcons].d = NULL; > > + } Wait, will that even work? You can jump into the middle of a while loop? Ugh, that's beyond ugly. And please provide "real" names for the labels, "fail1" and "fail2" do not tell anything here. Also, have you actually be able to trigger this? thanks, greg k-h