Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1732029ybi; Sat, 8 Jun 2019 17:17:31 -0700 (PDT) X-Google-Smtp-Source: APXvYqxlZQ4JcvrmhDLQNfJV6SBRX2zRbKGA6+Z/g4+VlwOy1O3dkMUt7SViYdVuW48/P9lLcNXR X-Received: by 2002:aa7:90ce:: with SMTP id k14mr67065120pfk.239.1560039451891; Sat, 08 Jun 2019 17:17:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560039451; cv=none; d=google.com; s=arc-20160816; b=BIbyjosHk+haZ67czu8My3w9TR8Lpoh9sbfG09IKvob5487/D0eu4gdNoSGneQk5k+ VjURQTMkiTsGGKAyoAwdDC9D627GuYIx331PfJOsKDXN6ppUxZyvs5xVQIaRAsacjlFt 6608N6sqgVHeGVIO4qiFZqGyNZdbNVSVLHQINGQB2uTs3FYiTFCuXUYJ2tq8IpbAaTMZ sfvx1eqIe+tAIUs0gSCWp/tL44+8J4CrZ3jNZivOn9IGm7N7ggXt0wQ5SV1m67t6kn30 e4tGCeWY7lMwlk5wP6rE2MpLbMhgpcD15Fonf2cRz4GoQRifv34d9xI6tb9Z07GBjNQe JRZw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=H/SyP/vaGNqrsL8nh2QWz+wUPqTwy0aSIhRPLTy2mbA=; b=GdC3EQqrcH2uIFCfqn7wvNo3n2KzHmjDMSvOh6aF+EGVuGVqFNCsR9XHOqvy4+hc5r zRRZtzlZ7XhKTdZYgvHm34wUz0EC8ny6VnjYVFirXm2ip3/GHYKFvUZ2QvoPvu9IhTZ3 U4ZT0RNaiGiH2MSZPzk7LCy4zttqZny67IZ+Jcakrh67NSqE7v0QMKmcRuv+eaUVptPy z5+9IdvUi5vPMIrCBmCcY+hBuN6WbgGcbX3BSTIEZG59WNZGLuS26hTRYpVSFmOAssLt hDMG0hIi2hutoPy5lTdZWsiFyVoLatiMYPfQ80bW7JlOJ+Vpia7FkwXl+2fqnoO3fmLX OIlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=GMgccx4I; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=RlScfWzD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k13si5946412pgj.257.2019.06.08.17.17.13; Sat, 08 Jun 2019 17:17:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@pobox.com header.s=sasl header.b=GMgccx4I; dkim=temperror (no key for signature) header.i=@fluxnic.net header.s=2016-12.pbsmtp header.b=RlScfWzD; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727577AbfFIAPy (ORCPT + 99 others); Sat, 8 Jun 2019 20:15:54 -0400 Received: from pb-smtp21.pobox.com ([173.228.157.53]:56699 "EHLO pb-smtp21.pobox.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726190AbfFIAPy (ORCPT ); Sat, 8 Jun 2019 20:15:54 -0400 Received: from pb-smtp21.pobox.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id C465E5C8FF; Sat, 8 Jun 2019 20:15:51 -0400 (EDT) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=date:from:to :cc:subject:in-reply-to:message-id:references:mime-version :content-type; s=sasl; bh=bd142Ou0olyyhQXEUfvxQXeeF6g=; b=GMgccx 4I3F1VrOghv9H9D8lzc7LPCuoOIlryTo43cDuCOF75GDERlIYxcCjOSVgX6jW7kR VLax+TR9NXYFT6h31uvWE67QokTo61PZk1dXv4+fK2BRUeqselThdd7DD862u3gw GqK5bL4vPfN+XieQXqbNBHSwF92Kd06ukhzX8= Received: from pb-smtp21.sea.icgroup.com (unknown [127.0.0.1]) by pb-smtp21.pobox.com (Postfix) with ESMTP id BC7B75C8FE; Sat, 8 Jun 2019 20:15:51 -0400 (EDT) (envelope-from nico@fluxnic.net) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=fluxnic.net; h=date:from:to:cc:subject:in-reply-to:message-id:references:mime-version:content-type; s=2016-12.pbsmtp; bh=7zuctmsW7EpJgtHD/eoEiJtcUTAjwVvVHUiIgul0tD4=; b=RlScfWzD+tc27aWDfIK8TapB268mkVWGGbDFrLwh7bAoCp1ams0kA9NUySVkqcA6dDcAt4/qDT27e/wSEILo5Cg9bYPAxx+GPgmcxZNNYfa5Sv39NIVkEucPZ1rOZK98IYpgdMOg1qod7mtG0AwjPDL6JDxQpFVUS0lIMymivkM= Received: from yoda.home (unknown [70.82.130.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-smtp21.pobox.com (Postfix) with ESMTPSA id AEE805C8FD; Sat, 8 Jun 2019 20:15:48 -0400 (EDT) (envelope-from nico@fluxnic.net) Received: from xanadu.home (xanadu.home [192.168.2.2]) by yoda.home (Postfix) with ESMTPSA id E472F2DA03AA; Sat, 8 Jun 2019 20:15:46 -0400 (EDT) Date: Sat, 8 Jun 2019 20:15:46 -0400 (EDT) From: Nicolas Pitre To: Greg KH cc: Gen Zhang , jslaby@suse.com, kilobyte@angband.pl, textshell@uchuujin.de, mpatocka@redhat.com, daniel.vetter@ffwll.ch, linux-kernel@vger.kernel.org Subject: Re: [PATCH v3] vt: Fix a missing-check bug in con_init() In-Reply-To: <20190608162219.GB11699@kroah.com> Message-ID: References: <20190528004529.GA12388@zhanggen-UX430UQ> <20190608160138.GA3840@zhanggen-UX430UQ> <20190608162219.GB11699@kroah.com> User-Agent: Alpine 2.21 (LFD 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Pobox-Relay-ID: BBAC4D20-8A4B-11E9-AE4A-8D86F504CC47-78420484!pb-smtp21.pobox.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 8 Jun 2019, Greg KH wrote: > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > > vc->vc_screenbuf is allocated by kzalloc(). And they are used in the > > > following codes. However, kzalloc() returns NULL when fails, and null > > > pointer dereference may happen. And it will cause the kernel to crash. > > > Therefore, we should check the return value and handle the error. > > > > > > Further, since the allcoation is in a loop, we should free all the > > > allocated memory in a loop. > > > > > > Signed-off-by: Gen Zhang > > > Reviewed-by: Nicolas Pitre > > > --- > > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c > > > index fdd12f8..d50f68f 100644 > > > --- a/drivers/tty/vt/vt.c > > > +++ b/drivers/tty/vt/vt.c > > > @@ -3350,10 +3350,14 @@ static int __init con_init(void) > > > > > > for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) { > > > vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT); > > > + if (!vc) > > > + goto fail1; > > > INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); > > > tty_port_init(&vc->port); > > > visual_init(vc, currcons, 1); > > > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); > > > + if (!vc->vc_screenbuf) > > > + goto fail2; > > > vc_init(vc, vc->vc_rows, vc->vc_cols, > > > currcons || !vc->vc_sw->con_save_screen); > > > } > > > @@ -3375,6 +3379,16 @@ static int __init con_init(void) > > > register_console(&vt_console_driver); > > > #endif > > > return 0; > > > +fail1: > > > + while (currcons > 0) { > > > + currcons--; > > > + kfree(vc_cons[currcons].d->vc_screenbuf); > > > +fail2: > > > + kfree(vc_cons[currcons].d); > > > + vc_cons[currcons].d = NULL; > > > + } > > Wait, will that even work? You can jump into the middle of a while > loop? Absolutely. > Ugh, that's beyond ugly. That was me who suggested to do it like that. To me, this is nicer than the proposed alternatives. For an error path that is rather unlikely to happen, I think this is a very concise and eleguant way to do it. > And please provide "real" names for the > labels, "fail1" and "fail2" do not tell anything here. That I agree with. Nicolas