Message-ID: <7be4a5ac-d0b8-4f5d-848a-b54ab3c67228@kylinos.cn>
Date: Tue, 5 Dec 2023 17:28:30 +0800
Subject: Re: [PATCH] cxl: Fix null pointer dereference in cxl_get_fd
To: Frederic Barrat, ajd@linux.ibm.com, arnd@arndb.de, gregkh@linuxfoundation.org, mpe@ellerman.id.au, mrochs@linux.vnet.ibm.com
Cc: kunwu.chan@hotmail.com, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
References: <20231204020745.2445944-1-chentao@kylinos.cn>
From: Kunwu Chan

Hi Fred,

Thanks for your reply. But there is a question: whether we should return an error code in the error path so that the caller of 'cxl_get_fd' can know the specific reason, rather than just returning NULL.

Such as:

- int rc, flags, fdtmp; + int rc = 0, flags, fdtmp; char *name = NULL; /* only allow one per context */ - if (ctx->mapping) - return ERR_PTR(-EEXIST); + if (ctx->mapping) { + rc = -EEXIST; + goto err; + } flags = O_RDWR | O_CLOEXEC; /* This code is similar to anon_inode_getfd() */ rc = get_unused_fd_flags(flags); - if (rc < 0) - return ERR_PTR(rc); + if (rc < 0) { + goto err; + } fdtmp = rc; name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); + if (!name) { + rc = -ENOMEM; + goto err_fd; + } file = cxl_getfile(name, fops, ctx, flags); kfree(name); @@ -434,6 +437,9 @@ struct file *cxl_get_fd(struct cxl_context *ctx, struct file_operations *fops, err_fd: put_unused_fd(fdtmp); +err: + if (rc) + return ERR_PTR(rc); return NULL;

Thanks again,
Kunwu

On 2023/12/4 18:43, Frederic Barrat wrote:
>
>
> On 04/12/2023 03:07, Kunwu Chan wrote:
>> kasprintf() returns a pointer to dynamically allocated memory
>> which can be NULL upon failure.
>>
>> Fixes: bdecf76e319a ("cxl: Fix coredump generation when cxl_get_fd()
>> is used")
>> Signed-off-by: Kunwu Chan
>> ---
>>   drivers/misc/cxl/api.c | 4 ++++
>>   1 file changed, 4 insertions(+)
>> >> diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c >> index d85c56530863..bfd7ccd4d7e1 100644 >> --- a/drivers/misc/cxl/api.c >> +++ b/drivers/misc/cxl/api.c >> @@ -419,6 +419,10 @@ struct file *cxl_get_fd(struct cxl_context *ctx, >> struct file_operations *fops, >>           fops = (struct file_operations *)&afu_fops; >>       name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); >> +    if (!name) { >> +        put_unused_fd(fdtmp); >> +        return ERR_PTR(-ENOMEM); >> +    } > > > That works, but you might as well follow the existing error path: > >     name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); >     if (!name) >         goto err_fd; > >   Fred > > >>       file = cxl_getfile(name, fops, ctx, flags); >>       kfree(name); >>       if (IS_ERR(file))
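
Review bot: In the quoted hunk at @@ -419,6 +419,10 @@, the new 'if (!name)' branch open-codes put_unused_fd(fdtmp) instead of jumping to the err_fd label that already performs that cleanup, so the unwind now lives in two places that have to be kept in sync. Prefer 'goto err_fd;' as suggested in the reply, and say in the commit message that the caller then sees NULL rather than ERR_PTR(-ENOMEM), since err_fd ends in 'return NULL;'. The commit message would also be clearer if it named where the NULL name is consumed, which from the context lines is the cxl_getfile(name, fops, ctx, flags) call directly below.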
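
Review bot: In the alternative diff proposed in the reply body, the new 'err:' label returns ERR_PTR(rc) whenever rc is non-zero, but after a successful get_unused_fd_flags() rc still holds the descriptor number (fdtmp = rc). Any jump to err_fd that does not first overwrite rc (the plain 'goto err_fd;' form suggested earlier in the thread is one) then falls through to 'err:' and returns ERR_PTR() of a positive fd number, which IS_ERR() does not recognise, so a caller would treat it as a valid struct file pointer. Reset rc to 0 once it has been copied into fdtmp, or set a negative errno before every 'goto err_fd'. A smaller style point: the braces around the lone 'goto err;' after get_unused_fd_flags() are not needed under kernel coding style.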