On 12/24/21 3:03 AM, Jiasheng Jiang wrote:
Because devm_kcalloc() can fail, it could return a null pointer. To prevent dereferencing the null pointer, the return value should be checked.
I think this is a good change, but I would like you to improve the description, and fix some different bugs introduced by your change. What you are specifically doing is checking for a null return from devm_kcalloc() in gb_generate_enum_strings(), and are returning the NULL pointer if that occurs. That means you need to update all the callers of gb_generate_enum_strings() to also handle a possible null return value. The fix does a good thing, and your description is correct about what you are fixing. But it should supply more complete context for the change. More below.
Fixes: e65579e335da ("greybus: audio: topology: Enable enumerated control support") Signed-off-by: Jiasheng Jiang <jiasheng@xxxxxxxxxxx> --- drivers/staging/greybus/audio_topology.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/staging/greybus/audio_topology.c b/drivers/staging/greybus/audio_topology.c index 1fc7727ab7be..e9f47a1f0d28 100644 --- a/drivers/staging/greybus/audio_topology.c +++ b/drivers/staging/greybus/audio_topology.c @@ -146,7 +146,11 @@ static const char **gb_generate_enum_strings(struct gbaudio_module_info *gb, __u8 *data;items = le32_to_cpu(gbenum->items);+ strings = devm_kcalloc(gb->dev, items, sizeof(char *), GFP_KERNEL); + if (!strings) + return NULL; + data = gbenum->names;for (i = 0; i < items; i++) {@@ -654,7 +658,10 @@ static int gbaudio_tplg_create_enum_kctl(struct gbaudio_module_info *gb,/* since count=1, and reg is dummy */gbe->items = le32_to_cpu(gb_enum->items); + gbe->texts = gb_generate_enum_strings(gb, gb_enum); + if (!gbe->texts) + return -ENOMEM;/* debug enum info */dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items, @@ -861,7 +868,10 @@ static int gbaudio_tplg_create_enum_ctl(struct gbaudio_module_info *gb,/* since count=1, and reg is dummy */gbe->items = le32_to_cpu(gb_enum->items); + gbe->texts = gb_generate_enum_strings(gb, gb_enum); + if (!gbe->texts) + return -ENOMEM;/* debug enum info */dev_dbg(gb->dev, "Max:%d, name_length:%d\n", gbe->items, @@ -1032,8 +1042,12 @@ static int gbaudio_tplg_create_widget(struct gbaudio_module_info *module, csize += offsetof(struct gb_audio_ctl_elem_info, value); csize += offsetof(struct gb_audio_enumerated, names); csize += le16_to_cpu(gbenum->names_length); + control->texts = (const char * const *) gb_generate_enum_strings(module, gbenum); + if (!control->texts) + return -ENOMEM; +
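Review bot: in the gbaudio_tplg_create_widget() hunk the bare `return -ENOMEM;` after `if (!control->texts)` bypasses the function's existing cleanup: the control allocation a few lines above it goes to the `error` label on failure, and this new failure point has to take the same exit (set the function's error code and `goto error`) so the widgets already created are released. The direct `-ENOMEM` returns added in gbaudio_tplg_create_enum_kctl() and gbaudio_tplg_create_enum_ctl() are only correct if nothing in those functions needs unwinding at that point; the commit message should say that gb_generate_enum_strings() now returns NULL on devm_kcalloc() failure and list the callers that were audited for it, since that is the new contract every caller has to honour.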
You can't simply return here. If you look a bit above this, where the call to allocate a control structure is done, you see that a NULL return there jumps to the "error" label, so any already allocated and initialized control widgets get cleaned up before returning.
control->items = le32_to_cpu(gbenum->items); } else { csize = sizeof(struct gb_audio_control); @@ -1181,8 +1195,12 @@ static int gbaudio_tplg_process_kcontrols(struct gbaudio_module_info *module, csize += offsetof(struct gb_audio_ctl_elem_info, value); csize += offsetof(struct gb_audio_enumerated, names); csize += le16_to_cpu(gbenum->names_length); + control->texts = (const char * const *) gb_generate_enum_strings(module, gbenum); + if (!control->texts) + return -ENOMEM; +
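Review bot: same problem in the gbaudio_tplg_process_kcontrols() hunk: a NULL `control->texts` returns `-ENOMEM` straight out of the loop and skips the cleanup the function performs for the controls already set up. Route this failure through the function's existing error label exactly as the other failure cases in that function do, rather than returning directly.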
You have basically the same issue here. You can't just return, you must do some cleanup too.

-Alex
control->items = le32_to_cpu(gbenum->items); } else { csize = sizeof(struct gb_audio_control);
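As an added illustration of the cleanup requirement Alex describes (this is not code from the greybus driver or from the patch), here is a userspace C analogue: a generate_enum_strings() that returns NULL on allocation failure, a widget-building loop that routes that failure through its `error` label, and a failure-injecting allocator that forces every allocation of a full build to fail in turn and checks that no already-built widget is leaked. All names here (`enum_desc`, `create_widgets`, `t_calloc`, `count_leaking_failures`) and the sample descriptors are constructed for this example; the real driver uses devm_ allocations, which are released with the device, so what its `error` label has to undo is the widget setup Alex mentions, not the allocations themselves.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one device-described enumerated control: an item
 * count plus the names packed as consecutive NUL-terminated strings. */
struct enum_desc { uint32_t items; const char *names; size_t names_length; };
struct widget { const char **texts; uint32_t items; };
struct module_state { struct widget **widgets; size_t num_widgets; };

/* Allocator wrappers with failure injection and a live-block count, so every
 * error path can be forced and then checked for leaks (test scaffolding). */
static int fail_at = -1;	/* -1: never fail; n: the n-th call (0-based) fails */
static int alloc_calls, live_blocks;

static void *t_calloc(size_t n, size_t sz)
{
	void *p = alloc_calls++ == fail_at ? NULL : calloc(n, sz);
	if (p)
		live_blocks++;
	return p;
}

static void t_free(void *p)
{
	if (!p)
		return;
	live_blocks--;
	free(p);
}

/* Analogue of gb_generate_enum_strings(): NULL on allocation failure, and also
 * when the names block holds fewer terminated strings than `items` claims. */
static const char **generate_enum_strings(const struct enum_desc *e)
{
	const char **strings = t_calloc(e->items, sizeof(char *));
	const char *p = e->names, *end = e->names + e->names_length;
	uint32_t i;

	if (!strings)
		return NULL;
	for (i = 0; i < e->items; i++) {
		const char *nul = p < end ? memchr(p, '\0', (size_t)(end - p)) : NULL;
		if (!nul) {
			t_free(strings);
			return NULL;
		}
		strings[i] = p;
		p = nul + 1;
	}
	return strings;
}

static void release_widgets(struct module_state *m)
{
	while (m->num_widgets) {
		struct widget *w = m->widgets[--m->num_widgets];
		t_free(w->texts);
		t_free(w);
	}
	t_free(m->widgets);
	m->widgets = NULL;
}

/* Analogue of the widget-creation loop: a NULL from generate_enum_strings()
 * takes the same `error` exit as any other failure, so widgets already built
 * are released. A bare `return -ENOMEM;` there is the bug the review flags. */
static int create_widgets(struct module_state *m, const struct enum_desc *d, size_t n)
{
	int ret = -ENOMEM;
	size_t i;

	m->num_widgets = 0;
	m->widgets = t_calloc(n, sizeof(*m->widgets));
	if (!m->widgets)
		return ret;
	for (i = 0; i < n; i++) {
		struct widget *w = t_calloc(1, sizeof(*w));
		if (!w)
			goto error;
		w->texts = generate_enum_strings(&d[i]);
		if (!w->texts) {
			t_free(w);
			goto error;
		}
		w->items = d[i].items;
		m->widgets[m->num_widgets++] = w;
	}
	return 0;
error:
	release_widgets(m);
	return ret;
}

/* Constructed descriptors standing in for a device's topology data. */
static const char names_sw[] = "Off\0On\0", names_lvl[] = "Low\0Mid\0High\0";
static const struct enum_desc descs[2] = {
	{ 2, names_sw, sizeof(names_sw) - 1 }, { 3, names_lvl, sizeof(names_lvl) - 1 },
};

/* Fail each allocation of a full build in turn. Returns how many injected
 * failures left blocks live (0 means no error path leaks), or -1 if even the
 * clean build misbehaves. */
static int count_leaking_failures(void)
{
	struct module_state m;
	int total, k, leaks = 0;

	fail_at = -1;
	alloc_calls = live_blocks = 0;
	if (create_widgets(&m, descs, 2) != 0)
		return -1;
	total = alloc_calls;	/* 5 here: the array, then widget + strings twice */
	release_widgets(&m);
	if (live_blocks != 0)
		return -1;
	for (k = 0; k < total; k++) {
		fail_at = k;
		alloc_calls = live_blocks = 0;
		if (create_widgets(&m, descs, 2) != -ENOMEM || live_blocks || m.widgets)
			leaks++;
	}
	fail_at = -1;
	return leaks;
}

/* An item count larger than the names block supports must be rejected. */
static int malformed_enum_rejected(void)
{
	const struct enum_desc bad = { 3, names_sw, sizeof(names_sw) - 1 };
	fail_at = -1;
	return generate_enum_strings(&bad) == NULL;
}
```

The failure-injection loop is the useful part: it is the quickest way to find an early `return` that skips a cleanup label, because each allocation site is failed exactly once and the live-block counter shows which exit leaks. The same approach applies to kernel code through fault injection (failslab) or a unit test that wraps the allocator.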
greybus-dev mailing list
greybus-dev@xxxxxxxxxxxxxxxx
https://lists.linaro.org/mailman/listinfo/greybus-dev