From: Arnd Bergmann > Sent: 13 February 2017 17:02 ... > >> > + ioctl_ptr = memdup_user(arg, _IOC_SIZE(cmd)); > >> > + if (IS_ERR_OR_NULL(ioctl_ptr)) { > >> > + ret = PTR_ERR(ioctl_ptr); > >> > + goto out; > >> ... > >> > + out: > >> > + kfree(ioctl_ptr); > >> > + return ret; ... > >> That error path doesn't look quite right to me. ... > > good god, this is a mess this morning. Thanks for the catch, I'll review these > > more aggressively before sending out. > > memdup_user() never returns NULL, and generally speaking any use of > IS_ERR_OR_NULL() indicates that there is something wrong with the > interface, so aside from passing the right pointer (or NULL) into kfree() > I think using IS_ERR() is the correct solution. You missed the problem entirely. Code needs to be: if (IS_ERR(ioctl_ptr)) return PTR_ERR(ioctl_ptr); David