On 2018/3/29 15:22, Ji-Hun Kim wrote:
There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.
Signed-off-by: Ji-Hun Kim <ji_hun.kim@xxxxxxxxxxx>
---
Change: since v1:
- Delete WARN_ON which can makes crashes on some machines.
- Instead of return directly, goto freeing function for freeing previously
allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated, no
needs to free.
drivers/staging/vt6655/device_main.c | 64 +++++++++++++++++++++++++-----------
1 file changed, 44 insertions(+), 20 deletions(-)
diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c
index fbc4bc6..ecbba43 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = &priv->aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+ if (!desc->rd_info)
+ goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(&priv->pcid->dev, "can not alloc rx bufs\n");
@@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv)
if (i > 0)
priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma);
priv->pCurrRD[0] = &priv->aRD0Ring[0];
+
+ return;
+error:
+ device_free_rd0_ring(priv);
}
I think you should return an error number here, because
device_init_rd0_ring() is called by vnt_start().
You should also implement error handling code in vnt_start(), and let
vnt_start() returns an error number too.
The same for device_init_rd1_ring(), device_init_td0_ring() and
device_init_td1_ring().
Best wishes,
Jia-Ju Bai
--
To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html