On Mon, 14 Dec 2015, Nicholas Mc Guire wrote: > On Thu, Dec 10, 2015 at 11:13:38AM -0500, Mike Marciniszyn wrote: > > From: Easwar Hariharan <easwar.hariharan@xxxxxxxxx> > > > > A code inspection pointed out that kmalloc_array may return NULL and > > memset doesn't check the input pointer for NULL, resulting in a possible > > NULL dereference. This patch fixes this. > > > > Reviewed-by: Mike Marciniszyn <mike.marciniszyn@xxxxxxxxx> > > Signed-off-by: Easwar Hariharan <easwar.hariharan@xxxxxxxxx> > > --- > > drivers/staging/rdma/hfi1/chip.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/drivers/staging/rdma/hfi1/chip.c b/drivers/staging/rdma/hfi1/chip.c > > index dc69159..49d49b2 100644 > > --- a/drivers/staging/rdma/hfi1/chip.c > > +++ b/drivers/staging/rdma/hfi1/chip.c > > @@ -10129,6 +10129,8 @@ static void init_qos(struct hfi1_devdata *dd, u32 first_ctxt) > > if (num_vls * qpns_per_vl > dd->chip_rcv_contexts) > > goto bail; > > rsmmap = kmalloc_array(NUM_MAP_REGS, sizeof(u64), GFP_KERNEL); > > + if (!rsmmap) > > + goto bail; > > memset(rsmmap, rxcontext, NUM_MAP_REGS * sizeof(u64)); > > /* init the local copy of the table */ > > for (i = 0, ctxt = first_ctxt; i < num_vls; i++) { > > > > -- > > Based on this report a generalization of unchecked use turned up one more > case in the current kernel (patch sent). Probably the when block needs > some cleanup, but findings like this definitely are a case for coccinelle > scanners. > > <snip> > /// check for missing NULL check before use > // > // missing check in: > // ./drivers/staging/rdma/hfi1/chip.c:10131 unchecked allocation > // in -next-20151214 > // reported-by Mike Marciniszyn <mike.marciniszyn@xxxxxxxxx> > // > // after generalization this also found: > // ./drivers/clk/shmobile/clk-div6.c:197 unchecked allocation > > virtual context > virtual org > virtual report > > @badmemset@ > expression mem; > position p; > statement S; > @@ > > <+... > *mem = kmalloc_array@p(...); > ... when != if (!mem || ...) S > when != if (... && !mem) S > when != if (mem == NULL || ...) S > when != if (... && mem == NULL) S > when != if (unlikely(mem == NULL)) S > when != if (unlikely(!mem)) S > when != if (likely(!mem)) S > when != if (likely(mem == NULL)) S > return; > ...+> > > @script:python@ > p << badmemset.p; > @@ > > print "%s:%s unchecked allocation" % (p[0].file,p[0].line) > > <snip> How about the following? I got two hits with this, in drivers/clk/shmobile/clk-div6.c and drivers/staging/rdma/hfi1/chip.c. @@ expression mem; identifier f; @@ *mem = kmalloc_array(...); ... when != mem == NULL when != mem != NULL ( f(...,mem,...) | mem->f | mem[...] ) There is a semantic patch in the kernel called kmerr that goes in this direction, but it seems to be overly restrictive and it doesn't address this function: /// This semantic patch looks for kmalloc etc that are not followed by a /// NULL check. It only gives a report in the case where there is some /// error handling code later in the function, which may be helpful /// in determining what the error handling code for the call to kmalloc etc /// should be. Probably there are a lot of other functions that should be considered. julia -- To unsubscribe from this list: send the line "unsubscribe linux-next" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html