On Thu, 7 Sep 2023 09:25:12 +0800
"yiyang (D)" <yiyang13@xxxxxxxxxx> wrote:
> On 2023/9/5 22:19, Hugo Villeneuve wrote:
> > On Mon, 4 Sep 2023 11:52:20 +0800
> > Yi Yang <yiyang13@xxxxxxxxxx> wrote:
> >
> >> Add check for the return value of kstrdup() and return the error, if it
> >> fails in order to avoid NULL pointer dereference.
> >>
> >> Fixes: 5d171050e28f ("sparc64: vcc: Enable VCC port probe and removal")
> >> Signed-off-by: Yi Yang <yiyang13@xxxxxxxxxx>
> >> ---
> >> V2: Add goto target for error paths.
> >> ---
> >> drivers/tty/vcc.c | 16 +++++++++++++---
> >> 1 file changed, 13 insertions(+), 3 deletions(-)
> >>
> >> diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
> >> index a39ed981bfd3..5b625f20233b 100644
> >> --- a/drivers/tty/vcc.c
> >> +++ b/drivers/tty/vcc.c
> >> @@ -579,18 +579,22 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
> >> return -ENOMEM;
> >>
> >> name = kstrdup(dev_name(&vdev->dev), GFP_KERNEL);
> >> + if (!name) {
> >> + rv = -ENOMEM;
> >> + goto free_port;
> >
> > Hi,
> > at this point, the port is not yet allocated, so you should not jump to
> > free_port. You should simply return with -ENOMEM.
> >
> The port was already allocated by kzalloc(), and should be free before
> return -ENOMEM.
You are right, dismiss all my comments.
Hugo.
> >
> >> + }
> >>
> >> rv = vio_driver_init(&port->vio, vdev, VDEV_CONSOLE_CON, vcc_versions,
> >> ARRAY_SIZE(vcc_versions), NULL, name);
> >> if (rv)
> >> - goto free_port;
> >> + goto free_name;
> >>
> >> port->vio.debug = vcc_dbg_vio;
> >> vcc_ldc_cfg.debug = vcc_dbg_ldc;
> >>
> >> rv = vio_ldc_alloc(&port->vio, &vcc_ldc_cfg, port);
> >> if (rv)
> >> - goto free_port;
> >> + goto free_name;
> >
> > You should still jump to free_port, not free_name, after seeing my
> > comments below
> >
> >
> >>
> >> spin_lock_init(&port->lock);
> >>
> >> @@ -624,6 +628,11 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
> >> goto unreg_tty;
> >> }
> >> port->domain = kstrdup(domain, GFP_KERNEL);
> >> + if (!port->domain) {
> >> + rv = -ENOMEM;
> >> + goto unreg_tty;
> >> + }
> >> +
> >> and should be free before return -ENOMEM.
> >> mdesc_release(hp);
> >>
> >> @@ -653,8 +662,9 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
> >> vcc_table_remove(port->index);
> >> free_ldc:
> >> vio_ldc_free(&port->vio);
> >> -free_port:
> >> +free_name:
> >> kfree(name);
> >> +free_port:
> >> kfree(port);
> >
> > free_name should come after free_port...
> >
> > Hugo.
> The release process should be in reverse order.
>
> --
> Yi Yang
> >
> >
> >>
> >> return rv;
> >> --
> >> 2.17.1
> >>
> >
> > .
> >
>
--
Hugo Villeneuve <hugo@xxxxxxxxxxx>
