On 2021/7/1 1:41, Alison Schofield wrote:
> On Tue, Jun 15, 2021 at 08:38:33PM +0800, Zhiqiang Liu wrote:
>> ndctl_pfn_get_namespace() may return NULL, so callers
>> should check return value of it. Otherwise, it may
>> cause access NULL pointer problem.
>>
> Hi Zhiqiang,
>
> I see you mentioned this was found by Coverity in the cover letter.
> Please repeat that in the commit log here.
>
> What about the call path:
> ndctl_dax_get_namespace() --> ndctl_pfn_get_namespace()
>
> Seems like another place where ndctl_pfn_get_namespace() could
> eventually lead to a NULL ptr dereference.
>
> Alison
Thanks for your reply.
Call path:
namespace_clear_bb
-> if (dax) dax_clear_badblocks(dax)
->ndctl_dax_get_namespace(dax)
->ndctl_pfn_get_namespace(&dax->pfn)
->ndctl_pfn_get_ctx(pfn)
struct ndctl_dax {
struct ndctl_pfn pfn;
struct daxctl_region *region;
};
Here, we have checked that dax is not NULL before calling
ndctl_dax_get_namespace(dax).
If dax is not a NULL pointer, the dax->pfn will not be a NULL pointer.
As for ndctl_pfn_get_ctx(pfn), it will access pfn->region->bus without
NULL-checking, which
may lead to a NULL ptr dereference as you said. I will correct it in the v2
patch.
Regards,
Zhiqiang Liu
>> Signed-off-by: Zhiqiang Liu <[email protected]>
>> ---
>> ndctl/namespace.c | 18 ++++++++++++++----
>> test/libndctl.c | 4 ++--
>> util/json.c | 2 ++
>> 3 files changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
>> index 0c8df9f..21089d7 100644
>> --- a/ndctl/namespace.c
>> +++ b/ndctl/namespace.c
>> @@ -1417,11 +1417,16 @@ static int nstype_clear_badblocks(struct
>> ndctl_namespace *ndns,
>>
>> static int dax_clear_badblocks(struct ndctl_dax *dax)
>> {
>> - struct ndctl_namespace *ndns = ndctl_dax_get_namespace(dax);
>> - const char *devname = ndctl_dax_get_devname(dax);
>> + struct ndctl_namespace *ndns;
>> + const char *devname;
>> unsigned long long begin, size;
>> int rc;
>>
>> + ndns = ndctl_dax_get_namespace(dax);
>> + if (!ndns)
>> + return -ENXIO;
>> +
>> + devname = ndctl_dax_get_devname(dax);
>> begin = ndctl_dax_get_resource(dax);
>> if (begin == ULLONG_MAX)
>> return -ENXIO;
>> @@ -1441,11 +1446,16 @@ static int dax_clear_badblocks(struct ndctl_dax *dax)
>>
>> static int pfn_clear_badblocks(struct ndctl_pfn *pfn)
>> {
>> - struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>> - const char *devname = ndctl_pfn_get_devname(pfn);
>> + struct ndctl_namespace *ndns;
>> + const char *devname;
>> unsigned long long begin, size;
>> int rc;
>>
>> + ndns = ndctl_pfn_get_namespace(pfn);
>> + if (!ndns)
>> + return -ENXIO;
>> +
>> + devname = ndctl_pfn_get_devname(pfn);
>> begin = ndctl_pfn_get_resource(pfn);
>> if (begin == ULLONG_MAX)
>> return -ENXIO;
>> diff --git a/test/libndctl.c b/test/libndctl.c
>> index 24d72b3..05e5ff2 100644
>> --- a/test/libndctl.c
>> +++ b/test/libndctl.c
>> @@ -1275,7 +1275,7 @@ static int check_pfn_autodetect(struct ndctl_bus *bus,
>> if (!ndctl_pfn_is_enabled(pfn))
>> continue;
>> pfn_ndns = ndctl_pfn_get_namespace(pfn);
>> - if (strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>> + if (!pfn_ndns || strcmp(ndctl_namespace_get_devname(pfn_ndns),
>> devname) != 0)
>> continue;
>> fprintf(stderr, "%s: pfn_ndns: %p ndns: %p\n", __func__,
>> pfn_ndns, ndns);
>> @@ -1372,7 +1372,7 @@ static int check_dax_autodetect(struct ndctl_bus *bus,
>> if (!ndctl_dax_is_enabled(dax))
>> continue;
>> dax_ndns = ndctl_dax_get_namespace(dax);
>> - if (strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>> + if (!dax_ndns || strcmp(ndctl_namespace_get_devname(dax_ndns),
>> devname) != 0)
>> continue;
>> fprintf(stderr, "%s: dax_ndns: %p ndns: %p\n", __func__,
>> dax_ndns, ndns);
>> diff --git a/util/json.c b/util/json.c
>> index ca0167b..249f021 100644
>> --- a/util/json.c
>> +++ b/util/json.c
>> @@ -1002,6 +1002,8 @@ static struct json_object
>> *util_pfn_badblocks_to_json(struct ndctl_pfn *pfn,
>> pfn_begin = ndctl_pfn_get_resource(pfn);
>> if (pfn_begin == ULLONG_MAX) {
>> struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>> + if (!ndns)
>> + return NULL;
>>
>> return util_namespace_badblocks_to_json(ndns, bb_count, flags);
>> }
>> --
>> 2.23.0
>>
>>
>>
>>
>> .
>>
>>
>>
> .
