[PATCH] clk: fix a missing-free bug in clk_cpy_name()

2019-05-30 Thread Gen Zhang
In clk_cpy_name(), '*dst_p' ('parent->name' and 'parent->fw_name') and 'dst' are allocated by kstrdup_const(). According to doc: "Strings allocated by kstrdup_const should be freed by kfree_const". So 'parent->name', 'parent->fw_name' and 'dst' should be freed. Signed-off-b

[PATCH] mdesc: fix a missing-check bug in get_vdev_port_node_info()

2019-05-30 Thread Gen Zhang
In get_vdev_port_node_info(), 'node_info->vdev_port.name' is allocated by kstrdup_const(), and it returns NULL when fails. So 'node_info->vdev_port.name' should be checked. Signed-off-by: Gen Zhang --- diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c index 9a26b44..8

[PATCH] sg: fix a double-fetch bug in sg_write()

2019-05-30 Thread Gen Zhang
inconsistent data and potential errors as cmnd is used in the following codes. Thus we should check opcode between the two fetches to prevent this. Signed-off-by: Gen Zhang --- diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi

[PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-30 Thread Gen Zhang
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. Signed-off-by: Gen Zhang Reviewed-by: Ondrej Mosnacek Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") --- diff --git a/security/selinux

Re: [PATCH v2] hooks: fix a missing-check bug in selinux_add_mnt_opt()

2019-05-31 Thread Gen Zhang
On Fri, May 31, 2019 at 11:55:23AM -0400, Paul Moore wrote: > On Thu, May 30, 2019 at 4:55 AM Gen Zhang wrote: > > > > In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns > > NULL when fails. So 'val' should be checked. > > > > Si

Re: [PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-31 Thread Gen Zhang
On Fri, May 31, 2019 at 11:45:28AM -0400, Paul Moore wrote: > On Thu, May 30, 2019 at 9:34 PM Gen Zhang wrote: > > > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > returns NULL when fails. So 'arg' should be checked. > > > > Signe

[PATCH v3] selinux: lsm: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-31 Thread Gen Zhang
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. And 'mnt_opts' should be freed when error. Signed-off-by: Gen Zhang Reviewed-by: Ondrej Mosnacek Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm

Re: [PATCH v3] selinux: lsm: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-31 Thread Gen Zhang
On Sat, Jun 01, 2019 at 03:25:27AM +0100, Al Viro wrote: > On Sat, Jun 01, 2019 at 10:15:26AM +0800, Gen Zhang wrote: > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > returns NULL when fails. So 'arg' should be checked. And 'mnt_opts' > > shoul

Re: [PATCH v3] selinux: lsm: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-31 Thread Gen Zhang
On Sat, Jun 01, 2019 at 03:34:49AM +0100, Al Viro wrote: > On Sat, Jun 01, 2019 at 03:25:27AM +0100, Al Viro wrote: > > On Sat, Jun 01, 2019 at 10:15:26AM +0800, Gen Zhang wrote: > > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > > retur

[PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-20 Thread Gen Zhang
vc->vc_screenbuf) dereference may happen. And it will cause the kernel to crash. Therefore, we should check return value and handle the error. Further, the loop condition MIN_NR_CONSOLES is defined as 1 in include/uapi/linux/vt.h. So there is no need to unwind the loop. Signed-off-by: Gen Zhang --

Re: [PATCH v2] efi_64: Fix a missing-check bug in arch/x86/platform/efi/efi_64.c

2019-05-20 Thread Gen Zhang
On Fri, May 17, 2019 at 11:24:27AM +0200, Ard Biesheuvel wrote: > On Fri, 17 May 2019 at 11:06, Gen Zhang wrote: > > > > On Fri, May 17, 2019 at 10:41:28AM +0200, Ard Biesheuvel wrote: > > > Returning an error here is not going to make much difference, giv

Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-20 Thread Gen Zhang
On Mon, May 20, 2019 at 10:55:40PM -0400, Nicolas Pitre wrote: > On Tue, 21 May 2019, Gen Zhang wrote: > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > vc->vc_screenbuf is allocated a memory space via kzalloc(). And they are > >

Re: [PATCH v3] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-20 Thread Gen Zhang
return value and handle the error. Further, the loop condition MIN_NR_CONSOLES is defined as 1 in include/uapi/linux/vt.h and it is not changed. So there is no need to unwind the loop. Signed-off-by: Gen Zhang --- diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index fdd12f8..ea47eb3 100644 -

Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-20 Thread Gen Zhang
On Mon, May 20, 2019 at 11:26:20PM -0400, Nicolas Pitre wrote: > On Tue, 21 May 2019, Gen Zhang wrote: > > > On Mon, May 20, 2019 at 10:55:40PM -0400, Nicolas Pitre wrote: > > > On Tue, 21 May 2019, Gen Zhang wrote: > > > > > > > In function con_init()

Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-21 Thread Gen Zhang
On Tue, May 21, 2019 at 12:30:38AM -0400, Nicolas Pitre wrote: > Now imagine that MIN_NR_CONSOLES is defined to 10 instead of 1. > > What happens with allocated memory if the err_vc condition is met on the > 5th loop? Yes, vc->vc_screenbuf from the last loop is still not freed, right? I don't

[PATCH] dm-region-hash: Fix a missing-check bug in drivers/md/dm-region-hash.c

2019-05-21 Thread Gen Zhang
check the return value and handle the error. Further, in __rh_find(), we should also check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/drivers/md/dm-region-hash.c b/drivers/md/dm-region-hash.c index 1f76045..2fa1641 100644 --- a/drivers/md/dm-region-hash.c +++ b

[PATCH] ip_sockglue: Fix a missing-check bug in net/ipv4/ip_sockglue.c

2019-05-21 Thread Gen Zhang
should check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 82f341e..d445839 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -343,6 +343,8 @@ int ip_ra_control(struct sock *sk, unsigned char

[PATCH] ipv6_sockglue.c: Fix a missing-check bug in net/ipv6/ipv6_sockglue.c

2019-05-21 Thread Gen Zhang
should check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 40f21fe..0a3d035 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int

[PATCH] ip_sockglue: Fix a missing-check bug in net/ipv4/ip_sockglue.c

2019-05-21 Thread Gen Zhang
should check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 82f341e..aa3fd61 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -343,6 +343,8 @@ int ip_ra_control(struct sock *sk, unsigned char

[PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c

2019-05-21 Thread Gen Zhang
In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang --- diff --git a/drivers/tty/vt/consolemap.c b

[PATCH] initramfs: Fix a missing-check bug in init/initramfs.c

2019-05-21 Thread Gen Zhang
uld check this allocation. Further, if kstrdup() returns NULL, we should free de and panic(). Signed-off-by: Gen Zhang --- diff --git a/init/initramfs.c b/init/initramfs.c index 178130f..dc8063f 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -125,6 +125,10 @@ static void __init dir_add(c

[PATCH] tty_io: Fix a missing-check bug in drivers/tty/tty_io.c

2019-05-21 Thread Gen Zhang
kernel go wrong. Thus we should check tty->dev. Further, if tty_get_device() returns NULL, we should free tty and return NULL. Signed-off-by: Gen Zhang --- diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 033ac7e..1444b59 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.

Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c

2019-05-21 Thread Gen Zhang
On Tue, May 21, 2019 at 01:44:33PM -0700, Kees Cook wrote: > This doesn't look safe to me: p->uni_pgdir[n] will still have a handle > to the freed memory, won't it? > Thanks for your reply, Kees! I think you are right. Maybe we should do this: kfree(p1); p->uni_pgdir[n] = NULL; Is

Re: [PATCH] initramfs: Fix a missing-check bug in init/initramfs.c

2019-05-21 Thread Gen Zhang
On Wed, May 22, 2019 at 10:00:37AM +0800, Li Zhijian wrote: > > On 5/22/19 09:04, Gen Zhang wrote: > >In dir_add(), de and de->name are allocated by kmalloc() and kstrdup(). > >And de->name is dereferenced in the following codes. However, memory > >alloca

Re: [PATCH v2] initramfs: Fix a missing-check bug in init/initramfs.c

2019-05-22 Thread Gen Zhang
the kernel go wrong. Thus we should check these two kstrdup() operations. Further, if kstrdup() returns NULL, we should free de in dir_add(). Signed-off-by: Gen Zhang --- diff --git a/init/initramfs.c b/init/initramfs.c index 178130f..1421488 100644 --- a/init/initramfs.c +++ b/init/initramf

[PATCH v2] initramfs: Fix a missing-check bug in init/initramfs.c

2019-05-22 Thread Gen Zhang
check these two kstrdup() operations. Further, if kstrdup() returns NULL, we should free de in dir_add(). Signed-off-by: Gen Zhang --- diff --git a/init/initramfs.c b/init/initramfs.c index 178130f..1421488 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -125,6 +125,10 @@ static void

Re: [PATCH] tty_io: Fix a missing-check bug in drivers/tty/tty_io.c

2019-05-22 Thread Gen Zhang
On Wed, May 22, 2019 at 06:25:36AM +0200, Jiri Slaby wrote: > On 22. 05. 19, 3:40, Gen Zhang wrote: > > In alloc_tty_struct(), tty->dev is assigned by tty_get_device(). And it > > calls class_find_device(). And class_find_device() may return NULL. > > And tty->dev is de

Re: [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-22 Thread Gen Zhang
On Tue, May 21, 2019 at 10:43:11PM -0400, Nicolas Pitre wrote: > On Tue, 21 May 2019, Gen Zhang wrote: > > > On Tue, May 21, 2019 at 12:30:38AM -0400, Nicolas Pitre wrote: > > > Now imagine that MIN_NR_CONSOLES is defined to 10 instead of 1. > > > > >

Re: [PATCH] tty_io: Fix a missing-check bug in drivers/tty/tty_io.c

2019-05-22 Thread Gen Zhang
On Wed, May 22, 2019 at 12:29:00PM +0200, Johan Hovold wrote: > Where do you see that the kernel is dereferencing tty->dev without > checking for NULL first? If you can find that, then that would indeed be > a bug that needs fixing. Thanks for your reply, Johan! I examined the code but failed to

Re: [PATCH] tty_io: Fix a missing-check bug in drivers/tty/tty_io.c

2019-05-22 Thread Gen Zhang
On Wed, May 22, 2019 at 10:15:56AM +0200, Jiri Slaby wrote: > Look at the top of alloc_tty_struct: there is tty_ldisc_init. If > tty_get_device fails here, you have to call tty_ldisc_deinit. Better, > you should add a failure-handling tail to this function and "goto" there. Thanks for your

Re: [PATCH] tty_io: Fix a missing-check bug in drivers/tty/tty_io.c

2019-05-22 Thread Gen Zhang
On Wed, May 22, 2019 at 01:19:49PM +0200, Johan Hovold wrote: > On Wed, May 22, 2019 at 07:13:54PM +0800, Gen Zhang wrote: > > On Wed, May 22, 2019 at 12:29:00PM +0200, Johan Hovold wrote: > > > Where do you see that the kernel is dereferencing tty->dev without > >

[PATCH v3] vt: Fix a missing-check bug in drivers/tty/vt/vt.c

2019-05-22 Thread Gen Zhang
vc->vc_screenbuf) dereference may happen. And it will cause the kernel to crash. Therefore, we should check return value and handle the error. Further, since the allocation is in a loop, we should free all the allocated memory in a loop. Signed-off-by: Gen Zhang --- diff --git a/drivers/tty/vt/

[PATCH] mpt3sas_ctl: Fix a double-fetch bug in drivers/scsi/mpt3sas/mpt3sas_ctl.c

2019-05-22 Thread Gen Zhang
to recheck the 'ioc_number' in the second fetch. Signed-off-by: Gen Zhang --- diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index b2bb47c..5181c03 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c @@ -2319,6 +2319,10

Re: [PATCH] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c

2019-05-22 Thread Gen Zhang
On Wed, May 22, 2019 at 01:54:47PM -0700, Kees Cook wrote: > On Wed, May 22, 2019 at 09:50:55AM +0800, Gen Zhang wrote: > > On Tue, May 21, 2019 at 01:44:33PM -0700, Kees Cook wrote: > > > This doesn't look safe to me: p->uni_pgdir[n] will still have a handle > > &

[PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c

2019-05-22 Thread Gen Zhang
In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang --- diff --git a/drivers/tty/vt/consolemap.c b

[A General Question] What should I do after getting Reviewed-by from a maintainer?

2019-05-22 Thread Gen Zhang
Hi Andrew, I am starting submitting patches these days and got some patches "Reviewed-by" from maintainers. After checking the submitting-patches.html, I figured out what "Reviewed-by" means. But I didn't get the guidance on what to do after getting "Reviewed-by". Am I supposed to send this

[PATCH] sg: Fix a double-fetch bug in drivers/scsi/sg.c

2019-05-22 Thread Gen Zhang
inconsistent data and potential errors as cmnd is used in the following codes. Thus we should check opcode between the two fetches to prevent this. Signed-off-by: Gen Zhang --- diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi

[PATCH] sdio: Fix a memory leaking bug in wl1271_probe()

2019-05-23 Thread Gen Zhang
before wl1271_probe() ends to prevent leaking memory. Signed-off-by: Gen Zhang --- diff --git a/drivers/net/wireless/ti/wlcore/sdio.c b/drivers/net/wireless/ti/wlcore/sdio.c index 4d4b0770..e134f30 100644 --- a/drivers/net/wireless/ti/wlcore/sdio.c +++ b/drivers/net/wireless/ti/wlcore/sdio.c @@

[PATCH] spi: Fix a memory leaking bug in wl1271_probe()

2019-05-23 Thread Gen Zhang
ormally ends to prevent leaking memory. Signed-off-by: Gen Zhang --- diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c index 62ce54a..3a020bd 100644 --- a/drivers/net/wireless/ti/wlcore/spi.c +++ b/drivers/net/wireless/ti/wlcore/spi.c @@ -480,7 +480,7 @

[PATCH v2] sdio: Fix a memory leaking bug in wl1271_probe()

2019-05-23 Thread Gen Zhang
. Signed-off-by: Gen Zhang --- diff --git a/drivers/net/wireless/ti/wlcore/sdio.c b/drivers/net/wireless/ti/wlcore/sdio.c index 4d4b0770..232ce5f 100644 --- a/drivers/net/wireless/ti/wlcore/sdio.c +++ b/drivers/net/wireless/ti/wlcore/sdio.c @@ -298,8 +298,10 @@ static int wl1271_probe(struct

[PATCH] tegra_wm9712: Fix a memory leaking bug in tegra_wm9712_driver_probe()

2019-05-23 Thread Gen Zhang
uld free 'machine->util_data', 'machine->codec' and 'machine' before this function normally ends to prevent memory leaking. Signed-off-by: Gen Zhang --- diff --git a/sound/soc/tegra/tegra_wm9712.c b/sound/soc/tegra/tegra_wm9712.c index 864a334..295c41d 100644 --- a/sound/soc/tegra/tegra_wm971

[PATCH] pcm030-audio-fabric: Fix a memory leaking bug in pcm030_fabric_probe()

2019-05-23 Thread Gen Zhang
uld free 'pdata' when 'pdata->codec_device' is NULL. And we should free 'pdata->codec_device' and 'pdata' when 'ret' is error to prevent memory leaking. Signed-off-by: Gen Zhang --- diff --git a/sound/soc/fsl/pcm030-audio-fabric.c b/sound/soc/fsl/pcm030-audio-fabric.c index a7fe4ad..d2e6e

Re: [PATCH v2] consolemap: Fix a memory leaking bug in drivers/tty/vt/consolemap.c

2019-05-23 Thread Gen Zhang
On Thu, May 23, 2019 at 09:54:18AM -0700, Kees Cook wrote: > On Thu, May 23, 2019 at 08:34:52AM +0800, Gen Zhang wrote: > > In function con_insert_unipair(), when allocation for p2 and p1[n] > > fails, ENOMEM is returned, but previously allocated p1 is not freed, > > rema

[PATCH v2] consolemap: Fix a memory leaking bug in con_insert_unipair()

2019-05-23 Thread Gen Zhang
In function con_insert_unipair(), when allocation for p2 and p1[n] fails, ENOMEM is returned, but previously allocated p1 is not freed, remains as leaking memory. Thus we should free p1 as well when this allocation fails. Signed-off-by: Gen Zhang Reviewed-by: Kees Cook --- diff --git a/drivers

[PATCH v3] vt: Fix a missing-check bug in con_init()

2019-05-23 Thread Gen Zhang
vc->vc_screenbuf) dereference may happen. And it will cause the kernel to crash. Therefore, we should check return value and handle the error. Further, since the allocation is in a loop, we should free all the allocated memory in a loop. Signed-off-by: Gen Zhang Reviewed-by: Nicolas Pitre --

[PATCH v2] wlcore: sdio: Fix a memory leaking bug in wl1271_probe()

2019-05-23 Thread Gen Zhang
. Signed-off-by: Gen Zhang --- diff --git a/drivers/net/wireless/ti/wlcore/sdio.c b/drivers/net/wireless/ti/wlcore/sdio.c index 4d4b0770..9110891 100644 --- a/drivers/net/wireless/ti/wlcore/sdio.c +++ b/drivers/net/wireless/ti/wlcore/sdio.c @@ -298,8 +298,10 @@ static int wl1271_probe(struct

[PATCH] wlcore: spi: Fix a memory leaking bug in wl1271_probe()

2019-05-23 Thread Gen Zhang
ormally ends to prevent leaking memory. Signed-off-by: Gen Zhang --- diff --git a/drivers/net/wireless/ti/wlcore/spi.c b/drivers/net/wireless/ti/wlcore/spi.c index 62ce54a..ea0ec26 100644 --- a/drivers/net/wireless/ti/wlcore/spi.c +++ b/drivers/net/wireless/ti/wlcore/spi.c @@ -480,7 +480,7 @

[PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()

2019-05-23 Thread Gen Zhang
should check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 40f21fe..0a3d035 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -68,6 +68,8 @@ int ip6_ra_control(struct sock *sk, int

[PATCH] ip_sockglue: Fix missing-check bug in ip_ra_control()

2019-05-23 Thread Gen Zhang
should check the return value and handle the error. Signed-off-by: Gen Zhang --- diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 82f341e..aa3fd61 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -343,6 +343,8 @@ int ip_ra_control(struct sock *sk, unsigned char

[PATCH v2] initramfs: Fix a missing-chek bug in dir_add()

2019-05-23 Thread Gen Zhang
check these two kstrdup() operations. Further, if kstrdup() returns NULL, we should free de in dir_add(). Signed-off-by: Gen Zhang --- diff --git a/init/initramfs.c b/init/initramfs.c index 178130f..1421488 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -125,6 +125,10 @@ static void

Re: [PATCH v2] initramfs: Fix a missing-chek bug in dir_add()

2019-05-23 Thread Gen Zhang
On Thu, May 23, 2019 at 08:35:23PM -0700, Andrew Morton wrote: > On Fri, 24 May 2019 11:30:45 +0800 Gen Zhang wrote: > > > In dir_add() and do_name(), de->name and vcollected are allocated by > > kstrdup(). And de->name and vcollected are dereferenced in the following &g

Re: [PATCH] tegra_wm9712: Fix a memory leaking bug in tegra_wm9712_driver_probe()

2019-05-24 Thread Gen Zhang
On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote: > > On 24/05/2019 01:50, Gen Zhang wrote: > > In tegra_wm9712_driver_probe(), 'machine->codec' is allocated by > > platform_device_alloc(). When it is NULL, function returns ENOMEM. > > However, 'machine' i

Re: [PATCH] tegra_wm9712: Fix a memory leaking bug in tegra_wm9712_driver_probe()

2019-05-24 Thread Gen Zhang
On Fri, May 24, 2019 at 03:47:34PM +0100, Jon Hunter wrote: > > On 24/05/2019 15:33, Gen Zhang wrote: > > On Fri, May 24, 2019 at 09:33:13AM +0100, Jon Hunter wrote: > >> > >> On 24/05/2019 01:50, Gen Zhang wrote: > >>> In tegra_wm9712_dri

Re: [PATCH] tegra_wm9712: Fix a memory leaking bug in tegra_wm9712_driver_probe()

2019-05-24 Thread Gen Zhang
On Fri, May 24, 2019 at 04:36:54PM +0100, Jon Hunter wrote: > There could well be cases where you need to explicitly call > devm_kfree(), but having a quick glance at the example above, I don't > see why you would call devm_kfree() here and yes looks like that code > could be simplified

Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

2019-06-08 Thread Gen Zhang
On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > vc->vc_screenbuf is allocated by kzalloc(). And they are used in the > following codes. However, kzalloc() returns NULL when fails, and nul

Re: [PATCH] tegra-hsp: fix a missing-check bug in tegra_hsp_doorbell_create()

2019-06-08 Thread Gen Zhang
On Thu, May 30, 2019 at 09:19:20AM +0800, Gen Zhang wrote: > In tegra_hsp_doorbell_create(), 'db->name' is allocated by > devm_kstrdup_const(). It returns NULL when fails. So 'db->name' should > be checked. > > Signed-off-by: Gen Zhang > Acked-by: Thierry Reding >

Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

2019-06-08 Thread Gen Zhang
On Sat, Jun 08, 2019 at 06:21:27PM +0200, Greg KH wrote: > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > > vc

Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

2019-06-08 Thread Gen Zhang
On Sat, Jun 08, 2019 at 06:22:19PM +0200, Greg KH wrote: > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > > vc

Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

2019-06-08 Thread Gen Zhang
On Sat, Jun 08, 2019 at 06:21:27PM +0200, Greg KH wrote: > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and > > > vc

Re: [PATCH v3] vt: Fix a missing-check bug in con_init()

2019-06-10 Thread Gen Zhang
On Sat, Jun 08, 2019 at 08:15:46PM -0400, Nicolas Pitre wrote: > On Sat, 8 Jun 2019, Greg KH wrote: > > > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote: > > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote: > > > > In function con_ini

Re: [PATCH v3] selinux: lsm: fix a missing-check bug in selinux_add_mnt_opt()

2019-06-10 Thread Gen Zhang
On Mon, Jun 10, 2019 at 03:31:50PM -0400, Paul Moore wrote: > On Fri, Jun 7, 2019 at 8:11 AM Gen Zhang wrote: > > > > On Fri, Jun 07, 2019 at 10:39:05AM +0200, Ondrej Mosnacek wrote: > > > On Thu, Jun 6, 2019 at 11:23 AM Gen Zhang > > > wrote: >

Re: [PATCH v4] selinux: lsm: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-06-10 Thread Gen Zhang
On Mon, Jun 10, 2019 at 04:20:28PM -0400, Paul Moore wrote: > On Fri, Jun 7, 2019 at 4:41 AM Ondrej Mosnacek wrote: > > > > On Thu, Jun 6, 2019 at 10:55 AM Gen Zhang wrote: > > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > > returns

[PATCH] dm-init: fix 2 incorrect use of kstrndup()

2019-05-28 Thread Gen Zhang
In drivers/md/dm-init.c, kstrndup() is incorrectly used twice. It should be: char *kstrndup(const char *s, size_t max, gfp_t gfp); Signed-off-by: Gen Zhang --- diff --git a/drivers/md/dm-init.c b/drivers/md/dm-init.c index 352e803..526e261 100644 --- a/drivers/md/dm-init.c +++ b/drivers/md/dm

[PATCH] wcd9335: fix a incorrect use of kstrndup()

2019-05-28 Thread Gen Zhang
In wcd9335_codec_enable_dec(), 'widget_name' is allocated by kstrndup(). However, according to doc: "Note: Use kmemdup_nul() instead if the size is known exactly." So we should use kmemdup_nul() here instead of kstrndup(). Signed-off-by: Gen Zhang --- diff --git a/sound/soc/codecs/w

[PATCH] dlpar: Fix a missing-check bug in dlpar_parse_cc_property()

2019-05-29 Thread Gen Zhang
In dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup(). kstrdup() may return NULL, so it should be checked and handle error. And prop should be freed if 'prop->name' is NULL. Signed-off-by: Gen Zhang Acked-by: Nathan Lynch --- diff --git a/arch/powerpc/platforms/pseries/dlpa

[PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()

2019-05-29 Thread Gen Zhang
to recheck the 'ioc_number' in the second fetch. Signed-off-by: Gen Zhang Ack-by: Suganath Prabu S --- diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index b2bb47c..5181c03 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas

[PATCH] tegra-hsp: fix a missing-check bug in tegra_hsp_doorbell_create()

2019-05-29 Thread Gen Zhang
In tegra_hsp_doorbell_create(), 'db->name' is allocated by devm_kstrdup_const(). It returns NULL when fails. So 'db->name' should be checked. Signed-off-by: Gen Zhang Acked-by: Thierry Reding --- diff --git a/drivers/mailbox/tegra-hsp.c b/drivers/mailbox/tegra-hsp.c index 11fc9fd..b

[PATCH] knav_qmss_queue: fix a missing-check bug in knav_pool_create()

2019-05-29 Thread Gen Zhang
In knav_pool_create(), 'pool->name' is allocated by kstrndup(). It returns NULL when fails. So 'pool->name' should be checked. And free 'pool' when error. Signed-off-by: Gen Zhang --- diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c index 8b41837..0f8cb28

[PATCH] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-29 Thread Gen Zhang
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. Signed-off-by: Gen Zhang --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec702c..5a9e959 100644 --- a/security/selinux/hooks.c +++ b/security

Re: [PATCH] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-30 Thread Gen Zhang
On Wed, May 29, 2019 at 09:39:50PM -0700, William Roberts wrote: > On Wed, May 29, 2019 at 8:55 PM Gen Zhang wrote: > > > > In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It > > returns NULL when fails. So 'arg' should be checked. > > &

[PATCH] hooks: fix a missing-check bug in selinux_add_mnt_opt()

2019-05-30 Thread Gen Zhang
In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns NULL when fails. So 'val' should be checked. Signed-off-by: Gen Zhang --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec702c..4797c63 100644 --- a/security/selinux/hooks.c +++ b/security/selinux

[PATCH v2] hooks: fix a missing-check bug in selinux_sb_eat_lsm_opts()

2019-05-30 Thread Gen Zhang
In selinux_sb_eat_lsm_opts(), 'arg' is allocated by kmemdup_nul(). It returns NULL when fails. So 'arg' should be checked. Signed-off-by: Gen Zhang Fixes: 99dbbb593fe6 ("selinux: rewrite selinux_sb_eat_lsm_opts()") --- diff --git a/security/selinux/hooks.c b/security/selinux/hoo

[PATCH v2] hooks: fix a missing-check bug in selinux_add_mnt_opt()

2019-05-30 Thread Gen Zhang
In selinux_add_mnt_opt(), 'val' is allocated by kmemdup_nul(). It returns NULL when fails. So 'val' should be checked. Signed-off-by: Gen Zhang Fixes: 757cbe597fe8 ("LSM: new method: ->sb_add_mnt_opt()") --- diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec

[PATCH] orangefs-debugfs: fix a missing-check bug in debug_string_to_mask()

2019-05-30 Thread Gen Zhang
In debug_string_to_mask(), 'strsep_fodder' is allocated by kstrdup(). It returns NULL when fails. So 'strsep_fodder' should be checked. Signed-off-by: Gen Zhang --- diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c index 87b1a6f..a9a9aac 100644 --- a/fs/orangefs

Re: [PATCH] hooks: fix a missing-check bug in selinux_add_mnt_opt()

2019-05-30 Thread Gen Zhang
On Thu, May 30, 2019 at 12:11:33PM +0300, Sergei Shtylyov wrote: > Hello! > > On 30.05.2019 11:06, Gen Zhang wrote: > > >In selinux_add_mnt_opt(), 'val' is allcoted by kmemdup_nul(). It returns > >Allocated? Thanks for your reply, Sergei. I used 'allocated' because

Re: [PATCH] hooks: fix a missing-check bug in selinux_add_mnt_opt()

2019-05-30 Thread Gen Zhang
On Thu, May 30, 2019 at 12:22:15PM +0300, Sergei Shtylyov wrote: > On 30.05.2019 12:18, Gen Zhang wrote: > > >>On 30.05.2019 11:06, Gen Zhang wrote: > >> > >>>In selinux_add_mnt_opt(), 'val' is allcoted by kmemdup_nul(). It returns > >> > >>

[PATCH] wimax: debug: fix a missing-check bug in d_parse_params()

2019-05-30 Thread Gen Zhang
In d_parse_params(), 'params_orig' is allocated by kstrdup(). It returns NULL when fails. So 'params_orig' should be checked. Signed-off-by: Gen Zhang --- diff --git a/include/linux/wimax/debug.h b/include/linux/wimax/debug.h index aaf24ba..bacd6cb 100644 --- a/include/linux/wimax/debug.h +++ b

[devm_kfree() usage] When should devm_kfree() be used?

2019-05-24 Thread Gen Zhang
devm_kmalloc() is used to allocate memory for a driver dev. Comments above the definition and doc (https://www.kernel.org/doc/Documentation/driver-model/devres.txt) all imply that allocated the memory is automatically freed on driver attach, no matter allocation fail or not. However, I examined

Re: [A General Question] What should I do after getting Reviewed-by from a maintainer?

2019-05-24 Thread Gen Zhang
On Fri, May 24, 2019 at 04:21:36PM -0700, Randy Dunlap wrote: > On 5/22/19 6:17 PM, Gen Zhang wrote: > > Hi Andrew, > > I am starting submitting patches these days and got some patches > > "Reviewed-by" from maintainers. After checking the > > submit

Re: [A General Question] What should I do after getting Reviewed-by from a maintainer?

2019-05-25 Thread Gen Zhang
On Sat, May 25, 2019 at 07:06:48AM +0200, Willy Tarreau wrote: > On Sat, May 25, 2019 at 10:12:41AM +0800, Gen Zhang wrote: > > On Fri, May 24, 2019 at 04:21:36PM -0700, Randy Dunlap wrote: > > > On 5/22/19 6:17 PM, Gen Zhang wrote: > > > > Hi Andrew, > >

[PATCH] dlpar: Fix a missing-check bug in dlpar_parse_cc_property()

2019-05-25 Thread Gen Zhang
In dlpar_parse_cc_property(), 'prop->name' is allocated by kstrdup(). kstrdup() may return NULL, so it should be checked and handle error. And prop should be freed if 'prop->name' is NULL. Signed-off-by: Gen Zhang --- diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/pla

[PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()

2019-05-26 Thread Gen Zhang
to recheck the 'ioc_number' in the second fetch. Signed-off-by: Gen Zhang --- diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index b2bb47c..5181c03 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c @@ -2319,6 +2319,10

[PATCH] sg: fix a double-fetch bug in sg_write()

2019-05-26 Thread Gen Zhang
inconsistent data and potential errors as cmnd is used in the following codes. Thus we should check opcode between the two fetches to prevent this. Signed-off-by: Gen Zhang --- diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index d3f1531..a2971b8 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi

[PATCH] mdesc: fix a missing-check bug in get_vdev_port_node_info()

2019-05-26 Thread Gen Zhang
In get_vdev_port_node_info(), 'node_info->vdev_port.name' is allocated by kstrdup_const(), and it returns NULL when fails. So 'node_info->vdev_port.name' should be checked. Signed-off-by: Gen Zhang --- diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c index 9a26b44..8

[PATCH] tegra-hsp: fix a missing-check bug in tegra_hsp_doorbell_create()

2019-05-27 Thread Gen Zhang
In tegra_hsp_doorbell_create(), 'db->name' is allocated by devm_kstrdup_const(). It returns NULL when it fails. So 'db->name' should be checked. Signed-off-by: Gen Zhang --- diff --git a/drivers/mailbox/tegra-hsp.c b/drivers/mailbox/tegra-hsp.c index 11fc9fd..b613c46 100644 --- a/drivers/m

[PATCH] clk: fix a missing-free bug in clk_cpy_name()

2019-05-27 Thread Gen Zhang
In clk_cpy_name(), '*dst_p' ('parent->name' and 'parent->fw_name') and 'dst' are allocated by kstrdup_const(). According to doc: "Strings allocated by kstrdup_const should be freed by kfree_const". So 'parent->name', 'parent->fw_name' and 'dst' should be freed. Signed-off-b

Re: [PATCH] tegra-hsp: fix a missing-check bug in tegra_hsp_doorbell_create()

2019-05-27 Thread Gen Zhang
On Mon, May 27, 2019 at 04:05:49PM +0200, Thierry Reding wrote: > On Mon, May 27, 2019 at 09:04:30PM +0800, Gen Zhang wrote: > > In tegra_hsp_doorbell_create(), 'db->name' is allocated by > > devm_kstrdup_const(). It returns NULL when it fails. So 'db->name' should > >

[Question: devm_kfree] When should devm_kfree() be used?

2019-05-27 Thread Gen Zhang
devm_kmalloc() is used to allocate memory for a driver dev. Comments above the definition and doc (https://www.kernel.org/doc/Documentation/driver-model/devres.txt) all imply that the allocated memory is automatically freed on driver attach, no matter whether the allocation fails or not. However, I examined

[PATCH v3] vt: Fix a missing-check bug in con_init()

2019-05-27 Thread Gen Zhang
ore, we should check the return value and handle the error. Further, since the allocation is in a loop, we should free all the allocated memory in a loop. Signed-off-by: Gen Zhang Reviewed-by: Nicolas Pitre --- diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index fdd12f8..d50f68f 100

[PATCH] dfs_cache: fix a wrong use of kfree in flush_cache_ent()

2019-05-27 Thread Gen Zhang
In flush_cache_ent(), 'ce->ce_path' is allocated by kstrdup_const(). It should be freed by kfree_const(), rather than kfree(). Signed-off-by: Gen Zhang --- diff --git a/fs/cifs/dfs_cache.c b/fs/cifs/dfs_cache.c index 85dc89d..e3e1c13 100644 --- a/fs/cifs/dfs_cache.c +++ b/fs/cifs/dfs_cach

[PATCH] clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()

2019-05-27 Thread Gen Zhang
In sunxi_divs_clk_setup(), 'derived_name' is allocated by kstrndup(). It returns NULL when it fails. 'derived_name' should be checked. Signed-off-by: Gen Zhang --- diff --git a/drivers/clk/sunxi/clk-sunxi.c b/drivers/clk/sunxi/clk-sunxi.c index f5b1c00..830bfb7 100644 --- a/drivers/clk/sunxi/clk

Re: [PATCH] mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()

2019-05-28 Thread Gen Zhang
On Tue, May 28, 2019 at 11:44:35AM +0530, Suganath Prabu Subramani wrote: > Please consider this patch as Ack-by: Suganath Prabu S > > > Thanks, > Suganath. > > > On Mon, May 27, 2019 at 6:27 AM Gen Zhang wrote: > > > > In _ctl_ioctl_main(), 'ioctl_he

Re: [Question: devm_kfree] When should devm_kfree() be used?

2019-05-28 Thread Gen Zhang
On Tue, May 28, 2019 at 08:49:49AM +0200, Greg KH wrote: > On Tue, May 28, 2019 at 08:32:57AM +0800, Gen Zhang wrote: > > devm_kmalloc() is used to allocate memory for a driver dev. Comments > > above the definition and doc > > (https://www.kernel.org/doc/Documentation/dr

Re: [PATCH] wlcore: spi: Fix a memory leaking bug in wl1271_probe()

2019-05-28 Thread Gen Zhang
On Tue, May 28, 2019 at 11:39:22AM +, Kalle Valo wrote: > Gen Zhang wrote: > > > In wl1271_probe(), 'glue->core' is allocated by platform_device_alloc(), > > when this allocation fails, ENOMEM is returned. However, 'pdev_data' > > and 'glue' are allocated by devm_k

Re: [PATCH] wlcore: spi: Fix a memory leaking bug in wl1271_probe()

2019-05-28 Thread Gen Zhang
devm_kmalloc(). > > > > On Tue, May 28, 2019 at 08:32:57AM +0800, Gen Zhang wrote: > >> devm_kmalloc() is used to allocate memory for a driver dev. Comments > >> above the definition and doc > >> (https://www.kernel.org/doc/Documentation/driver-model/devres.txt) all >

Re: [Question: devm_kfree] When should devm_kfree() be used?

2019-05-28 Thread Gen Zhang
On Tue, May 28, 2019 at 02:41:38PM +0200, Greg KH wrote: > No, you are not leaking any memory if you do not call that function. > Try it and see :) > > The function is there if you just want to "free the memory now!", it's > not necessary if you return an error as when the device is removed the >

Re: [PATCH] tegra-hsp: fix a missing-check bug in tegra_hsp_doorbell_create()

2019-06-17 Thread Gen Zhang
On Sun, Jun 09, 2019 at 12:11:44AM +0800, Gen Zhang wrote: > On Thu, May 30, 2019 at 09:19:20AM +0800, Gen Zhang wrote: > > In tegra_hsp_doorbell_create(), 'db->name' is allocated by > > devm_kstrdup_const(). It returns NULL when it fails. So 'db->name' should > > be c

Re: [PATCH] ipv6_sockglue: Fix a missing-check bug in ip6_ra_control()

2019-07-01 Thread Gen Zhang
On Mon, Jul 01, 2019 at 10:57:36AM +0200, Jiri Slaby wrote: > On 24. 05. 19, 5:19, Gen Zhang wrote: > > In function ip6_ra_control(), the pointer new_ra is allocated a memory > > space via kmalloc(). And it is used in the following codes. However, > > when there is a me

Re: [PATCH] sg: fix a double-fetch bug in sg_write()

2019-06-05 Thread Gen Zhang
On Wed, Jun 05, 2019 at 08:41:11AM +0200, Jiri Slaby wrote: > On 31. 05. 19, 3:27, Gen Zhang wrote: > > In sg_write(), the opcode of the command is fetched the first time from > > the userspace by __get_user(). Then the whole command, the opcode > > included, is fetched

Re: [PATCH] clk: fix a missing-free bug in clk_cpy_name()

2019-06-05 Thread Gen Zhang
On Wed, Jun 05, 2019 at 08:38:00AM +0200, Jiri Slaby wrote: > On 31. 05. 19, 3:14, Gen Zhang wrote: > > In clk_cpy_name(), '*dst_p' ('parent->name' and 'parent->fw_name') and > > 'dst' are allocated by kstrdup_const(). According to doc: "Strings > > allocated
