[PATCH] staging: rtl8192e: initializing the wep buffer

2019-10-17 Thread Kangjie Lu
The "wep" buffer is not initialized. To avoid memory disclosures,
the fix initializes it, as peer functions like rtllib_ccmp_set_key
do.

Signed-off-by: Kangjie Lu 
---
 drivers/staging/rtl8192e/rtllib_crypt_wep.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/staging/rtl8192e/rtllib_crypt_wep.c 
b/drivers/staging/rtl8192e/rtllib_crypt_wep.c
index b1ea650036d2..0931777ed157 100644
--- a/drivers/staging/rtl8192e/rtllib_crypt_wep.c
+++ b/drivers/staging/rtl8192e/rtllib_crypt_wep.c
@@ -232,6 +232,7 @@ static int prism2_wep_set_key(void *key, int len, u8 *seq, 
void *priv)
if (len < 0 || len > WEP_KEY_LEN)
return -1;
 
+   memset(wep, 0, sizeof(*wep));
memcpy(wep->key, key, len);
wep->key_len = len;
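Review bot: The added `memset(wep, 0, sizeof(*wep));` clears the whole private structure rather than only the key bytes, so anything stored in it before set_key runs is wiped on every key change. The struct definition is outside this hunk, but if it holds an IV counter, a key index or cipher handles, those are lost too. If it does, zeroing just the key is enough to keep stale key bytes from lingering: `memset(wep->key, 0, sizeof(wep->key));` (assuming `key` is an array member), or save and restore the other members around the memset. The identical line added to lib80211_wep_set_key in the net/wireless/lib80211_crypt_wep.c patch on this page raises the same question. prism2_wep_set_key continues past the end of the hunk.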
 
-- 
2.17.1



[PATCH] media: rcar_drif: fix a memory disclosure

2019-10-17 Thread Kangjie Lu
"f->fmt.sdr.reserved" is uninitialized. As other peer drivers
like msi2500 and airspy do, the fix initializes it to avoid
memory disclosures.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/rcar_drif.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/rcar_drif.c 
b/drivers/media/platform/rcar_drif.c
index 608e5217ccd5..0f267a237b42 100644
--- a/drivers/media/platform/rcar_drif.c
+++ b/drivers/media/platform/rcar_drif.c
@@ -912,6 +912,7 @@ static int rcar_drif_g_fmt_sdr_cap(struct file *file, void 
*priv,
 {
struct rcar_drif_sdr *sdr = video_drvdata(file);
 
+   memset(f->fmt.sdr.reserved, 0, sizeof(f->fmt.sdr.reserved));
f->fmt.sdr.pixelformat = sdr->fmt->pixelformat;
f->fmt.sdr.buffersize = sdr->fmt->buffersize;
 
-- 
2.17.1



[PATCH] net/lib80211: scrubbing the buffer for key

2019-10-17 Thread Kangjie Lu
The "key" is not scrubbed. As peer modules do, the fix zeroes
out the key buffer.

Signed-off-by: Kangjie Lu 
---
 net/wireless/lib80211_crypt_wep.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/wireless/lib80211_crypt_wep.c 
b/net/wireless/lib80211_crypt_wep.c
index dafc6f3571db..08e511aaa1ff 100644
--- a/net/wireless/lib80211_crypt_wep.c
+++ b/net/wireless/lib80211_crypt_wep.c
@@ -202,6 +202,7 @@ static int lib80211_wep_set_key(void *key, int len, u8 * 
seq, void *priv)
if (len < 0 || len > WEP_KEY_LEN)
return -1;
 
+   memset(wep, 0, sizeof(*wep));
memcpy(wep->key, key, len);
wep->key_len = len;
 
-- 
2.17.1



[tip:x86/cleanups] x86/platform/uv: Fix missing checks of kcalloc() return values

2019-03-26 Thread tip-bot for Kangjie Lu
Commit-ID:  766460852cfaeca4042e5f3aeb9616b3689147bc
Gitweb: https://git.kernel.org/tip/766460852cfaeca4042e5f3aeb9616b3689147bc
Author: Kangjie Lu 
AuthorDate: Mon, 25 Mar 2019 15:29:22 -0500
Committer:  Borislav Petkov 
CommitDate: Tue, 26 Mar 2019 17:01:30 +0100

x86/platform/uv: Fix missing checks of kcalloc() return values

Handle potential errors returned from kcalloc().

 [ bp: rewrite commit message. ]

Signed-off-by: Kangjie Lu 
Signed-off-by: Borislav Petkov 
Cc: Andrew Banman 
Cc: Andy Shevchenko 
Cc: Colin Ian King 
Cc: Darren Hart 
Cc: "Gustavo A. R. Silva" 
Cc: "H. Peter Anvin" 
Cc: Ingo Molnar 
Cc: Kees Cook 
Cc: Mike Travis 
Cc: Nicolai Stange 
Cc: pakki...@umn.edu
Cc: platform-driver-...@vger.kernel.org
Cc: Thomas Gleixner 
Cc: Varsha Rao 
Cc: x86-ml 
Link: https://lkml.kernel.org/r/20190325202924.4624-1-k...@umn.edu
---
 arch/x86/platform/uv/tlb_uv.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
index 2c53b0f19329..1297e185b8c8 100644
--- a/arch/x86/platform/uv/tlb_uv.c
+++ b/arch/x86/platform/uv/tlb_uv.c
@@ -2133,14 +2133,19 @@ static int __init summarize_uvhub_sockets(int nuvhubs,
  */
 static int __init init_per_cpu(int nuvhubs, int base_part_pnode)
 {
-   unsigned char *uvhub_mask;
struct uvhub_desc *uvhub_descs;
+   unsigned char *uvhub_mask = NULL;
 
if (is_uv3_hub() || is_uv2_hub() || is_uv1_hub())
timeout_us = calculate_destination_timeout();
 
uvhub_descs = kcalloc(nuvhubs, sizeof(struct uvhub_desc), GFP_KERNEL);
+   if (!uvhub_descs)
+   goto fail;
+
uvhub_mask = kzalloc((nuvhubs+7)/8, GFP_KERNEL);
+   if (!uvhub_mask)
+   goto fail;
 
if (get_cpu_topology(base_part_pnode, uvhub_descs, uvhub_mask))
goto fail;


[PATCH v3] PCI: xilinx: Check for __get_free_pages() failure

2019-03-25 Thread Kangjie Lu
If __get_free_pages() fails, the patch returns -ENOMEM to avoid
NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
v3: remove "unlikely", as suggested by Bjorn Helgaas.
v2: caller is redefined to accept the error code, as suggested by
Steven Price 
---
 drivers/pci/controller/pcie-xilinx.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/controller/pcie-xilinx.c 
b/drivers/pci/controller/pcie-xilinx.c
index 9bd1a35cd5d8..abc214e94f7c 100644
--- a/drivers/pci/controller/pcie-xilinx.c
+++ b/drivers/pci/controller/pcie-xilinx.c
@@ -336,14 +336,19 @@ static const struct irq_domain_ops msi_domain_ops = {
  * xilinx_pcie_enable_msi - Enable MSI support
  * @port: PCIe port information
  */
-static void xilinx_pcie_enable_msi(struct xilinx_pcie_port *port)
+static int xilinx_pcie_enable_msi(struct xilinx_pcie_port *port)
 {
phys_addr_t msg_addr;
 
port->msi_pages = __get_free_pages(GFP_KERNEL, 0);
+   if (!port->msi_pages)
+   return -ENOMEM;
+
msg_addr = virt_to_phys((void *)port->msi_pages);
pcie_write(port, 0x0, XILINX_PCIE_REG_MSIBASE1);
pcie_write(port, msg_addr, XILINX_PCIE_REG_MSIBASE2);
+
+   return 0;
 }
 
 /* INTx Functions */
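Review bot: The kernel-doc block above xilinx_pcie_enable_msi() still documents only `@port`, although the function now returns an int instead of void. A `Return:` line would record the new contract, for example ` * Return: 0 on success, -ENOMEM if the MSI page cannot be allocated`. The v2 posting of this patch further down the page has the same gap.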
@@ -498,6 +503,7 @@ static int xilinx_pcie_init_irq_domain(struct 
xilinx_pcie_port *port)
struct device *dev = port->dev;
struct device_node *node = dev->of_node;
struct device_node *pcie_intc_node;
+   int ret;
 
/* Setup INTx */
pcie_intc_node = of_get_next_child(node, NULL);
@@ -526,7 +532,9 @@ static int xilinx_pcie_init_irq_domain(struct 
xilinx_pcie_port *port)
return -ENODEV;
}
 
-   xilinx_pcie_enable_msi(port);
+   ret = xilinx_pcie_enable_msi(port);
+   if (ret)
+   return ret;
}
 
return 0;
-- 
2.17.1



[PATCH v2] pci: pcie-xilinx: fix a missing-check bug for __get_free_pages

2019-03-25 Thread Kangjie Lu
In case __get_free_pages fails, the fix returns -ENOMEM to avoid
NULL pointer dereference.

Signed-off-by: Kangjie Lu 
Reviewed-by: Steven Price 
---
v2: caller is redefined to accept the error code, as suggested by
Steven Price 
---
 drivers/pci/controller/pcie-xilinx.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/pci/controller/pcie-xilinx.c 
b/drivers/pci/controller/pcie-xilinx.c
index 9bd1a35cd5d8..abc214e94f7c 100644
--- a/drivers/pci/controller/pcie-xilinx.c
+++ b/drivers/pci/controller/pcie-xilinx.c
@@ -336,14 +336,19 @@ static const struct irq_domain_ops msi_domain_ops = {
  * xilinx_pcie_enable_msi - Enable MSI support
  * @port: PCIe port information
  */
-static void xilinx_pcie_enable_msi(struct xilinx_pcie_port *port)
+static int xilinx_pcie_enable_msi(struct xilinx_pcie_port *port)
 {
phys_addr_t msg_addr;
 
port->msi_pages = __get_free_pages(GFP_KERNEL, 0);
+   if (unlikely(!port->msi_pages))
+   return -ENOMEM;
+
msg_addr = virt_to_phys((void *)port->msi_pages);
pcie_write(port, 0x0, XILINX_PCIE_REG_MSIBASE1);
pcie_write(port, msg_addr, XILINX_PCIE_REG_MSIBASE2);
+
+   return 0;
 }
 
 /* INTx Functions */
@@ -498,6 +503,7 @@ static int xilinx_pcie_init_irq_domain(struct 
xilinx_pcie_port *port)
struct device *dev = port->dev;
struct device_node *node = dev->of_node;
struct device_node *pcie_intc_node;
+   int ret;
 
/* Setup INTx */
pcie_intc_node = of_get_next_child(node, NULL);
@@ -526,7 +532,9 @@ static int xilinx_pcie_init_irq_domain(struct 
xilinx_pcie_port *port)
return -ENODEV;
}
 
-   xilinx_pcie_enable_msi(port);
+   ret = xilinx_pcie_enable_msi(port);
+   if (ret)
+   return ret;
}
 
return 0;
-- 
2.17.1



[PATCH v2] sound: codecs: fix a potential NULL pointer dereference

2019-03-25 Thread Kangjie Lu
In case devm_kzalloc fails, the patch returns -ENOMEM to avoid
potential NULL pointer dereference.

Also add a check for rt5663_parse_dp to pass the error code
upstream

Signed-off-by: Kangjie Lu 
Reviewed-by: Mukesh Ojha 
---
v2: pass error code upstream in the caller as suggested by
Mukesh Ojha 
---
 sound/soc/codecs/rt5663.c | 9 +++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c
index da6647015708..ab03ba499ad2 100644
--- a/sound/soc/codecs/rt5663.c
+++ b/sound/soc/codecs/rt5663.c
@@ -3480,6 +3480,8 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, 
struct device *dev)
table_size = sizeof(struct impedance_mapping_table) *
rt5663->pdata.impedance_sensing_num;
rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL);
+   if (!rt5663->imp_table)
+   return -ENOMEM;
device_property_read_u32_array(dev,
"realtek,impedance_sensing_table",
(u32 *)rt5663->imp_table, table_size);
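Review bot: The context lines right after the new NULL check still pass `table_size` as the last argument of device_property_read_u32_array(), and the call's return value is dropped. `table_size` is a byte count, computed just above as `sizeof(struct impedance_mapping_table) * impedance_sensing_num`, while that argument is a count of u32 elements. With a byte count the read either fails, leaving the zeroed table in use, or may write past the allocation if the property is long enough. I would pass `table_size / sizeof(u32)` and propagate the result through a local `ret`, returning it when non-zero. The earlier v1 posting of this hunk on the page has the same context lines, and rt5663_parse_dp starts and ends outside the hunk.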
@@ -3507,8 +3509,11 @@ static int rt5663_i2c_probe(struct i2c_client *i2c,
 
if (pdata)
rt5663->pdata = *pdata;
-   else
-   rt5663_parse_dp(rt5663, >dev);
+   else {
+   ret = rt5663_parse_dp(rt5663, >dev);
+   if (ret)
+   return ret;
+   }
 
for (i = 0; i < ARRAY_SIZE(rt5663->supplies); i++)
rt5663->supplies[i].supply = rt5663_supply_names[i];
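Review bot: The new `else { ... }` leaves the `if (pdata)` branch unbraced; kernel coding style asks for braces on both branches once one of them needs them, i.e. `if (pdata) {` followed by `} else {`. rt5663_i2c_probe continues outside the hunk, so whether anything acquired before this point needs unwinding on the new early `return ret;` cannot be checked from here.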
-- 
2.17.1



[PATCH] firmware: arm_scmi: check return value of idr_find

2019-03-25 Thread Kangjie Lu
Thanks for Steven Price's review of this patch. In the current code,
idr_find won't return NULL because the SCMI_PROTOCOL_BASE id must 
exist. However, it might return NULL in the future code if the check
is on another node while processing the children in subsequent calls 
to scmi_mbox_chan_setup().
Therefore, the patch conservatively checks the return value and 
returns -EINVAL when it indeed failed.

Signed-off-by: Kangjie Lu 
Reviewed-by: Steven Price 
---
 drivers/firmware/arm_scmi/driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firmware/arm_scmi/driver.c 
b/drivers/firmware/arm_scmi/driver.c
index 8f952f2f1a29..35faa203d549 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -709,6 +709,8 @@ scmi_mbox_chan_setup(struct scmi_info *info, struct device 
*dev, int prot_id)
 
if (scmi_mailbox_check(np)) {
cinfo = idr_find(>tx_idr, SCMI_PROTOCOL_BASE);
+   if (!cinfo)
+   return -EINVAL;
goto idr_alloc;
}
 
-- 
2.17.1



[PATCH v2] platform: uv: fix missing checks for kcalloc

2019-03-25 Thread Kangjie Lu
In case kcalloc fails, the patch returns an error to avoid
potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 

---
v2: reuse existing error path as suggested by
Borislav Petkov 
---
 arch/x86/platform/uv/tlb_uv.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
index 2c53b0f19329..7b41b51b9a86 100644
--- a/arch/x86/platform/uv/tlb_uv.c
+++ b/arch/x86/platform/uv/tlb_uv.c
@@ -2133,14 +2133,18 @@ static int __init summarize_uvhub_sockets(int nuvhubs,
  */
 static int __init init_per_cpu(int nuvhubs, int base_part_pnode)
 {
-   unsigned char *uvhub_mask;
struct uvhub_desc *uvhub_descs;
+   unsigned char *uvhub_mask = NULL;
 
if (is_uv3_hub() || is_uv2_hub() || is_uv1_hub())
timeout_us = calculate_destination_timeout();
 
uvhub_descs = kcalloc(nuvhubs, sizeof(struct uvhub_desc), GFP_KERNEL);
+   if (!uvhub_descs)
+   goto fail;
uvhub_mask = kzalloc((nuvhubs+7)/8, GFP_KERNEL);
+   if (!uvhub_mask)
+   goto fail;
 
if (get_cpu_topology(base_part_pnode, uvhub_descs, uvhub_mask))
goto fail;
-- 
2.17.1



[PATCH v2] thunderbolt: property: fix a missing check of kzalloc

2019-03-25 Thread Kangjie Lu
No check is enforced for the return value of kzalloc,
which may lead to NULL-pointer dereference.

The patch fixes this issue.

Signed-off-by: Kangjie Lu 
Reviewed-by: Mukesh Ojha 

---
V2: no overflow issue, as pointed out by
Mika Westerberg 
---
 drivers/thunderbolt/property.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index 841314deb446..d5b0cdb8f0b1 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -587,7 +587,12 @@ int tb_property_add_text(struct tb_property_dir *parent, 
const char *key,
return -ENOMEM;
 
property->length = size / 4;
-   property->value.data = kzalloc(size, GFP_KERNEL);
+   property->value.text = kzalloc(size, GFP_KERNEL);
+   if (!property->value.text) {
+   kfree(property);
+   return -ENOMEM;
+   }
+
strcpy(property->value.text, text);
 
list_add_tail(>list, >properties);
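Review bot: The switch from `property->value.data` to `property->value.text` on the kzalloc line is not explained in the v2 description and is unrelated to the NULL check. If the two are members of the same union (the declaration is outside the hunk), the rename changes nothing at run time and could be dropped or split out. The `strcpy()` that follows relies on `size`, computed above the hunk, covering `text` plus its terminator; `strscpy(property->value.text, text, size);` would make that bound explicit. The original posting of this patch lower on the page carries the same lines, and tb_property_add_text starts and ends outside the hunk.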
-- 
2.17.1



[PATCH] sound: codecs: fix a missing check for regmap_update_bits

2019-03-24 Thread Kangjie Lu
regmap_update_bits could fail. The fix checks its status and if
it fails, returns its error code upstream.

Signed-off-by: Kangjie Lu 
---
 sound/soc/codecs/cs35l34.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/codecs/cs35l34.c b/sound/soc/codecs/cs35l34.c
index 5063c05afa27..a456b1ac9019 100644
--- a/sound/soc/codecs/cs35l34.c
+++ b/sound/soc/codecs/cs35l34.c
@@ -262,6 +262,8 @@ static int cs35l34_sdin_event(struct snd_soc_dapm_widget *w,
}
ret = regmap_update_bits(priv->regmap, CS35L34_PWRCTL1,
CS35L34_PDN_ALL, CS35L34_PDN_ALL);
+   if (ret < 0)
+   return ret;
break;
default:
pr_err("Invalid event = 0x%x\n", event);
-- 
2.17.1



[PATCH] sound: codecs: fix a potential NULL pointer dereference

2019-03-24 Thread Kangjie Lu
In case devm_kzalloc fails, the patch returns -ENOMEM to avoid
potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 sound/soc/codecs/rt5663.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/codecs/rt5663.c b/sound/soc/codecs/rt5663.c
index da6647015708..909ab99a1995 100644
--- a/sound/soc/codecs/rt5663.c
+++ b/sound/soc/codecs/rt5663.c
@@ -3480,6 +3480,8 @@ static int rt5663_parse_dp(struct rt5663_priv *rt5663, 
struct device *dev)
table_size = sizeof(struct impedance_mapping_table) *
rt5663->pdata.impedance_sensing_num;
rt5663->imp_table = devm_kzalloc(dev, table_size, GFP_KERNEL);
+   if (!rt5663->imp_table)
+   return -ENOMEM;
device_property_read_u32_array(dev,
"realtek,impedance_sensing_table",
(u32 *)rt5663->imp_table, table_size);
-- 
2.17.1



[PATCH] gpio: fix a potential NULL pointer dereference

2019-03-24 Thread Kangjie Lu
In case devm_kzalloc fails, the patch returns ENOMEM to avoid potential
NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/gpio/gpio-aspeed.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpio/gpio-aspeed.c b/drivers/gpio/gpio-aspeed.c
index 854bce4fb9e7..217507002dbc 100644
--- a/drivers/gpio/gpio-aspeed.c
+++ b/drivers/gpio/gpio-aspeed.c
@@ -1224,6 +1224,8 @@ static int __init aspeed_gpio_probe(struct 
platform_device *pdev)
 
gpio->offset_timer =
devm_kzalloc(>dev, gpio->chip.ngpio, GFP_KERNEL);
+   if (!gpio->offset_timer)
+   return -ENOMEM;
 
return aspeed_gpio_setup_irqs(gpio, pdev);
 }
-- 
2.17.1



[PATCH] platform: uv: fix missing checks for kcalloc

2019-03-24 Thread Kangjie Lu
In case kcalloc fails, the patch returns an error to avoid
potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 arch/x86/platform/uv/tlb_uv.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/platform/uv/tlb_uv.c b/arch/x86/platform/uv/tlb_uv.c
index 2c53b0f19329..1ac777f14846 100644
--- a/arch/x86/platform/uv/tlb_uv.c
+++ b/arch/x86/platform/uv/tlb_uv.c
@@ -2140,7 +2140,13 @@ static int __init init_per_cpu(int nuvhubs, int 
base_part_pnode)
timeout_us = calculate_destination_timeout();
 
uvhub_descs = kcalloc(nuvhubs, sizeof(struct uvhub_desc), GFP_KERNEL);
+   if (!uvhub_descs)
+   return 1;
uvhub_mask = kzalloc((nuvhubs+7)/8, GFP_KERNEL);
+   if (!uvhub_mask) {
+   kfree(uvhub_descs);
+   return 1;
+   }
 
if (get_cpu_topology(base_part_pnode, uvhub_descs, uvhub_mask))
goto fail;
-- 
2.17.1



[PATCH] thunderbolt: property: fix a buffer overflow and a missing check

2019-03-24 Thread Kangjie Lu
First, no memory is allocated for "property->value.text"; the
following strcpy will lead to a buffer overflow.

Second, no check is enforced for the return value of kzalloc,
which may lead to NULL-pointer dereference.

The patch fixes the two issues.

Signed-off-by: Kangjie Lu 
---
 drivers/thunderbolt/property.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index 841314deb446..d5b0cdb8f0b1 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -587,7 +587,12 @@ int tb_property_add_text(struct tb_property_dir *parent, 
const char *key,
return -ENOMEM;
 
property->length = size / 4;
-   property->value.data = kzalloc(size, GFP_KERNEL);
+   property->value.text = kzalloc(size, GFP_KERNEL);
+   if (!property->value.text) {
+   kfree(property);
+   return -ENOMEM;
+   }
+
strcpy(property->value.text, text);
 
list_add_tail(>list, >properties);
-- 
2.17.1



[PATCH] vc04_services: vchiq_arm: fix a NULL pointer dereference

2019-03-24 Thread Kangjie Lu
When kzalloc fails, "platform_state->inited = 1" is a NULL pointer
dereference. The fix returns VCHIQ_ERROR in case it failed to
avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c  | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c 
b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
index dd4898861b83..0f12fe617575 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
@@ -209,6 +209,8 @@ vchiq_platform_init_state(struct vchiq_state *state)
struct vchiq_2835_state *platform_state;
 
state->platform_state = kzalloc(sizeof(*platform_state), GFP_KERNEL);
+   if (!state->platform_state)
+   return VCHIQ_ERROR;
platform_state = (struct vchiq_2835_state *)state->platform_state;
 
platform_state->inited = 1;
-- 
2.17.1



[PATCH] dma: ti: fix a missing check in omap_dma_prep_dma_cyclic

2019-03-23 Thread Kangjie Lu
It is invalid when "buf_len" is not aligned with "period_len".

The fix adds a check for the alignment.

Signed-off-by: Kangjie Lu 
---
 drivers/dma/ti/omap-dma.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma/ti/omap-dma.c b/drivers/dma/ti/omap-dma.c
index a4a931ddf6f6..5f0ce1975e52 100644
--- a/drivers/dma/ti/omap-dma.c
+++ b/drivers/dma/ti/omap-dma.c
@@ -1065,6 +1065,9 @@ static struct dma_async_tx_descriptor 
*omap_dma_prep_dma_cyclic(
unsigned es;
u32 burst;
 
+   if (buf_len % period_len)
+   return NULL;
+
if (dir == DMA_DEV_TO_MEM) {
dev_addr = c->cfg.src_addr;
dev_width = c->cfg.src_addr_width;
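Review bot: The new `buf_len % period_len` test divides by `period_len` before anything visible in the hunk has shown it to be non-zero, so a zero period length passed in by a DMA client would fault here instead of being rejected. Checking it first keeps the guard safe: `if (!period_len || buf_len % period_len)` followed by `return NULL;`. omap_dma_prep_dma_cyclic starts and ends outside the hunk, so an earlier check may exist that is not shown.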
-- 
2.17.1



[PATCH] firmware: edd: fix a NULL pointer dereference

2019-03-23 Thread Kangjie Lu
As other functions in this module do, edev should be checked to
ensure that it is not NULL.
The fix inserts such a check to avoid potential NULL pointer
dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/firmware/edd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firmware/edd.c b/drivers/firmware/edd.c
index 1b82c89a49df..7ebfaca53721 100644
--- a/drivers/firmware/edd.c
+++ b/drivers/firmware/edd.c
@@ -279,6 +279,8 @@ static ssize_t
 edd_show_mbr_signature(struct edd_device *edev, char *buf)
 {
char *p = buf;
+   if (!edev)
+   return -EINVAL;
p += scnprintf(p, left, "0x%08x\n", edev->mbr_signature);
return (p - buf);
 }
-- 
2.17.1



Re: [PATCH] mfd: fix a potential NULL pointer dereference

2019-03-22 Thread Kangjie Lu
Hi Lee Jones,

Can you review this patch?

Thanks. 

> On Mar 9, 2019, at 2:04 AM, Kangjie Lu  wrote:
> 
> In case devm_kzalloc fails, the fix does NULL check and returns
> -ENOMEM upon failure so as to avoid NULL pointer dereference.
> 
> Signed-off-by: Kangjie Lu 
> ---
> drivers/mfd/sm501.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
> index a530972c5a7e..e0173bf4b0dc 100644
> --- a/drivers/mfd/sm501.c
> +++ b/drivers/mfd/sm501.c
> @@ -1145,6 +1145,9 @@ static int sm501_register_gpio_i2c_instance(struct 
> sm501_devdata *sm,
>   lookup = devm_kzalloc(>dev,
> sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
> GFP_KERNEL);
> + if (!lookup)
> + return -ENOMEM;
> +
>   lookup->dev_id = "i2c-gpio";
>   if (iic->pin_sda < 32)
>   lookup->table[0].chip_label = "SM501-LOW";
> -- 
> 2.17.1
> 



Re: [PATCH] memstick: fix a potential NULL pointer dereference

2019-03-22 Thread Kangjie Lu
Hi Maxim,

Can you review this patch? 

Thanks,

> On Mar 9, 2019, at 1:59 AM, Kangjie Lu  wrote:
> 
> In case alloc_ordered_workqueue fails, the fix returns ENOMEM to
> avoid potential NULL pointer dereference.
> 
> Signed-off-by: Kangjie Lu 
> ---
> drivers/memstick/core/ms_block.c | 5 +
> 1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/memstick/core/ms_block.c 
> b/drivers/memstick/core/ms_block.c
> index 82daccc9ea62..8e00de414567 100644
> --- a/drivers/memstick/core/ms_block.c
> +++ b/drivers/memstick/core/ms_block.c
> @@ -2149,6 +2149,11 @@ static int msb_init_disk(struct memstick_dev *card)
> 
>   msb->usage_count = 1;
>   msb->io_queue = alloc_ordered_workqueue("ms_block", WQ_MEM_RECLAIM);
> + if (!msb->io_queue) {
> + rc = -ENOMEM;
> + goto out_put_disk;
> + }
> +
>   INIT_WORK(>io_work, msb_io_work);
>   sg_init_table(msb->prealloc_sg, MS_BLOCK_MAX_SEGS+1);
> 
> -- 
> 2.17.1
> 



[PATCH] input: pm8xxx-vibrator: fix a potential NULL pointer dereference

2019-03-22 Thread Kangjie Lu
In case of_device_get_match_data fails to find the matched data,
return -ENODEV.

Signed-off-by: Kangjie Lu 
---
 drivers/input/misc/pm8xxx-vibrator.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/input/misc/pm8xxx-vibrator.c 
b/drivers/input/misc/pm8xxx-vibrator.c
index 7dd1c1fbe42a..740e59c11808 100644
--- a/drivers/input/misc/pm8xxx-vibrator.c
+++ b/drivers/input/misc/pm8xxx-vibrator.c
@@ -196,6 +196,8 @@ static int pm8xxx_vib_probe(struct platform_device *pdev)
vib->vib_input_dev = input_dev;
 
regs = of_device_get_match_data(>dev);
+   if (unlikely(!regs))
+   return -ENODEV;
 
/* operate in manual mode */
error = regmap_read(vib->regmap, regs->drv_addr, );
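Review bot: `unlikely()` on the new `!regs` test buys nothing in a probe path and obscures a plain condition; `if (!regs)` is the usual form. The xilinx v3 posting on this page dropped the same annotation at a maintainer's request. The `unlikely(!pg)` added to hv_cpu_init in the x86/hyperv commit further down follows the same pattern. pm8xxx_vib_probe continues outside the hunk.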
-- 
2.17.1



Re: [PATCH] infiniband: cxgb4: fix a potential NULL pointer dereference

2019-03-22 Thread Kangjie Lu



> On Mar 8, 2019, at 11:19 PM, Kangjie Lu  wrote:
> 
> get_skb may fail and return NULL. The fix returns "ENOMEM"
> when it fails to avoid NULL dereference.
> 
> Signed-off-by: Kangjie Lu 
> ---
> drivers/infiniband/hw/cxgb4/cm.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/infiniband/hw/cxgb4/cm.c 
> b/drivers/infiniband/hw/cxgb4/cm.c
> index 8221813219e5..502a54d57e2c 100644
> --- a/drivers/infiniband/hw/cxgb4/cm.c
> +++ b/drivers/infiniband/hw/cxgb4/cm.c
> @@ -1919,6 +1919,9 @@ static int send_fw_act_open_req(struct c4iw_ep *ep, 
> unsigned int atid)
>   int win;
> 
>   skb = get_skb(NULL, sizeof(*req), GFP_KERNEL);
> + if (!skb)
> + return -ENOMEM;
> +

Can someone review this patch? Thanks.

>   req = __skb_put_zero(skb, sizeof(*req));
>   req->op_compl = htonl(WR_OP_V(FW_OFLD_CONNECTION_WR));
>   req->len16_pkd = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(sizeof(*req), 16)));
> -- 
> 2.17.1
> 



Re: [PATCH] firmware: arm_scmi: check return value of idr_find

2019-03-22 Thread Kangjie Lu



> On Mar 8, 2019, at 10:02 PM, Kangjie Lu  wrote:
> 
> idr_find may return NULL, so check its return value and return an
> error code.

Can someone review this patch? Thanks.

> 
> Signed-off-by: Kangjie Lu 
> ---
> drivers/firmware/arm_scmi/driver.c | 2 ++
> 1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/firmware/arm_scmi/driver.c 
> b/drivers/firmware/arm_scmi/driver.c
> index 8f952f2f1a29..35faa203d549 100644
> --- a/drivers/firmware/arm_scmi/driver.c
> +++ b/drivers/firmware/arm_scmi/driver.c
> @@ -709,6 +709,8 @@ scmi_mbox_chan_setup(struct scmi_info *info, struct 
> device *dev, int prot_id)
> 
>   if (scmi_mailbox_check(np)) {
>   cinfo = idr_find(>tx_idr, SCMI_PROTOCOL_BASE);
> + if (!cinfo)
> + return -EINVAL;
>   goto idr_alloc;
>   }
> 
> -- 
> 2.17.1
> 



[tip:x86/urgent] x86/hyperv: Prevent potential NULL pointer dereference

2019-03-21 Thread tip-bot for Kangjie Lu
Commit-ID:  534c89c22e26b183d838294f0937ee092c82ad3a
Gitweb: https://git.kernel.org/tip/534c89c22e26b183d838294f0937ee092c82ad3a
Author: Kangjie Lu 
AuthorDate: Thu, 14 Mar 2019 00:46:51 -0500
Committer:  Thomas Gleixner 
CommitDate: Thu, 21 Mar 2019 12:24:39 +0100

x86/hyperv: Prevent potential NULL pointer dereference

The page allocation in hv_cpu_init() can fail, but the code does not
have a check for that.

Add a check and return -ENOMEM when the allocation fails.

[ tglx: Massaged changelog ]

Signed-off-by: Kangjie Lu 
Signed-off-by: Thomas Gleixner 
Reviewed-by: Mukesh Ojha 
Acked-by: "K. Y. Srinivasan" 
Cc: pakki...@umn.edu
Cc: Haiyang Zhang 
Cc: Stephen Hemminger 
Cc: Sasha Levin 
Cc: Borislav Petkov 
Cc: "H. Peter Anvin" 
Cc: linux-hyp...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190314054651.1315-1-k...@umn.edu

---
 arch/x86/hyperv/hv_init.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 6461a16b4559..e4ba467a9fc6 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -103,9 +103,13 @@ static int hv_cpu_init(unsigned int cpu)
u64 msr_vp_index;
struct hv_vp_assist_page **hvp = _vp_assist_page[smp_processor_id()];
void **input_arg;
+   struct page *pg;
 
input_arg = (void **)this_cpu_ptr(hyperv_pcpu_input_arg);
-   *input_arg = page_address(alloc_page(GFP_KERNEL));
+   pg = alloc_page(GFP_KERNEL);
+   if (unlikely(!pg))
+   return -ENOMEM;
+   *input_arg = page_address(pg);
 
hv_get_vp_index(msr_vp_index);
 


[PATCH] extcon: fix a missing check of regmap_read

2019-03-20 Thread Kangjie Lu
When regmap_read fails, it doesn't make sense to use the read
value "val" because it can be uninitialized.

The fix returns if regmap_read fails.

Signed-off-by: Kangjie Lu 
---
 drivers/extcon/extcon-axp288.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/extcon/extcon-axp288.c b/drivers/extcon/extcon-axp288.c
index a983708b77a6..b2ba5f073aa7 100644
--- a/drivers/extcon/extcon-axp288.c
+++ b/drivers/extcon/extcon-axp288.c
@@ -143,6 +143,10 @@ static void axp288_extcon_log_rsi(struct 
axp288_extcon_info *info)
int ret;
 
ret = regmap_read(info->regmap, AXP288_PS_BOOT_REASON_REG, );
+   if (ret) {
+   dev_err(info->dev, "failed to read BOOT_REASON_REG: %d\n", ret);
+   return;
+   }
for (i = 0, rsi = axp288_pwr_up_down_info; *rsi; rsi++, i++) {
if (val & BIT(i)) {
dev_dbg(info->dev, "%s\n", *rsi);
-- 
2.17.1



[PATCH] rapidio: fix a NULL pointer dereference when create_workqueue fails

2019-03-19 Thread Kangjie Lu
In case create_workqueue fails, the fix releases resources and
returns -ENOMEM to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/rapidio/rio_cm.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index cf45829585cb..b29fc258eeba 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -2147,6 +2147,14 @@ static int riocm_add_mport(struct device *dev,
mutex_init(>rx_lock);
riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+   if (!cm->rx_wq) {
+   riocm_error("failed to allocate IBMBOX_%d on %s",
+   cmbox, mport->name);
+   rio_release_outb_mbox(mport, cmbox);
+   kfree(cm);
+   return -ENOMEM;
+   }
+
INIT_WORK(>rx_work, rio_ibmsg_handler);
 
cm->tx_slot = 0;
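Review bot: The message passed to riocm_error() in the new branch, "failed to allocate IBMBOX_%d on %s", describes a mailbox allocation rather than the create_workqueue() failure just detected, so the log would point at the wrong step. Something like `riocm_error("failed to create rx workqueue on %s", mport->name);` matches the failure. The unwinding releases the outbound mailbox and frees `cm`, but `riocm_rx_fill()` has already run on the context line above, and anything claimed earlier in riocm_add_mport is outside the hunk. It is worth confirming that nothing acquired before this point is left behind.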
-- 
2.17.1



[PATCH] extcon: fix a missing check of regmap_read

2019-03-18 Thread Kangjie Lu
When regmap_read fails, it doesn't make sense to use the read
value "val" because it can be uninitialized.

The fix returns if regmap_read fails.

Signed-off-by: Kangjie Lu 
---
 drivers/extcon/extcon-axp288.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/extcon/extcon-axp288.c b/drivers/extcon/extcon-axp288.c
index a983708b77a6..b2ba5f073aa7 100644
--- a/drivers/extcon/extcon-axp288.c
+++ b/drivers/extcon/extcon-axp288.c
@@ -143,6 +143,10 @@ static void axp288_extcon_log_rsi(struct 
axp288_extcon_info *info)
int ret;
 
ret = regmap_read(info->regmap, AXP288_PS_BOOT_REASON_REG, );
+   if (ret) {
+   dev_dbg(info->dev, "regmap_read error %d\n", ret);
+   return;
+   }
for (i = 0, rsi = axp288_pwr_up_down_info; *rsi; rsi++, i++) {
if (val & BIT(i)) {
dev_dbg(info->dev, "%s\n", *rsi);
-- 
2.17.1



[PATCH v2] iio: hmc5843: fix potential NULL pointer dereferences

2019-03-16 Thread Kangjie Lu
devm_regmap_init_i2c may fail and return NULL. The fix returns
the error when it fails.

Signed-off-by: Kangjie Lu 
---
V2: fix the two together
---
 drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++-
 drivers/iio/magnetometer/hmc5843_spi.c | 7 ++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c 
b/drivers/iio/magnetometer/hmc5843_i2c.c
index 3de7f4426ac4..86abba5827a2 100644
--- a/drivers/iio/magnetometer/hmc5843_i2c.c
+++ b/drivers/iio/magnetometer/hmc5843_i2c.c
@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config 
= {
 static int hmc5843_i2c_probe(struct i2c_client *cli,
 const struct i2c_device_id *id)
 {
+   struct regmap *regmap = devm_regmap_init_i2c(cli,
+   _i2c_regmap_config);
+   if (IS_ERR(regmap))
+   return PTR_ERR(regmap);
+
return hmc5843_common_probe(>dev,
-   devm_regmap_init_i2c(cli, _i2c_regmap_config),
+   regmap,
id->driver_data, id->name);
 }
 
diff --git a/drivers/iio/magnetometer/hmc5843_spi.c 
b/drivers/iio/magnetometer/hmc5843_spi.c
index 535f03a70d63..8355713651d4 100644
--- a/drivers/iio/magnetometer/hmc5843_spi.c
+++ b/drivers/iio/magnetometer/hmc5843_spi.c
@@ -58,6 +58,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = 
{
 static int hmc5843_spi_probe(struct spi_device *spi)
 {
int ret;
+   struct regmap *regmap;
const struct spi_device_id *id = spi_get_device_id(spi);
 
spi->mode = SPI_MODE_3;
@@ -67,8 +68,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
if (ret)
return ret;
 
+   regmap = devm_regmap_init(spi, _spi_regmap_config);
+   if (IS_ERR(regmap))
+   return PTR_ERR(devm_regmap);
+
return hmc5843_common_probe(>dev,
-   devm_regmap_init_spi(spi, _spi_regmap_config),
+   regmap,
id->driver_data, id->name);
 }
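Review bot: Two lines added to hmc5843_spi_probe look like they will not build. The allocation now calls `devm_regmap_init(spi, ...)` where the removed line called `devm_regmap_init_spi(...)`, and the error return uses `PTR_ERR(devm_regmap)`, a name that is not declared anywhere in the hunk. Keeping the original helper with the removed line's arguments and returning the local pointer, `return PTR_ERR(regmap);`, fixes both. The description also says the init call may return NULL while the new code tests `IS_ERR()`; the two should agree.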
 
-- 
2.17.1



[PATCH] security: inode: fix a missing check for securityfs_create_file

2019-03-15 Thread Kangjie Lu
securityfs_create_file may fail. The fix checks its status and
returns the error code upstream if it fails.

Signed-off-by: Kangjie Lu 

---
Return the exact error code upstream.
---
 security/inode.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/security/inode.c b/security/inode.c
index b7772a9b315e..667f8b15027d 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -339,6 +339,11 @@ static int __init securityfs_init(void)
 #ifdef CONFIG_SECURITY
lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
_ops);
+   if (IS_ERR(lsm_dentry)) {
+   unregister_filesystem(_type);
+   sysfs_remove_mount_point(kernel_kobj, "security");
+   return PTR_ERR(lsm_dentry);
+   }
 #endif
return 0;
 }
-- 
2.17.1



[PATCH] tty: atmel_serial: fix a NULL pointer dereference

2019-03-15 Thread Kangjie Lu
In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
error code to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
Fixes: 34df42f59a60 ("serial: at91: add rx dma support")

---
V2: simplified the patch as suggested by
Richard Genoud 
---
 drivers/tty/serial/atmel_serial.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/atmel_serial.c 
b/drivers/tty/serial/atmel_serial.c
index 05147fe24343..41b728d223d1 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1288,6 +1288,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 sg_dma_len(_port->sg_rx)/2,
 DMA_DEV_TO_MEM,
 DMA_PREP_INTERRUPT);
+   if (!desc) {
+   dev_err(port->dev, "Preparing DMA cyclic failed\n");
+   goto chan_err;
+   }
desc->callback = atmel_complete_rx_dma;
desc->callback_param = port;
atmel_port->desc_rx = desc;
-- 
2.17.1



[PATCH] fs: affs: fix a NULL pointer dereference

2019-03-15 Thread Kangjie Lu
If affs_bread fails, do not use ext_bh to avoid NULL pointer
 dereference

Signed-off-by: Kangjie Lu 
---
 fs/affs/file.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/affs/file.c b/fs/affs/file.c
index a85817f54483..29cbc8eda085 100644
--- a/fs/affs/file.c
+++ b/fs/affs/file.c
@@ -941,8 +941,10 @@ affs_truncate(struct inode *inode)
size = AFFS_SB(sb)->s_hashsize;
if (size > blkcnt - blk)
size = blkcnt - blk;
-   for (i = 0; i < size; i++, blk++)
-   affs_free_block(sb, be32_to_cpu(AFFS_BLOCK(sb, ext_bh, 
i)));
+   if (ext_bh) {
+   for (i = 0; i < size; i++, blk++)
+   affs_free_block(sb, be32_to_cpu(AFFS_BLOCK(sb, 
ext_bh, i)));
+   }
affs_free_block(sb, ext_key);
ext_key = be32_to_cpu(AFFS_TAIL(sb, ext_bh)->extension);
affs_brelse(ext_bh);
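Review bot: The new `if (ext_bh)` guard covers only the `affs_free_block` loop, but the context line right after it, `ext_key = be32_to_cpu(AFFS_TAIL(sb, ext_bh)->extension);`, still reads through `ext_bh`, so a failed affs_bread would still fault two lines later. The failure has to be handled before any use of the buffer head; one option, assuming these lines sit inside the extension-walking loop that starts outside the hunk, is `if (!ext_bh) break;` ahead of the size computation. Skipping only the inner loop also leaves `blk` unadvanced for that extension block. The earlier posting of this patch further down the page (the one adding `ext_bk`) keeps the same tail read.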
-- 
2.17.1



[PATCH v2] tty: atmel_serial: fix a NULL pointer dereference

2019-03-15 Thread Kangjie Lu
Fixes: 34df42f59a60 ("serial: at91: add rx dma support")

In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
error code to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 

---
V2: simplified the patch as suggested by
Richard Genoud 
---
 drivers/tty/serial/atmel_serial.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/atmel_serial.c 
b/drivers/tty/serial/atmel_serial.c
index 05147fe24343..41b728d223d1 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1288,6 +1288,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 sg_dma_len(_port->sg_rx)/2,
 DMA_DEV_TO_MEM,
 DMA_PREP_INTERRUPT);
+   if (!desc) {
+   dev_err(port->dev, "Preparing DMA cyclic failed\n");
+   goto chan_err;
+   }
desc->callback = atmel_complete_rx_dma;
desc->callback_param = port;
atmel_port->desc_rx = desc;
-- 
2.17.1



[PATCH v2] tty: atmel_serial: fix a NULL pointer dereference

2019-03-15 Thread Kangjie Lu
Fixes: 34df42f59a60 ("serial: at91: add rx dma support")

In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
error code to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 

---
V2: simplified the patch as suggested by
Richard Genoud 
---
 drivers/tty/serial/atmel_serial.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/atmel_serial.c 
b/drivers/tty/serial/atmel_serial.c
index 05147fe24343..41b728d223d1 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1288,6 +1288,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 sg_dma_len(_port->sg_rx)/2,
 DMA_DEV_TO_MEM,
 DMA_PREP_INTERRUPT);
+   if (!desc) {
+   dev_err(port->dev, "Preparing DMA cyclic failed\n");
+   goto chan_err;
+   }
desc->callback = atmel_complete_rx_dma;
desc->callback_param = port;
atmel_port->desc_rx = desc;
-- 
2.17.1



[PATCH v2] tty: ipwireless: fix missing checks for ioremap

2019-03-15 Thread Kangjie Lu
ipw->attr_memory and ipw->common_memory are assigned with the
return value of ioremap. ioremap may fail, but no checks
are enforced. The fix inserts the checks to avoid potential
NULL pointer dereferences.

Signed-off-by: Kangjie Lu 

Reviewed-by: David Sterba 

---
V2: fix typos
---
 drivers/tty/ipwireless/main.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
index 3475e841ef5c..4c18bbfe1a92 100644
--- a/drivers/tty/ipwireless/main.c
+++ b/drivers/tty/ipwireless/main.c
@@ -114,6 +114,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, 
void *priv_data)
 
ipw->common_memory = ioremap(p_dev->resource[2]->start,
resource_size(p_dev->resource[2]));
+   if (!ipw->common_memory) {
+   ret = -ENOMEM;
+   goto exit1;
+   }
if (!request_mem_region(p_dev->resource[2]->start,
resource_size(p_dev->resource[2]),
IPWIRELESS_PCCARD_NAME)) {
@@ -134,6 +138,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, 
void *priv_data)
 
ipw->attr_memory = ioremap(p_dev->resource[3]->start,
resource_size(p_dev->resource[3]));
+   if (!ipw->attr_memory) {
+   ret = -ENOMEM;
+   goto exit3;
+   }
if (!request_mem_region(p_dev->resource[3]->start,
resource_size(p_dev->resource[3]),
IPWIRELESS_PCCARD_NAME)) {
-- 
2.17.1



[PATCH v2] infiniband: i40iw: fix potential NULL pointer dereferences

2019-03-15 Thread Kangjie Lu
alloc_ordered_workqueue may fail and return NULL.
The fix captures the failure and handles it properly to avoid
potential NULL pointer dereferences.

Signed-off-by: Kangjie Lu 
---
V2: add return value to capture the error code
---
 drivers/infiniband/hw/i40iw/i40iw.h  |  2 +-
 drivers/infiniband/hw/i40iw/i40iw_cm.c   | 19 ---
 drivers/infiniband/hw/i40iw/i40iw_main.c |  5 -
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/hw/i40iw/i40iw.h 
b/drivers/infiniband/hw/i40iw/i40iw.h
index 2f2b4426ded7..8feec35f95a7 100644
--- a/drivers/infiniband/hw/i40iw/i40iw.h
+++ b/drivers/infiniband/hw/i40iw/i40iw.h
@@ -552,7 +552,7 @@ enum i40iw_status_code i40iw_obj_aligned_mem(struct 
i40iw_device *iwdev,
 
 void i40iw_request_reset(struct i40iw_device *iwdev);
 void i40iw_destroy_rdma_device(struct i40iw_ib_device *iwibdev);
-void i40iw_setup_cm_core(struct i40iw_device *iwdev);
+int i40iw_setup_cm_core(struct i40iw_device *iwdev);
 void i40iw_cleanup_cm_core(struct i40iw_cm_core *cm_core);
 void i40iw_process_ceq(struct i40iw_device *, struct i40iw_ceq *iwceq);
 void i40iw_process_aeq(struct i40iw_device *);
diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c 
b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 206cfb0016f8..2e20786b9a57 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -3237,7 +3237,7 @@ void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct 
i40iw_puda_buf *rbuf)
  * core
  * @iwdev: iwarp device structure
  */
-void i40iw_setup_cm_core(struct i40iw_device *iwdev)
+int i40iw_setup_cm_core(struct i40iw_device *iwdev)
 {
struct i40iw_cm_core *cm_core = >cm_core;
 
@@ -3256,9 +3256,20 @@ void i40iw_setup_cm_core(struct i40iw_device *iwdev)
 
cm_core->event_wq = alloc_ordered_workqueue("iwewq",
WQ_MEM_RECLAIM);
+   if (!cm_core->event_wq)
+   goto error;
 
cm_core->disconn_wq = alloc_ordered_workqueue("iwdwq",
  WQ_MEM_RECLAIM);
+   if (!cm_core->disconn_wq)
+   goto error;
+
+   return 0;
+error:
+   i40iw_cleanup_cm_core(>cm_core);
+   i40iw_pr_err("fail to setup CM core");
+
+   return -ENOMEM;
 }
 
 /**
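Review bot: When the first `alloc_ordered_workqueue` fails, the `error:` path calls `i40iw_cleanup_cm_core()`, which (per the next hunk) tests `cm_core->disconn_wq` before this function has assigned it and also runs `del_timer_sync` and the `ht_lock` unlock. That is only safe if `cm_core` is zero-initialised and the timer and lock are already set up earlier in this function; neither is visible in the hunk, so it should be confirmed, or the error path should destroy only what was created here. `i40iw_pr_err("fail to setup CM core")` also has no trailing newline, which printk-style messages need: `i40iw_pr_err("failed to set up CM core\n");`.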
@@ -3278,8 +3289,10 @@ void i40iw_cleanup_cm_core(struct i40iw_cm_core *cm_core)
del_timer_sync(_core->tcp_timer);
spin_unlock_irqrestore(_core->ht_lock, flags);
 
-   destroy_workqueue(cm_core->event_wq);
-   destroy_workqueue(cm_core->disconn_wq);
+   if (cm_core->event_wq)
+   destroy_workqueue(cm_core->event_wq);
+   if (cm_core->disconn_wq)
+   destroy_workqueue(cm_core->disconn_wq);
 }
 
 /**
diff --git a/drivers/infiniband/hw/i40iw/i40iw_main.c 
b/drivers/infiniband/hw/i40iw/i40iw_main.c
index 68095f00d08f..10932baee279 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
@@ -1641,7 +1641,10 @@ static int i40iw_open(struct i40e_info *ldev, struct 
i40e_client *client)
iwdev = >device;
iwdev->hdl = hdl;
dev = >sc_dev;
-   i40iw_setup_cm_core(iwdev);
+   if (i40iw_setup_cm_core(iwdev)) {
+   kfree(iwdev->hdl);
+   return -ENOMEM;
+   }
 
dev->back_dev = (void *)iwdev;
iwdev->ldev = >ldev;
-- 
2.17.1



[PATCH] slimbus: fix a NULL pointer dereference in of_qcom_slim_ngd_register

2019-03-15 Thread Kangjie Lu
In case platform_device_alloc fails, the fix returns an error
code to avoid the NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/slimbus/qcom-ngd-ctrl.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/slimbus/qcom-ngd-ctrl.c b/drivers/slimbus/qcom-ngd-ctrl.c
index 71f094c9ec68..f3585777324c 100644
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1342,6 +1342,10 @@ static int of_qcom_slim_ngd_register(struct device 
*parent,
return -ENOMEM;
 
ngd->pdev = platform_device_alloc(QCOM_SLIM_NGD_DRV_NAME, id);
+   if (!ngd->pdev) {
+   kfree(ngd);
+   return -ENOMEM;
+   }
ngd->id = id;
ngd->pdev->dev.parent = parent;
ngd->pdev->driver_override = QCOM_SLIM_NGD_DRV_NAME;
-- 
2.17.1



[PATCH] pci: endpoint: fix a potential NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case alloc_workqueue fails, the fix returns -ENOMEM to avoid
potential NULL pointer dereferences.

Signed-off-by: Kangjie Lu 
---
 drivers/pci/endpoint/functions/pci-epf-test.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c 
b/drivers/pci/endpoint/functions/pci-epf-test.c
index 3e86fa3c7da3..dc610eb1543a 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -570,6 +570,10 @@ static int __init pci_epf_test_init(void)
 
kpcitest_workqueue = alloc_workqueue("kpcitest",
 WQ_MEM_RECLAIM | WQ_HIGHPRI, 0);
+   if (unlikely(!kpcitest_workqueue)) {
+   pr_err("Failed to allocate the kpcitest work queue\n");
+   return -ENOMEM;
+   }
ret = pci_epf_register_driver(_driver);
if (ret) {
pr_err("Failed to register pci epf test driver --> %d\n", ret);
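Review bot: `unlikely()` on the new check is noise in an `__init` function that runs once; branch hints are meant for hot paths, and a plain `if (!kpcitest_workqueue)` reads better. The same applies to the `unlikely(!cm_wq)`, `unlikely(!port->msi_pages)` and `unlikely(!pg)` checks in the charger-manager, pcie-xilinx and hv_init hunks further down, none of which look like hot paths from what the hunks show. Separately, the registration-failure branch that begins in the last context lines continues outside the hunk; if it returns without `destroy_workqueue(kpcitest_workqueue)`, the queue allocated here leaks.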
-- 
2.17.1



[PATCH] tty: 8250: fix a missing check for pci_ioremap_bar

2019-03-14 Thread Kangjie Lu
pci_ioremap_bar could fail. The fix captures the failure and
passes an error code upstream. This can avoid potential NULL
pointer dereferences in the future.

Signed-off-by: Kangjie Lu 
---
 drivers/tty/serial/8250/8250_lpss.c | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_lpss.c 
b/drivers/tty/serial/8250/8250_lpss.c
index 98dbc796353f..e95332d8b35e 100644
--- a/drivers/tty/serial/8250/8250_lpss.c
+++ b/drivers/tty/serial/8250/8250_lpss.c
@@ -162,7 +162,7 @@ static const struct dw_dma_platform_data 
qrk_serial_dma_pdata = {
.multi_block = {0},
 };
 
-static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
+static int qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port)
 {
struct uart_8250_dma *dma = >dma;
struct dw_dma_chip *chip = >dma_chip;
@@ -173,12 +173,14 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, 
struct uart_port *port)
chip->dev = >dev;
chip->irq = pci_irq_vector(pdev, 0);
chip->regs = pci_ioremap_bar(pdev, 1);
+   if (!chip->regs)
+   return -EIO;
chip->pdata = _serial_dma_pdata;
 
/* Falling back to PIO mode if DMA probing fails */
ret = dw_dma_probe(chip);
if (ret)
-   return;
+   return ret;
 
pci_try_set_mwi(pdev);
 
@@ -192,6 +194,8 @@ static void qrk_serial_setup_dma(struct lpss8250 *lpss, 
struct uart_port *port)
param->hs_polarity = true;
 
lpss->dma_maxburst = 8;
+
+   return 0;
 }
 
 static void qrk_serial_exit_dma(struct lpss8250 *lpss)
@@ -203,7 +207,7 @@ static void qrk_serial_exit_dma(struct lpss8250 *lpss)
dw_dma_remove(>dma_chip);
 }
 #else  /* CONFIG_SERIAL_8250_DMA */
-static void qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port 
*port) {}
+static int qrk_serial_setup_dma(struct lpss8250 *lpss, struct uart_port *port) 
{}
 static void qrk_serial_exit_dma(struct lpss8250 *lpss) {}
 #endif /* !CONFIG_SERIAL_8250_DMA */
 
@@ -220,8 +224,7 @@ static int qrk_serial_setup(struct lpss8250 *lpss, struct 
uart_port *port)
 
port->irq = pci_irq_vector(pdev, 0);
 
-   qrk_serial_setup_dma(lpss, port);
-   return 0;
+   return qrk_serial_setup_dma(lpss, port);
 }
 
 static void qrk_serial_exit(struct lpss8250 *lpss)
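Review bot: `return qrk_serial_setup_dma(lpss, port);` turns every DMA setup failure into a failure of `qrk_serial_setup`, although the comment kept in the earlier hunk still says `/* Falling back to PIO mode if DMA probing fails */`; with `return ret;` after `dw_dma_probe` that fallback no longer happens. The non-DMA stub was changed to `static int qrk_serial_setup_dma(...) {}`, which falls off the end of a non-void function whose value is now used, so it needs a body of `{ return 0; }`. If PIO fallback is still intended, keep `qrk_serial_setup_dma(lpss, port); return 0;` here and let the `!chip->regs` case simply skip DMA setup.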
-- 
2.17.1



[PATCH] security: inode: fix a missing check for securityfs_create_file

2019-03-14 Thread Kangjie Lu
securityfs_create_file  may fail. The fix checks its status and
returns EFAULT upstream if it fails.

Signed-off-by: Kangjie Lu 
---
 security/inode.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/security/inode.c b/security/inode.c
index b7772a9b315e..11d9a6bc2161 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -339,6 +339,11 @@ static int __init securityfs_init(void)
 #ifdef CONFIG_SECURITY
lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL,
_ops);
+   if (IS_ERR(lsm_dentry)) {
+   unregister_filesystem(_type);
+   sysfs_remove_mount_point(kernel_kobj, "security");
+   return -EFAULT;
+   }
 #endif
return 0;
 }
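Review bot: `return -EFAULT;` throws away the error that `securityfs_create_file` encoded in the returned pointer, and EFAULT (bad address) does not describe a failed file creation. The branch is already guarded by `IS_ERR(lsm_dentry)`, so return the real code: `return PTR_ERR(lsm_dentry);`. securityfs_init starts outside the hunk, so whether the two teardown calls mirror everything set up before this point cannot be checked from here.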
-- 
2.17.1



[PATCH] sound: sb8: add a check for request_region

2019-03-14 Thread Kangjie Lu
In case request_region fails, the fix returns an error code to
avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 sound/isa/sb/sb8.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/sound/isa/sb/sb8.c b/sound/isa/sb/sb8.c
index aa2a83eb81a9..dc27a480c2d9 100644
--- a/sound/isa/sb/sb8.c
+++ b/sound/isa/sb/sb8.c
@@ -111,6 +111,10 @@ static int snd_sb8_probe(struct device *pdev, unsigned int 
dev)
 
/* block the 0x388 port to avoid PnP conflicts */
acard->fm_res = request_region(0x388, 4, "SoundBlaster FM");
+   if (!acard->fm_res) {
+   err = -EBUSY;
+   goto _err;
+   }
 
if (port[dev] != SNDRV_AUTO_PORT) {
if ((err = snd_sbdsp_create(card, port[dev], irq[dev],
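Review bot: Nothing in the visible lines dereferences `acard->fm_res`; the pointer is only stored, and the comment above the call describes the reservation as a way to keep PnP off port 0x388, which reads as best-effort. Failing the probe with `-EBUSY` therefore changes behaviour on machines where something else already holds 0x388, without a NULL dereference being shown. Before taking this, confirm where `fm_res` is used (the release path is outside the hunk) and whether it already tolerates NULL; if it does, the check should be dropped or reduced to a warning.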
-- 
2.17.1



[PATCH] sound: echoaudio: add a check for ioremap_nocache

2019-03-14 Thread Kangjie Lu
In case ioremap_nocache fails, the fix releases chip and returns
an error code upstream to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 sound/pci/echoaudio/echoaudio.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c
index ea876b0b02b9..dc0084dc8550 100644
--- a/sound/pci/echoaudio/echoaudio.c
+++ b/sound/pci/echoaudio/echoaudio.c
@@ -1952,6 +1952,11 @@ static int snd_echo_create(struct snd_card *card,
}
chip->dsp_registers = (volatile u32 __iomem *)
ioremap_nocache(chip->dsp_registers_phys, sz);
+   if (!chip->dsp_registers) {
+   dev_err(chip->card->dev, "ioremap failed\n");
+   snd_echo_free(chip);
+   return -ENOMEM;
+   }
 
if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED,
KBUILD_MODNAME, chip)) {
-- 
2.17.1



[PATCH] sound: cs43130: fix a NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case create_singlethread_workqueue fails, the fix returns
-ENOMEM to avoid potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 sound/soc/codecs/cs43130.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/codecs/cs43130.c b/sound/soc/codecs/cs43130.c
index 3f7b255587e6..80d672710eae 100644
--- a/sound/soc/codecs/cs43130.c
+++ b/sound/soc/codecs/cs43130.c
@@ -2322,6 +2322,8 @@ static int cs43130_probe(struct snd_soc_component 
*component)
return ret;
 
cs43130->wq = create_singlethread_workqueue("cs43130_hp");
+   if (!cs43130->wq)
+   return -ENOMEM;
INIT_WORK(>work, cs43130_imp_meas);
}
 
-- 
2.17.1



[PATCH] sound: rt5645: fix a NULL pointer dereference

2019-03-14 Thread Kangjie Lu
devm_kcalloc() may fail and return NULL. The fix returns ENOMEM
in case it fails to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 sound/soc/codecs/rt5645.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/codecs/rt5645.c b/sound/soc/codecs/rt5645.c
index 9a0751978090..f842775dbf2c 100644
--- a/sound/soc/codecs/rt5645.c
+++ b/sound/soc/codecs/rt5645.c
@@ -3419,6 +3419,9 @@ static int rt5645_probe(struct snd_soc_component 
*component)
RT5645_HWEQ_NUM, sizeof(struct rt5645_eq_param_s),
GFP_KERNEL);
 
+   if (!rt5645->eq_param)
+   return -ENOMEM;
+
return 0;
 }
 
-- 
2.17.1



[PATCH] sound: soc-pcm: add a check to avoid NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case debugfs_create_u32 fails, the fix frees memory and returns
an error to notify callers.

Signed-off-by: Kangjie Lu 
---
 sound/soc/soc-pcm.c | 16 +++-
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
index 0d5ec68a1e50..a7d88ed8ebb5 100644
--- a/sound/soc/soc-pcm.c
+++ b/sound/soc/soc-pcm.c
@@ -1231,15 +1231,21 @@ static int dpcm_be_connect(struct snd_soc_pcm_runtime 
*fe,
list_add(>list_be, >dpcm[stream].be_clients);
list_add(>list_fe, >dpcm[stream].fe_clients);
 
-   dev_dbg(fe->dev, "connected new DPCM %s path %s %s %s\n",
-   stream ? "capture" : "playback",  fe->dai_link->name,
-   stream ? "<-" : "->", be->dai_link->name);
-
 #ifdef CONFIG_DEBUG_FS
-   if (fe->debugfs_dpcm_root)
+   if (fe->debugfs_dpcm_root) {
dpcm->debugfs_state = debugfs_create_u32(be->dai_link->name, 
0644,
fe->debugfs_dpcm_root, >state);
+   if (!dpcm->debugfs_state) {
+   kfree(dpcm);
+   return -ENOMEM;
+   }
+   }
 #endif
+
+   dev_dbg(fe->dev, "connected new DPCM %s path %s %s %s\n",
+   stream ? "capture" : "playback",  fe->dai_link->name,
+   stream ? "<-" : "->", be->dai_link->name);
+
return 1;
 }
 
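Review bot: `kfree(dpcm)` in the new failure branch runs after the two `list_add()` calls in the context lines above have already linked `dpcm` into the `be_clients` and `fe_clients` lists, so both lists keep a node that points into freed memory. Unlinking it first would fix the dangling entries, but the better change is to drop the `kfree(dpcm); return -ENOMEM;` branch entirely: the debugfs entry is diagnostic, and a missing `debugfs_state` should not undo a DPCM connection. The branch also adds a negative return to a function whose visible success value is `1`; the callers are outside the hunk and would need checking.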
-- 
2.17.1



[PATCH] fs: affs: fix a NULL pointer dereference

2019-03-14 Thread Kangjie Lu
If affs_bread fails, do not use ext_bh to avoid NULL pointer
 dereference

Signed-off-by: Kangjie Lu 
---
 fs/affs/file.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/affs/file.c b/fs/affs/file.c
index a85817f54483..45b96faa40f1 100644
--- a/fs/affs/file.c
+++ b/fs/affs/file.c
@@ -835,7 +835,7 @@ void
 affs_truncate(struct inode *inode)
 {
struct super_block *sb = inode->i_sb;
-   u32 ext, ext_key;
+   u32 ext, ext_key, ext_bk;
u32 last_blk, blkcnt, blk;
u32 size;
struct buffer_head *ext_bh;
@@ -941,8 +941,12 @@ affs_truncate(struct inode *inode)
size = AFFS_SB(sb)->s_hashsize;
if (size > blkcnt - blk)
size = blkcnt - blk;
-   for (i = 0; i < size; i++, blk++)
-   affs_free_block(sb, be32_to_cpu(AFFS_BLOCK(sb, ext_bh, 
i)));
+   if (ext_bh) {
+   for (i = 0; i < size; i++, blk++) {
+   ext_bk = AFFS_BLOCK(sb, ext_bh, i);
+   affs_free_block(sb, be32_to_cpu(ext_bk));
+   }
+   }
affs_free_block(sb, ext_key);
ext_key = be32_to_cpu(AFFS_TAIL(sb, ext_bh)->extension);
affs_brelse(ext_bh);
-- 
2.17.1



[PATCH] tty: mxs-auart: fix a NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case ioremap fails, the fix returns -ENOMEM to avoid NULL
pointer dereferences.
Multiple places use port.membase.

Signed-off-by: Kangjie Lu 
---
 drivers/tty/serial/mxs-auart.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 27235a526cce..4c188f4079b3 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1686,6 +1686,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
 
s->port.mapbase = r->start;
s->port.membase = ioremap(r->start, resource_size(r));
+   if (!s->port.membase) {
+   ret = -ENOMEM;
+   goto out_disable_clks;
+   }
s->port.ops = _auart_ops;
s->port.iotype = UPIO_MEM;
s->port.fifosize = MXS_AUART_FIFO_SIZE;
-- 
2.17.1



[PATCH] tty: atmel_serial: fix a NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case dmaengine_prep_dma_cyclic fails, the fix returns a proper
error code to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/tty/serial/atmel_serial.c | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/tty/serial/atmel_serial.c 
b/drivers/tty/serial/atmel_serial.c
index 05147fe24343..cf560d05008c 100644
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1237,8 +1237,10 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
dma_cap_set(DMA_CYCLIC, mask);
 
atmel_port->chan_rx = dma_request_slave_channel(mfd_dev, "rx");
-   if (atmel_port->chan_rx == NULL)
+   if (atmel_port->chan_rx == NULL) {
+   ret = -EINVAL;
goto chan_err;
+   }
dev_info(port->dev, "using %s for rx DMA transfers\n",
dma_chan_name(atmel_port->chan_rx));
 
@@ -1257,6 +1259,7 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 
if (!nent) {
dev_dbg(port->dev, "need to release resource of dma\n");
+   ret = -EINVAL;
goto chan_err;
} else {
dev_dbg(port->dev, "%s: mapped %d@%p to %pad\n", __func__,
@@ -1288,6 +1291,11 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
 sg_dma_len(_port->sg_rx)/2,
 DMA_DEV_TO_MEM,
 DMA_PREP_INTERRUPT);
+   if (!desc) {
+   dev_err(port->dev, "Preparing DMA cyclic failed\n");
+   ret = -ENOMEM;
+   goto chan_err;
+   }
desc->callback = atmel_complete_rx_dma;
desc->callback_param = port;
atmel_port->desc_rx = desc;
@@ -1300,7 +1308,7 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
atmel_port->use_dma_rx = 0;
if (atmel_port->chan_rx)
atmel_release_rx_dma(port);
-   return -EINVAL;
+   return ret;
 }
 
 static void atmel_uart_timer_callback(struct timer_list *t)
-- 
2.17.1



[PATCH] tty: ipwireless: fix missing checks for ioremap

2019-03-14 Thread Kangjie Lu
ipw->attr_memory and ipw->common_memory are assigned with the
return value of ioremap. ioremap may fail, but no checks
are enforced. The fix inserts the checks.

Signed-off-by: Kangjie Lu 
---
 drivers/tty/ipwireless/main.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
index 3475e841ef5c..4c18bbfe1a92 100644
--- a/drivers/tty/ipwireless/main.c
+++ b/drivers/tty/ipwireless/main.c
@@ -114,6 +114,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, 
void *priv_data)
 
ipw->common_memory = ioremap(p_dev->resource[2]->start,
resource_size(p_dev->resource[2]));
+   if (!ipw->common_memory) {
+   ret = -ENOMEM;
+   goto exit1;
+   }
if (!request_mem_region(p_dev->resource[2]->start,
resource_size(p_dev->resource[2]),
IPWIRELESS_PCCARD_NAME)) {
@@ -134,6 +138,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, 
void *priv_data)
 
ipw->attr_memory = ioremap(p_dev->resource[3]->start,
resource_size(p_dev->resource[3]));
+   if (!ipw->attr_memory) {
+   ret = -ENOMEM;
+   goto exit3;
+   }
if (!request_mem_region(p_dev->resource[3]->start,
resource_size(p_dev->resource[3]),
IPWIRELESS_PCCARD_NAME)) {
-- 
2.17.1



[PATCH] thunderbolt: fix a missing check of kmemdup

2019-03-14 Thread Kangjie Lu
kmemdup may fail and return NULL. The fix adds a check and returns
NULL in case it fails to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/thunderbolt/property.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index ee76449524a3..841314deb446 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -176,6 +176,10 @@ static struct tb_property_dir 
*__tb_property_parse_dir(const u32 *block,
} else {
dir->uuid = kmemdup([dir_offset], sizeof(*dir->uuid),
GFP_KERNEL);
+   if (!dir->uuid) {
+   tb_property_free_dir(dir);
+   return NULL;
+   }
content_offset = dir_offset + 4;
content_len = dir_len - 4; /* Length includes UUID */
}
-- 
2.17.1



[PATCH] greybus: audio_manager: fix a missing check of ida_simple_get

2019-03-14 Thread Kangjie Lu
ida_simple_get could fail. The fix inserts a check for its
return value.

Signed-off-by: Kangjie Lu 
---
 drivers/staging/greybus/audio_manager.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/greybus/audio_manager.c 
b/drivers/staging/greybus/audio_manager.c
index d44b070d8862..c2a4af4c1d06 100644
--- a/drivers/staging/greybus/audio_manager.c
+++ b/drivers/staging/greybus/audio_manager.c
@@ -45,6 +45,9 @@ int gb_audio_manager_add(struct 
gb_audio_manager_module_descriptor *desc)
int err;
 
id = ida_simple_get(_id, 0, 0, GFP_KERNEL);
+   if (id < 0)
+   return id;
+
err = gb_audio_manager_module_create(, manager_kset,
 id, desc);
if (err) {
-- 
2.17.1



[PATCH] spi: fix NULL pointer dereferences by checking dmaengine_prep_slave_sg

2019-03-14 Thread Kangjie Lu
In case dmaengine_prep_slave_sg fails, the fix returns to avoid
NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/spi/spi-s3c64xx.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 7b7151ec14c8..3a5f161ce558 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -293,6 +293,8 @@ static void prepare_dma(struct s3c64xx_spi_dma_data *dma,
 
desc = dmaengine_prep_slave_sg(dma->ch, sgt->sgl, sgt->nents,
   dma->direction, DMA_PREP_INTERRUPT);
+   if (!desc)
+   return;
 
desc->callback = s3c64xx_spi_dmacb;
desc->callback_param = dma;
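Review bot: The added `if (!desc) return;` makes the failure silent: `prepare_dma` is `static void` (see the hunk header), so the caller cannot tell that no descriptor was queued and will presumably go on to wait for a DMA completion that never arrives. At minimum log the failure with `dev_err()` on whatever device pointer this function has in scope (not visible here), and ideally change the function to return an error the transfer path can act on. The same silent `return;` is added in the `xilinx_pcie_enable_msi` hunk later on this page, where the MSI base registers are then left unprogrammed without any report.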
-- 
2.17.1



[PATCH] rapidio: fix a NULL pointer derefenrece when create_workqueue fails

2019-03-14 Thread Kangjie Lu
In case create_workqueue fails, the fix releases resources and
returns -ENOMEM to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/rapidio/rio_cm.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/rapidio/rio_cm.c b/drivers/rapidio/rio_cm.c
index cf45829585cb..b29fc258eeba 100644
--- a/drivers/rapidio/rio_cm.c
+++ b/drivers/rapidio/rio_cm.c
@@ -2147,6 +2147,14 @@ static int riocm_add_mport(struct device *dev,
mutex_init(>rx_lock);
riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+   if (!cm->rx_wq) {
+   riocm_error("failed to allocate IBMBOX_%d on %s",
+   cmbox, mport->name);
+   rio_release_outb_mbox(mport, cmbox);
+   kfree(cm);
+   return -ENOMEM;
+   }
+
INIT_WORK(>rx_work, rio_ibmsg_handler);
 
cm->tx_slot = 0;
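Review bot: The text passed to `riocm_error`, "failed to allocate IBMBOX_%d on %s", describes an inbound mailbox allocation, but the call that failed here is `create_workqueue`; it looks copied from another error path and will mislead whoever reads the log. Something like `riocm_error("failed to create rx workqueue on %s", mport->name);` says what actually happened. The cleanup releases only the outbound mailbox before `kfree(cm)`; riocm_add_mport starts outside the hunk, so check whether an inbound mailbox was requested earlier and needs releasing as well.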
-- 
2.17.1



[PATCH] power: charger-manager: fix a potential NULL pointer dereference

2019-03-14 Thread Kangjie Lu
In case create_freezable_workqueue fails, the fix returns -ENOMEM
to avoid a potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/power/supply/charger-manager.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/power/supply/charger-manager.c 
b/drivers/power/supply/charger-manager.c
index 38be91f21cc4..d29c4f338157 100644
--- a/drivers/power/supply/charger-manager.c
+++ b/drivers/power/supply/charger-manager.c
@@ -1987,6 +1987,9 @@ static struct platform_driver charger_manager_driver = {
 static int __init charger_manager_init(void)
 {
cm_wq = create_freezable_workqueue("charger_manager");
+   if (unlikely(!cm_wq))
+   return -ENOMEM;
+
INIT_DELAYED_WORK(_monitor_work, cm_monitor_poller);
 
return platform_driver_register(_manager_driver);
-- 
2.17.1



[PATCH] pci: pcie-xilinx: fix a missing-check bug for __get_free_pages

2019-03-13 Thread Kangjie Lu
In case __get_free_pages fails, the fix returns to avoid NULL
pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/pci/controller/pcie-xilinx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/controller/pcie-xilinx.c 
b/drivers/pci/controller/pcie-xilinx.c
index 9bd1a35cd5d8..b7083e995c45 100644
--- a/drivers/pci/controller/pcie-xilinx.c
+++ b/drivers/pci/controller/pcie-xilinx.c
@@ -341,6 +341,9 @@ static void xilinx_pcie_enable_msi(struct xilinx_pcie_port 
*port)
phys_addr_t msg_addr;
 
port->msi_pages = __get_free_pages(GFP_KERNEL, 0);
+   if (unlikely(!port->msi_pages))
+   return;
+
msg_addr = virt_to_phys((void *)port->msi_pages);
pcie_write(port, 0x0, XILINX_PCIE_REG_MSIBASE1);
pcie_write(port, msg_addr, XILINX_PCIE_REG_MSIBASE2);
-- 
2.17.1



[PATCH] pci: pci-tegra: fix a potential NULL pointer dereference

2019-03-13 Thread Kangjie Lu
In case __get_free_pages fails and returns NULL, the fix returns
-ENOMEM and releases resources to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/pci/controller/pci-tegra.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/pci/controller/pci-tegra.c 
b/drivers/pci/controller/pci-tegra.c
index f4f53d092e00..0bdc6ee904f3 100644
--- a/drivers/pci/controller/pci-tegra.c
+++ b/drivers/pci/controller/pci-tegra.c
@@ -1550,6 +1550,12 @@ static int tegra_pcie_msi_setup(struct tegra_pcie *pcie)
 
/* setup AFI/FPCI range */
msi->pages = __get_free_pages(GFP_KERNEL, 0);
+   if (!msi->pages) {
+   dev_err(dev, "failed to get free pages\n");
+   err = -ENOMEM;
+   goto err;
+   }
+
msi->phys = virt_to_phys((void *)msi->pages);
host->msi = >chip;
 
-- 
2.17.1



[PATCH] hyperv: a potential NULL pointer dereference

2019-03-13 Thread Kangjie Lu
In case alloc_page fails, the fix returns -ENOMEM to avoid the potential
NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 arch/x86/hyperv/hv_init.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
index 7abb09e2eeb8..dfdb4ce1ae9c 100644
--- a/arch/x86/hyperv/hv_init.c
+++ b/arch/x86/hyperv/hv_init.c
@@ -102,9 +102,13 @@ static int hv_cpu_init(unsigned int cpu)
u64 msr_vp_index;
struct hv_vp_assist_page **hvp = _vp_assist_page[smp_processor_id()];
void **input_arg;
+   struct page *pg;
 
input_arg = (void **)this_cpu_ptr(hyperv_pcpu_input_arg);
-   *input_arg = page_address(alloc_page(GFP_KERNEL));
+   pg = alloc_page(GFP_KERNEL);
+   if (unlikely(!pg))
+   return -ENOMEM;
+   *input_arg = page_address(pg);
 
hv_get_vp_index(msr_vp_index);
 
-- 
2.17.1



[PATCH] infiniband: i40iw: fix potential NULL pointer dereferences

2019-03-13 Thread Kangjie Lu
alloc_ordered_workqueue may fail and return NULL.
The fix captures the failure and handles it properly to avoid
potential NULL pointer dereferences.

Signed-off-by: Kangjie Lu 
---
V2: add return value to capture the error code

 drivers/infiniband/hw/i40iw/i40iw.h  |  2 +-
 drivers/infiniband/hw/i40iw/i40iw_cm.c   | 19 ---
 drivers/infiniband/hw/i40iw/i40iw_main.c |  5 -
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/drivers/infiniband/hw/i40iw/i40iw.h 
b/drivers/infiniband/hw/i40iw/i40iw.h
index 2f2b4426ded7..8feec35f95a7 100644
--- a/drivers/infiniband/hw/i40iw/i40iw.h
+++ b/drivers/infiniband/hw/i40iw/i40iw.h
@@ -552,7 +552,7 @@ enum i40iw_status_code i40iw_obj_aligned_mem(struct 
i40iw_device *iwdev,
 
 void i40iw_request_reset(struct i40iw_device *iwdev);
 void i40iw_destroy_rdma_device(struct i40iw_ib_device *iwibdev);
-void i40iw_setup_cm_core(struct i40iw_device *iwdev);
+int i40iw_setup_cm_core(struct i40iw_device *iwdev);
 void i40iw_cleanup_cm_core(struct i40iw_cm_core *cm_core);
 void i40iw_process_ceq(struct i40iw_device *, struct i40iw_ceq *iwceq);
 void i40iw_process_aeq(struct i40iw_device *);
diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c 
b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 206cfb0016f8..dda24f44239b 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -3237,7 +3237,7 @@ void i40iw_receive_ilq(struct i40iw_sc_vsi *vsi, struct 
i40iw_puda_buf *rbuf)
  * core
  * @iwdev: iwarp device structure
  */
-void i40iw_setup_cm_core(struct i40iw_device *iwdev)
+int i40iw_setup_cm_core(struct i40iw_device *iwdev)
 {
struct i40iw_cm_core *cm_core = >cm_core;
 
@@ -3256,9 +3256,20 @@ void i40iw_setup_cm_core(struct i40iw_device *iwdev)
 
cm_core->event_wq = alloc_ordered_workqueue("iwewq",
WQ_MEM_RECLAIM);
+   if (!cm_core->event_wq)
+   goto error;
 
cm_core->disconn_wq = alloc_ordered_workqueue("iwdwq",
  WQ_MEM_RECLAIM);
+   if (!cm_core->disconn_wq)
+   goto error;
+
+   return 0;
+error:
+   i40iw_cleanup_cm_core(>cm_core);
+   i40iw_pr_err("fail to setup CM core");
+
+   return return -ENOMEM;
 }
 
 /**
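Review bot: `return return -ENOMEM;` on the last added line of the error path is a syntax error, so i40iw_cm.c does not compile with this posting applied; it should be `return -ENOMEM;`. The rest of the error path matches the later posting of this patch higher up the page, including the call into `i40iw_cleanup_cm_core()` before `disconn_wq` has been assigned.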
@@ -3278,8 +3289,10 @@ void i40iw_cleanup_cm_core(struct i40iw_cm_core *cm_core)
del_timer_sync(_core->tcp_timer);
spin_unlock_irqrestore(_core->ht_lock, flags);
 
-   destroy_workqueue(cm_core->event_wq);
-   destroy_workqueue(cm_core->disconn_wq);
+   if (cm_core->event_wq)
+   destroy_workqueue(cm_core->event_wq);
+   if (cm_core->disconn_wq)
+   destroy_workqueue(cm_core->disconn_wq);
 }
 
 /**
diff --git a/drivers/infiniband/hw/i40iw/i40iw_main.c 
b/drivers/infiniband/hw/i40iw/i40iw_main.c
index 68095f00d08f..10932baee279 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_main.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_main.c
@@ -1641,7 +1641,10 @@ static int i40iw_open(struct i40e_info *ldev, struct 
i40e_client *client)
iwdev = >device;
iwdev->hdl = hdl;
dev = >sc_dev;
-   i40iw_setup_cm_core(iwdev);
+   if (i40iw_setup_cm_core(iwdev)) {
+   kfree(iwdev->hdl);
+   return -ENOMEM;
+   }
 
dev->back_dev = (void *)iwdev;
iwdev->ldev = >ldev;
-- 
2.17.1



[PATCH v3] hid: logitech: check the return value of create_singlethread_workqueue

2019-03-13 Thread Kangjie Lu
create_singlethread_workqueue may fail and return NULL. The fix
checks if it is NULL to avoid NULL pointer dereference.
Also, the fix moves the call of create_singlethread_workqueue
earlier to avoid resource-release issues.

--
V3: do not introduce memory leaks.

Signed-off-by: Kangjie Lu 
---
 drivers/hid/hid-logitech-hidpp.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 15ed6177a7a3..0a243247b231 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -2111,6 +2111,13 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 
feature_index)
kfree(data);
return -ENOMEM;
}
+   data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
+   if (!data->wq) {
+   kfree(data->effect_ids);
+   kfree(data);
+   return -ENOMEM;
+   }
+
data->hidpp = hidpp;
data->feature_index = feature_index;
data->version = version;
@@ -2155,7 +2162,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 
feature_index)
/* ignore boost value at response.fap.params[2] */
 
/* init the hardware command queue */
-   data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
atomic_set(>workqueue_size, 0);
 
/* initialize with zero autocenter to get wheel in usable state */
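Review bot: The comment `/* init the hardware command queue */` stays behind in this hunk while the `create_singlethread_workqueue` call it described moves to the first hunk, so it now covers only the `atomic_set` that resets the queue counter. Move the comment up with the call, directly above `data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");`, or reword the remaining one to say that only the counter is reset here. hidpp_ff_init starts and ends outside both hunks.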
-- 
2.17.1



[PATCH] thunderbolt: property: fix a NULL pointer dereference

2019-03-12 Thread Kangjie Lu
In case kzalloc fails, the fix releases resources and returns
-ENOMEM to avoid the NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/thunderbolt/property.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/thunderbolt/property.c b/drivers/thunderbolt/property.c
index b2f0d6386cee..ee76449524a3 100644
--- a/drivers/thunderbolt/property.c
+++ b/drivers/thunderbolt/property.c
@@ -548,6 +548,11 @@ int tb_property_add_data(struct tb_property_dir *parent, 
const char *key,
 
property->length = size / 4;
property->value.data = kzalloc(size, GFP_KERNEL);
+   if (!property->value.data) {
+   kfree(property);
+   return -ENOMEM;
+   }
+
memcpy(property->value.data, buf, buflen);
 
list_add_tail(>list, >properties);
-- 
2.17.1



[PATCH v2] media: rga: fix NULL pointer dereferences and a memory leak

2019-03-12 Thread Kangjie Lu
In case __get_free_pages fails, the fix releases resources and
returns -ENOMEM to avoid NULL pointer dereferences.

Also, the fix frees pages when video_register_device fails to
avoid a memory leak.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/rockchip/rga/rga.c | 15 ++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/rockchip/rga/rga.c 
b/drivers/media/platform/rockchip/rga/rga.c
index 5c653287185f..307b7ab0ab64 100644
--- a/drivers/media/platform/rockchip/rga/rga.c
+++ b/drivers/media/platform/rockchip/rga/rga.c
@@ -892,8 +892,17 @@ static int rga_probe(struct platform_device *pdev)
 
rga->src_mmu_pages =
(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+   if (!rga->src_mmu_pages) {
+   ret = -ENOMEM;
+   goto rel_vdev;
+   }
+
rga->dst_mmu_pages =
(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+   if (!rga->dst_mmu_pages) {
+   ret = -ENOMEM;
+   goto free_dst_pages;
+   }
 
def_frame.stride = (def_frame.width * def_frame.fmt->depth) >> 3;
def_frame.size = def_frame.stride * def_frame.height;
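Review bot: The unwind labels do not match the failures that jump to them: when the `rga->dst_mmu_pages` allocation fails, `goto free_dst_pages` runs only `free_pages()` on the NULL `dst_mmu_pages` and then falls into `rel_vdev`, so the pages already held in `rga->src_mmu_pages` are leaked. The labels are added in the last hunk of this patch, where `free_pages:` releases the source pages and `free_dst_pages:` the destination pages. Unwinding in reverse order of acquisition fixes it: a failed destination allocation should jump to a label that frees the source pages, and a failed `video_register_device` to one that frees the destination pages and falls through. rga_probe starts and ends outside these hunks.
```c
	if (!rga->dst_mmu_pages) {
		ret = -ENOMEM;
		goto free_src_pages;
	}
	/* … unchanged: def_frame setup, video_register_device() call … */
		goto free_dst_pages;
	/* … unchanged: success path, return 0 … */
free_dst_pages:
	free_pages((unsigned long)rga->dst_mmu_pages, 3);
free_src_pages:
	free_pages((unsigned long)rga->src_mmu_pages, 3);
rel_vdev:
```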
@@ -901,7 +910,7 @@ static int rga_probe(struct platform_device *pdev)
ret = video_register_device(vfd, VFL_TYPE_GRABBER, -1);
if (ret) {
v4l2_err(>v4l2_dev, "Failed to register video device\n");
-   goto rel_vdev;
+   goto free_pages;
}
 
v4l2_info(>v4l2_dev, "Registered %s as /dev/%s\n",
@@ -909,6 +918,10 @@ static int rga_probe(struct platform_device *pdev)
 
return 0;
 
+free_pages:
+   free_pages((unsigned long)rga->src_mmu_pages, 3);
+free_dst_pages:
+   free_pages((unsigned long)rga->dst_mmu_pages, 3);
 rel_vdev:
video_device_release(vfd);
 unreg_video_dev:
-- 
2.17.1



[PATCH v2] hid: logitech: check the return value of create_singlethread_workqueue

2019-03-12 Thread Kangjie Lu
create_singlethread_workqueue may fail and return NULL. The fix
checks if it is NULL to avoid NULL pointer dereference.
Also, the fix moves the call of create_singlethread_workqueue
earlier to avoid resource-release issues.

Signed-off-by: Kangjie Lu 
---
 drivers/hid/hid-logitech-hidpp.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 15ed6177a7a3..1b7c336cae6d 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -2106,6 +2106,12 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 
feature_index)
data = kzalloc(sizeof(*data), GFP_KERNEL);
if (!data)
return -ENOMEM;
+
+   /* init the hardware command queue */
+   data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
+   if (!data->wq)
+   return -ENOMEM;
+
data->effect_ids = kcalloc(num_slots, sizeof(int), GFP_KERNEL);
if (!data->effect_ids) {
kfree(data);
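Review bot: The new `if (!data->wq) return -ENOMEM;` returns without freeing `data`, which the `kzalloc` a few lines above allocated, so every workqueue allocation failure leaks it; the branch should free it first, `if (!data->wq) { kfree(data); return -ENOMEM; }`. Because the workqueue now exists before `data->effect_ids` is allocated, the `!data->effect_ids` branch below also needs `destroy_workqueue(data->wq);` ahead of its `kfree(data);`. hidpp_ff_init continues outside the hunk, so any later failure return would need the same release.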
@@ -2154,8 +2160,6 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 
feature_index)
data->gain = error ? 0x : 
get_unaligned_be16([0]);
/* ignore boost value at response.fap.params[2] */
 
-   /* init the hardware command queue */
-   data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
atomic_set(>workqueue_size, 0);
 
/* initialize with zero autocenter to get wheel in usable state */
-- 
2.17.1



Re: [PATCH] net: fjes: fix potential NULL pointer dereferences

2019-03-11 Thread Kangjie Lu



> On Mar 11, 2019, at 6:19 PM, David Miller  wrote:
> 
> From: Kangjie Lu 
> Date: Mon, 11 Mar 2019 02:10:21 -0500
> 
>>  adapter->control_wq = alloc_workqueue(DRV_NAME "/control",
>>WQ_MEM_RECLAIM, 0);
>> +if (!adapter->control_wq) {
>> +err = -ENOMEM;
>> +goto err_free_netdev;
>> +}
> 
> This error path leaks adapter->txrx_wq.

The following code also has an error-handling case: goto err_free_netdev.
Shouldn’t the resource release be in err_free_netdev?

> 



[PATCH v2] net: brcm80211: fix missing checks for kmemdup

2019-03-11 Thread Kangjie Lu
In case kmemdup fails, the fix sets conn_info->req_ie_len to zero
to avoid buffer overflows.

Signed-off-by: Kangjie Lu 
---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c 
b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index e92f6351bd22..5d9a3c35fef5 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -5464,6 +5464,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info 
*cfg,
conn_info->req_ie =
kmemdup(cfg->extra_buf, conn_info->req_ie_len,
GFP_KERNEL);
+   if (!conn_info->req_ie)
+   conn_info->req_ie_len = 0;
} else {
conn_info->req_ie_len = 0;
conn_info->req_ie = NULL;
@@ -5480,6 +5482,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info 
*cfg,
conn_info->resp_ie =
kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
GFP_KERNEL);
+   if (!conn_info->resp_ie)
+   conn_info->req_ie_len = 0;
} else {
conn_info->resp_ie_len = 0;
conn_info->resp_ie = NULL;
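Review bot: The second added check resets the wrong length: when `kmemdup` for `conn_info->resp_ie` fails, this hunk sets `conn_info->req_ie_len = 0;`, which leaves `resp_ie_len` non-zero next to a NULL `resp_ie` and throws away the length of a request IE that may have been copied successfully. The line should be `conn_info->resp_ie_len = 0;`, matching the else branch right below it. A non-zero length paired with a NULL buffer is exactly the state the description says the patch is meant to rule out. brcmf_get_assoc_ies starts and ends outside the hunk.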
-- 
2.17.1



[PATCH v2] mmc_spi: add a status check for spi_sync_locked

2019-03-10 Thread Kangjie Lu
In case spi_sync_locked fails, the fix reports the error and
returns the error code upstream.

Signed-off-by: Kangjie Lu 
---
 drivers/mmc/host/mmc_spi.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
index 1b1498805972..a3533935e282 100644
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct 
spi_transfer *t,
}
 
status = spi_sync_locked(spi, >m);
+   if (status < 0) {
+   dev_dbg(>dev, "read error %d\n", status);
+   return status;
+   }
 
if (host->dma_dev) {
dma_sync_single_for_cpu(host->dma_dev,
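Review bot: The early `return status;` leaves mmc_spi_readblock before the `if (host->dma_dev)` block that follows, so on a failed transfer the `dma_sync_single_for_cpu` calls are skipped. If the buffers were handed to the device with a matching sync before `spi_sync_locked` (that code is above the hunk, so this is an assumption), they should be handed back to the CPU on the error path as well; placing the `if (status < 0)` check after the sync block would do that. The earlier posting of this patch further down the page has the same early return, and its `dev_dbg` additionally prints the negative status with `%02x`.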
-- 
2.17.1



[PATCH] net: liquidio: fix a NULL pointer dereference

2019-03-10 Thread Kangjie Lu
In case octeon_alloc_soft_command fails, the fix reports the
error and returns to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/net/ethernet/cavium/liquidio/lio_main.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c 
b/drivers/net/ethernet/cavium/liquidio/lio_main.c
index 9b7819fdc9de..a3781d7a7b5c 100644
--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
@@ -1192,6 +1192,11 @@ static void send_rx_ctrl_cmd(struct lio *lio, int 
start_stop)
sc = (struct octeon_soft_command *)
octeon_alloc_soft_command(oct, OCTNET_CMD_SIZE,
  16, 0);
+   if (!sc) {
+   netif_info(lio, rx_err, lio->netdev,
+   "Failed to allocate octeon_soft_command\n");
+   return;
+   }
 
ncmd = (union octnet_cmd *)sc->virtdptr;
 
-- 
2.17.1



[PATCH] net: 8390: fix potential NULL pointer dereferences

2019-03-10 Thread Kangjie Lu
In case ioremap fails, the fix returns to avoid NULL pointer
dereferences.

Signed-off-by: Kangjie Lu 
---
 drivers/net/ethernet/8390/pcnet_cs.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/8390/pcnet_cs.c 
b/drivers/net/ethernet/8390/pcnet_cs.c
index 61e43802b9a5..d82ecedf7366 100644
--- a/drivers/net/ethernet/8390/pcnet_cs.c
+++ b/drivers/net/ethernet/8390/pcnet_cs.c
@@ -289,6 +289,9 @@ static struct hw_info *get_hwinfo(struct pcmcia_device 
*link)
 
 virt = ioremap(link->resource[2]->start,
resource_size(link->resource[2]));
+   if (unlikely(!virt))
+   return NULL;
+
 for (i = 0; i < NR_INFO; i++) {
pcmcia_map_mem_page(link, link->resource[2],
hw_info[i].offset & ~(resource_size(link->resource[2])-1));
@@ -1423,6 +1426,11 @@ static int setup_shmem_window(struct pcmcia_device 
*link, int start_pg,
 /* Try scribbling on the buffer */
 info->base = ioremap(link->resource[3]->start,
resource_size(link->resource[3]));
+   if (unlikely(!info->base)) {
+   ret = -ENOMEM;
+   goto failed;
+   }
+
 for (i = 0; i < (TX_PAGES<<8); i += 2)
__raw_writew((i>>1), info->base+offset+i);
 udelay(100);
-- 
2.17.1



[PATCH] net: lan9303: fix missing error handling

2019-03-10 Thread Kangjie Lu
Both lan9303_phy_write and regmap_write may fail. The fix adds
the error handling to print error messages upon failure.

Signed-off-by: Kangjie Lu 
---
 drivers/net/dsa/lan9303-core.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/dsa/lan9303-core.c b/drivers/net/dsa/lan9303-core.c
index 2ffab7ee3d80..3f5e89f431f9 100644
--- a/drivers/net/dsa/lan9303-core.c
+++ b/drivers/net/dsa/lan9303-core.c
@@ -1072,6 +1072,10 @@ static void lan9303_adjust_link(struct dsa_switch *ds, 
int port,
ctl &= ~BMCR_FULLDPLX;
 
res =  lan9303_phy_write(ds, port, MII_BMCR, ctl);
+   if (res) {
+   dev_err(ds->dev, "lan9303_phy_write failed: %d\n", res);
+   return;
+   }
 
if (port == chip->phy_addr_base) {
/* Virtual Phy: Remove Turbo 200Mbit mode */
@@ -1080,6 +1084,8 @@ static void lan9303_adjust_link(struct dsa_switch *ds, 
int port,
ctl &= ~LAN9303_VIRT_SPECIAL_TURBO;
res =  regmap_write(chip->regmap,
LAN9303_VIRT_SPECIAL_CTRL, ctl);
+   if (res)
+   dev_err(ds->dev, "regmap_write failed: %d\n", res);
}
 }
 
-- 
2.17.1



[PATCH] net: spi: fix a potential NULL pointer dereference

2019-03-09 Thread Kangjie Lu
In case alloc_workqueue fails to allocate the work queue and
returns NULL, the fix releases the resources and returns
-ENOMEM.

Signed-off-by: Kangjie Lu 
---
 drivers/net/can/spi/mcp251x.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/can/spi/mcp251x.c b/drivers/net/can/spi/mcp251x.c
index e90817608645..2737b9a20dfe 100644
--- a/drivers/net/can/spi/mcp251x.c
+++ b/drivers/net/can/spi/mcp251x.c
@@ -962,6 +962,14 @@ static int mcp251x_open(struct net_device *net)
 
priv->wq = alloc_workqueue("mcp251x_wq", WQ_FREEZABLE | WQ_MEM_RECLAIM,
   0);
+   if (unlikely(!priv->wq)) {
+   dev_err(>dev, "failed to allocate work queue\n");
+   mcp251x_power_enable(priv->transceiver, 0);
+   close_candev(net);
+   ret = -ENOMEM;
+   goto open_unlock;
+   }
+
INIT_WORK(>tx_work, mcp251x_tx_work_handler);
INIT_WORK(>restart_work, mcp251x_restart_work_handler);
 
-- 
2.17.1



[PATCH] mmc_spi: add a status check for spi_sync_locked

2019-03-09 Thread Kangjie Lu
In case spi_sync_locked fails, the fix reports the error and
returns the error code upstream.

Signed-off-by: Kangjie Lu 
---
 drivers/mmc/host/mmc_spi.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
index 1b1498805972..32fea585262b 100644
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct 
spi_transfer *t,
}
 
status = spi_sync_locked(spi, >m);
+   if (status < 0) {
+   dev_dbg(>dev, "read error %02x (%d)\n", status, status);
+   return status;
+   }
 
if (host->dma_dev) {
dma_sync_single_for_cpu(host->dma_dev,
-- 
2.17.1



[PATCH] iio: hmc5843_spi: fix a NULL pointer dereference

2019-03-09 Thread Kangjie Lu
In case devm_regmap_init_spi fails and returns NULL, the fix
returns an error to avoid NULL pointer dereference

Signed-off-by: Kangjie Lu 
---
 drivers/iio/magnetometer/hmc5843_spi.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/magnetometer/hmc5843_spi.c 
b/drivers/iio/magnetometer/hmc5843_spi.c
index 535f03a70d63..15e2f7cbb3b5 100644
--- a/drivers/iio/magnetometer/hmc5843_spi.c
+++ b/drivers/iio/magnetometer/hmc5843_spi.c
@@ -59,6 +59,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
 {
int ret;
const struct spi_device_id *id = spi_get_device_id(spi);
+   struct regmap *devm_regmap = devm_regmap_init_spi(spi,
+   _spi_regmap_config);
+
+   if (IS_ERR(devm_regmap))
+   return PTR_ERR(devm_regmap);
+
 
spi->mode = SPI_MODE_3;
spi->max_speed_hz = 800;
@@ -68,7 +74,7 @@ static int hmc5843_spi_probe(struct spi_device *spi)
return ret;
 
return hmc5843_common_probe(>dev,
-   devm_regmap_init_spi(spi, _spi_regmap_config),
+   devm_regmap,
id->driver_data, id->name);
 }
 
-- 
2.17.1



[PATCH] mfd: fix a potential NULL pointer dereference

2019-03-09 Thread Kangjie Lu
In case devm_kzalloc fails, the fix does NULL check and returns
-ENOMEM upon failure so as to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/mfd/sm501.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
index a530972c5a7e..e0173bf4b0dc 100644
--- a/drivers/mfd/sm501.c
+++ b/drivers/mfd/sm501.c
@@ -1145,6 +1145,9 @@ static int sm501_register_gpio_i2c_instance(struct 
sm501_devdata *sm,
lookup = devm_kzalloc(>dev,
  sizeof(*lookup) + 3 * sizeof(struct gpiod_lookup),
  GFP_KERNEL);
+   if (!lookup)
+   return -ENOMEM;
+
lookup->dev_id = "i2c-gpio";
if (iic->pin_sda < 32)
lookup->table[0].chip_label = "SM501-LOW";
-- 
2.17.1



[PATCH] memstick: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case alloc_ordered_workqueue fails, the fix returns ENOMEM to
avoid potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/memstick/core/ms_block.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c
index 82daccc9ea62..8e00de414567 100644
--- a/drivers/memstick/core/ms_block.c
+++ b/drivers/memstick/core/ms_block.c
@@ -2149,6 +2149,11 @@ static int msb_init_disk(struct memstick_dev *card)
 
msb->usage_count = 1;
msb->io_queue = alloc_ordered_workqueue("ms_block", WQ_MEM_RECLAIM);
+   if (!msb->io_queue) {
+   rc = -ENOMEM;
+   goto out_put_disk;
+   }
+
INIT_WORK(>io_work, msb_io_work);
sg_init_table(msb->prealloc_sg, MS_BLOCK_MAX_SEGS+1);
 
-- 
2.17.1



[PATCH] media: usbvision: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case usb_alloc_coherent fails, the fix returns -ENOMEM to
avoid a potential NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/media/usb/usbvision/usbvision-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/usbvision/usbvision-core.c 
b/drivers/media/usb/usbvision/usbvision-core.c
index 31e0e98d6daf..1b0d0a0f0e87 100644
--- a/drivers/media/usb/usbvision/usbvision-core.c
+++ b/drivers/media/usb/usbvision/usbvision-core.c
@@ -2302,6 +2302,9 @@ int usbvision_init_isoc(struct usb_usbvision *usbvision)
   sb_size,
   GFP_KERNEL,
   >transfer_dma);
+   if (!usbvision->sbuf[buf_idx].data)
+   return -ENOMEM;
+
urb->dev = dev;
urb->context = usbvision;
urb->pipe = usb_rcvisocpipe(dev, usbvision->video_endp);
-- 
2.17.1



[PATCH] media: video-mux: fix null pointer dereferences

2019-03-08 Thread Kangjie Lu
devm_kcalloc may fail and return a null pointer. The fix returns
-ENOMEM upon failures to avoid null pointer dereferences.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/video-mux.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/video-mux.c 
b/drivers/media/platform/video-mux.c
index c33900e3c23e..4135165cdabe 100644
--- a/drivers/media/platform/video-mux.c
+++ b/drivers/media/platform/video-mux.c
@@ -399,9 +399,14 @@ static int video_mux_probe(struct platform_device *pdev)
vmux->active = -1;
vmux->pads = devm_kcalloc(dev, num_pads, sizeof(*vmux->pads),
  GFP_KERNEL);
+   if (!vmux->pads)
+   return -ENOMEM;
+
vmux->format_mbus = devm_kcalloc(dev, num_pads,
 sizeof(*vmux->format_mbus),
 GFP_KERNEL);
+   if (!vmux->format_mbus)
+   return -ENOMEM;
 
for (i = 0; i < num_pads; i++) {
vmux->pads[i].flags = (i < num_pads - 1) ? MEDIA_PAD_FL_SINK
-- 
2.17.1



[PATCH] media: renesas-ceu: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case of_match_device cannot find a match, the check returns
-EINVAL to avoid a potential NULL pointer dereference

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/renesas-ceu.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/media/platform/renesas-ceu.c 
b/drivers/media/platform/renesas-ceu.c
index 150196f7cf96..4aa807c0b6c7 100644
--- a/drivers/media/platform/renesas-ceu.c
+++ b/drivers/media/platform/renesas-ceu.c
@@ -1682,7 +1682,10 @@ static int ceu_probe(struct platform_device *pdev)
 
if (IS_ENABLED(CONFIG_OF) && dev->of_node) {
ceu_data = of_match_device(ceu_of_match, dev)->data;
-   num_subdevs = ceu_parse_dt(ceudev);
+   if (unlikely(!ceu_data))
+   num_subdevs = -EINVAL;
+   else
+   num_subdevs = ceu_parse_dt(ceudev);
} else if (dev->platform_data) {
/* Assume SH4 if booting with platform data. */
ceu_data = _data_sh4;
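Review bot: The added `if (unlikely(!ceu_data))` check comes too late: the context line above it still evaluates `of_match_device(ceu_of_match, dev)->data`, so a NULL return from of_match_device is dereferenced before anything is tested, and what is tested is the `data` member rather than the match itself. Either test the match pointer before using it, or fetch the data with `ceu_data = of_device_get_match_data(dev);`, which yields NULL when there is no match, and keep the new check as it is. ceu_probe starts and ends outside the hunk.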
-- 
2.17.1



[PATCH] media: rcar-vin: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case of_match_node cannot find a match, the fix returns
-EINVAL to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/rcar-vin/rcar-core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/platform/rcar-vin/rcar-core.c 
b/drivers/media/platform/rcar-vin/rcar-core.c
index f0719ce24b97..a058e2023ca8 100644
--- a/drivers/media/platform/rcar-vin/rcar-core.c
+++ b/drivers/media/platform/rcar-vin/rcar-core.c
@@ -266,6 +266,8 @@ static int rvin_group_init(struct rvin_group *group, struct 
rvin_dev *vin)
 
match = of_match_node(vin->dev->driver->of_match_table,
  vin->dev->of_node);
+   if (unlikely(!match))
+   return -EINVAL;
 
strscpy(mdev->driver_name, KBUILD_MODNAME, sizeof(mdev->driver_name));
strscpy(mdev->model, match->compatible, sizeof(mdev->model));
-- 
2.17.1



[PATCH] media: vpss: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case ioremap fails, the fix returns -ENOMEM to avoid NULL
pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/davinci/vpss.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/davinci/vpss.c 
b/drivers/media/platform/davinci/vpss.c
index 19cf6853411e..f7beed2de9cb 100644
--- a/drivers/media/platform/davinci/vpss.c
+++ b/drivers/media/platform/davinci/vpss.c
@@ -518,6 +518,9 @@ static int __init vpss_init(void)
return -EBUSY;
 
oper_cfg.vpss_regs_base2 = ioremap(VPSS_CLK_CTRL, 4);
+   if (unlikely(!oper_cfg.vpss_regs_base2))
+   return -ENOMEM;
+
writel(VPSS_CLK_CTRL_VENCCLKEN |
 VPSS_CLK_CTRL_DACCLKEN, oper_cfg.vpss_regs_base2);
 
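Review bot: The new `return -ENOMEM;` exits vpss_init without undoing whatever precedes the `return -EBUSY;` path at the top of the hunk; if that is a `request_mem_region` on `VPSS_CLK_CTRL` (the call is above the hunk, so this is inferred), the region stays claimed after a failed ioremap. Releasing it before returning, for example `release_mem_region(VPSS_CLK_CTRL, 4);`, would keep the failure path symmetric. The function continues below the hunk.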
-- 
2.17.1



[PATCH] media: rga: fix NULL pointer dereferences

2019-03-08 Thread Kangjie Lu
In case __get_free_pages fails, return -ENOMEM to avoid NULL
pointer dereferences.

Signed-off-by: Kangjie Lu 
---
 drivers/media/platform/rockchip/rga/rga.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/media/platform/rockchip/rga/rga.c 
b/drivers/media/platform/rockchip/rga/rga.c
index 5c653287185f..d42b214977a9 100644
--- a/drivers/media/platform/rockchip/rga/rga.c
+++ b/drivers/media/platform/rockchip/rga/rga.c
@@ -892,8 +892,13 @@ static int rga_probe(struct platform_device *pdev)
 
rga->src_mmu_pages =
(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+   if (!rga->src_mmu_pages)
+   return -ENOMEM;
+
rga->dst_mmu_pages =
(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+   if (!rga->dst_mmu_pages)
+   return -ENOMEM;
 
def_frame.stride = (def_frame.width * def_frame.fmt->depth) >> 3;
def_frame.size = def_frame.stride * def_frame.height;
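Review bot: The second added `return -ENOMEM;` leaks the pages just stored in `rga->src_mmu_pages` when the `rga->dst_mmu_pages` allocation fails; at minimum it needs `free_pages((unsigned long)rga->src_mmu_pages, 3);` before returning. Both returns also leave rga_probe directly, so anything the probe acquired before this point (outside the hunk) is not unwound; jumping to the function's existing error labels with `ret = -ENOMEM` would be safer than returning in place. rga_probe starts and ends outside the hunk.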
-- 
2.17.1



[PATCH] media: stv090x: add missed checks for STV090x_WRITE_DEMOD

2019-03-08 Thread Kangjie Lu
Conservatively check return value of STV090x_WRITE_DEMOD in case
it fails.

Signed-off-by: Kangjie Lu 
---
 drivers/media/dvb-frontends/stv090x.c | 19 +--
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/drivers/media/dvb-frontends/stv090x.c 
b/drivers/media/dvb-frontends/stv090x.c
index a0622bb71803..3e2af3969e16 100644
--- a/drivers/media/dvb-frontends/stv090x.c
+++ b/drivers/media/dvb-frontends/stv090x.c
@@ -1446,14 +1446,17 @@ static int stv090x_start_search(struct stv090x_state 
*state)
/* >= Cut 3 */
if (state->srate <= 500) {
/* enlarge the timing bandwidth for Low SR */
-   STV090x_WRITE_DEMOD(state, RTCS2, 0x68);
+   if (STV090x_WRITE_DEMOD(state, RTCS2, 0x68) < 0)
+   goto err;
} else {
/* reduce timing bandwidth for high SR */
-   STV090x_WRITE_DEMOD(state, RTCS2, 0x44);
+   if (STV090x_WRITE_DEMOD(state, RTCS2, 0x44) < 0)
+   goto err;
}
 
/* Set CFR min and max to manual mode */
-   STV090x_WRITE_DEMOD(state, CARCFG, 0x46);
+   if (STV090x_WRITE_DEMOD(state, CARCFG, 0x46) < 0)
+   goto err;
 
if (state->algo == STV090x_WARM_SEARCH) {
/* WARM Start
@@ -2604,7 +2607,8 @@ static enum stv090x_signal_state 
stv090x_get_sig_params(struct stv090x_state *st
 
if (state->algo == STV090x_BLIND_SEARCH) {
tmg = STV090x_READ_DEMOD(state, TMGREG2);
-   STV090x_WRITE_DEMOD(state, SFRSTEP, 0x5c);
+   if (STV090x_WRITE_DEMOD(state, SFRSTEP, 0x5c) < 0)
+   goto err;
while ((i <= 50) && (tmg != 0) && (tmg != 0xff)) {
tmg = STV090x_READ_DEMOD(state, TMGREG2);
msleep(5);
@@ -2910,7 +2914,9 @@ static int stv090x_optimize_track(struct stv090x_state 
*state)
pilots = STV090x_GETFIELD_Px(reg, DEMOD_TYPE_FIELD) & 
0x01;
aclc = stv090x_optimize_carloop(state, modcod, pilots);
if (modcod <= STV090x_QPSK_910) {
-   STV090x_WRITE_DEMOD(state, ACLC2S2Q, aclc);
+   if (STV090x_WRITE_DEMOD(state, ACLC2S2Q, aclc)
+   < 0)
+   goto err;
} else if (modcod <= STV090x_8PSK_910) {
if (STV090x_WRITE_DEMOD(state, ACLC2S2Q, 0x2a) 
< 0)
goto err;
@@ -2972,7 +2978,8 @@ static int stv090x_optimize_track(struct stv090x_state 
*state)
reg = STV090x_READ_DEMOD(state, TMGOBS);
 
if (state->algo == STV090x_BLIND_SEARCH) {
-   STV090x_WRITE_DEMOD(state, SFRSTEP, 0x00);
+   if (STV090x_WRITE_DEMOD(state, SFRSTEP, 0x00) < 0)
+   goto err;
reg = STV090x_READ_DEMOD(state, DMDCFGMD);
STV090x_SETFIELD_Px(reg, SCAN_ENABLE_FIELD, 0x00);
STV090x_SETFIELD_Px(reg, CFR_AUTOSCAN_FIELD, 0x00);
-- 
2.17.1



[PATCH] leds: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case of_match_device cannot find a match, the fix returns
-EINVAL to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/leds/leds-pca9532.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/leds/leds-pca9532.c b/drivers/leds/leds-pca9532.c
index 7fea18b0c15d..4b0335591728 100644
--- a/drivers/leds/leds-pca9532.c
+++ b/drivers/leds/leds-pca9532.c
@@ -513,6 +513,7 @@ static int pca9532_probe(struct i2c_client *client,
const struct i2c_device_id *id)
 {
int devid;
+   const struct of_device_id *of_id;
struct pca9532_data *data = i2c_get_clientdata(client);
struct pca9532_platform_data *pca9532_pdata =
dev_get_platdata(>dev);
@@ -528,8 +529,11 @@ static int pca9532_probe(struct i2c_client *client,
dev_err(>dev, "no platform data\n");
return -EINVAL;
}
-   devid = (int)(uintptr_t)of_match_device(
-   of_pca9532_leds_match, >dev)->data;
+   of_id = of_match_device(of_pca9532_leds_match,
+   >dev);
+   if (unlikely(!of_id))
+   return -EINVAL;
+   devid = (int)of_id->data;
} else {
devid = id->driver_data;
}
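Review bot: `devid = (int)of_id->data;` drops the `(uintptr_t)` step that the removed line had, so a `const void *` is cast straight to `int`; on 64-bit builds that is a pointer-to-narrower-integer cast and compilers warn about it. Keep the intermediate cast: `devid = (int)(uintptr_t)of_id->data;`. pca9532_probe continues outside the hunk.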
-- 
2.17.1



[PATCH] isdn: mISDNinfineon: fix potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case ioremap fails, the fix returns -ENOMEM to avoid NULL
pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/isdn/hardware/mISDN/mISDNinfineon.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/mISDNinfineon.c 
b/drivers/isdn/hardware/mISDN/mISDNinfineon.c
index 3e01012be4ab..0fe6ddcb3fdc 100644
--- a/drivers/isdn/hardware/mISDN/mISDNinfineon.c
+++ b/drivers/isdn/hardware/mISDN/mISDNinfineon.c
@@ -712,8 +712,11 @@ setup_io(struct inf_hw *hw)
(ulong)hw->addr.start, (ulong)hw->addr.size);
return err;
}
-   if (hw->ci->addr_mode == AM_MEMIO)
+   if (hw->ci->addr_mode == AM_MEMIO) {
hw->addr.p = ioremap(hw->addr.start, hw->addr.size);
+   if (unlikely(!hw->addr.p))
+   return -ENOMEM;
+   }
hw->addr.mode = hw->ci->addr_mode;
if (debug & DEBUG_HW)
pr_notice("%s: IO addr %lx (%lu bytes) mode%d\n",
-- 
2.17.1



[PATCH] isdn: hfcpci: fix potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case ioremap fails, the fix reports an error and returns.

Signed-off-by: Kangjie Lu 
---
 drivers/isdn/hardware/mISDN/hfcpci.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c 
b/drivers/isdn/hardware/mISDN/hfcpci.c
index ebb3fa2e1d00..b400d6528a56 100644
--- a/drivers/isdn/hardware/mISDN/hfcpci.c
+++ b/drivers/isdn/hardware/mISDN/hfcpci.c
@@ -2036,6 +2036,11 @@ setup_hw(struct hfc_pci *hc)
   "HFC-PCI: defined at mem %#lx fifo %#lx(%#lx) IRQ %d HZ %d\n",
   (u_long) hc->hw.pci_io, (u_long) hc->hw.fifos,
   (u_long) hc->hw.dmahandle, hc->irq, HZ);
+   if (unlikely(!hc->hw.pci_io)) {
+   printk(KERN_WARNING
+  "HFC-PCI: ioremap failed!\n");
+   return 1;
+   }
/* enable memory mapped ports, disable busmaster */
pci_write_config_word(hc->pdev, PCI_COMMAND, PCI_ENA_MEMIO);
hc->hw.int_m2 = 0;
-- 
2.17.1



[PATCH] input: pm8xxx-vibrator: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
In case of_device_get_match_data fails to find the matched data,
the fix returns -ENODEV.

Signed-off-by: Kangjie Lu 
---
 drivers/input/misc/pm8xxx-vibrator.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/input/misc/pm8xxx-vibrator.c 
b/drivers/input/misc/pm8xxx-vibrator.c
index 7dd1c1fbe42a..740e59c11808 100644
--- a/drivers/input/misc/pm8xxx-vibrator.c
+++ b/drivers/input/misc/pm8xxx-vibrator.c
@@ -196,6 +196,8 @@ static int pm8xxx_vib_probe(struct platform_device *pdev)
vib->vib_input_dev = input_dev;
 
regs = of_device_get_match_data(>dev);
+   if (unlikely(!regs))
+   return -ENODEV;
 
/* operate in manual mode */
error = regmap_read(vib->regmap, regs->drv_addr, );
-- 
2.17.1



[PATCH] infiniband: i40iw: fix potential NULL pointer dereferences

2019-03-08 Thread Kangjie Lu
alloc_ordered_workqueue may fail and return NULL. Let's check
its return value to ensure it is not NULL so as to avoid
potential NULL pointer dereferences.

Signed-off-by: Kangjie Lu 
---
 drivers/infiniband/hw/i40iw/i40iw_cm.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c 
b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 206cfb0016f8..ad9b4f235e30 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -3256,9 +3256,21 @@ void i40iw_setup_cm_core(struct i40iw_device *iwdev)
 
cm_core->event_wq = alloc_ordered_workqueue("iwewq",
WQ_MEM_RECLAIM);
+   if (!cm_core->event_wq) {
+   i40iw_debug(cm_core->dev,
+   I40IW_DEBUG_CM,
+   "%s allocate event work queue failed\n",
+   __func__);
+   }
 
cm_core->disconn_wq = alloc_ordered_workqueue("iwdwq",
  WQ_MEM_RECLAIM);
+   if (!cm_core->disconn_wq) {
+   i40iw_debug(cm_core->dev,
+   I40IW_DEBUG_CM,
+   "%s allocate disconnect work queue failed\n",
+   __func__);
+   }
 }
 
 /**
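Review bot: Both added checks only log through `i40iw_debug` and then fall through, so a NULL `cm_core->event_wq` or `cm_core->disconn_wq` is still left in place for later users, and the dereference the description refers to is not prevented. Because i40iw_setup_cm_core returns void here, the failure cannot reach the caller. The function would need to return an error such as `-ENOMEM` that the caller checks, and to release the first workqueue when the second allocation fails. The function body starts outside the hunk.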
-- 
2.17.1



[PATCH] infiniband: cxgb4: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
get_skb may fail and return NULL. The fix returns "ENOMEM"
when it fails to avoid NULL dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/infiniband/hw/cxgb4/cm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 8221813219e5..502a54d57e2c 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -1919,6 +1919,9 @@ static int send_fw_act_open_req(struct c4iw_ep *ep, 
unsigned int atid)
int win;
 
skb = get_skb(NULL, sizeof(*req), GFP_KERNEL);
+   if (!skb)
+   return -ENOMEM;
+
req = __skb_put_zero(skb, sizeof(*req));
req->op_compl = htonl(WR_OP_V(FW_OFLD_CONNECTION_WR));
req->len16_pkd = htonl(FW_WR_LEN16_V(DIV_ROUND_UP(sizeof(*req), 16)));
-- 
2.17.1



[PATCH] iio: hmc: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
devm_regmap_init_i2c may fail and return NULL. The fix returns
the error when it fails.

Signed-off-by: Kangjie Lu 
---
 drivers/iio/magnetometer/hmc5843_i2c.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/magnetometer/hmc5843_i2c.c 
b/drivers/iio/magnetometer/hmc5843_i2c.c
index 3de7f4426ac4..c0cd0823f8d5 100644
--- a/drivers/iio/magnetometer/hmc5843_i2c.c
+++ b/drivers/iio/magnetometer/hmc5843_i2c.c
@@ -58,8 +58,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config 
= {
 static int hmc5843_i2c_probe(struct i2c_client *cli,
 const struct i2c_device_id *id)
 {
+   struct regmap *devm_regmap = devm_regmap_init_i2c(cli,
+   _i2c_regmap_config);
+   if (IS_ERR(devm_regmap))
+   return PTR_ERR(devm_regmap);
+
return hmc5843_common_probe(>dev,
-   devm_regmap_init_i2c(cli, _i2c_regmap_config),
+   devm_regmap,
id->driver_data, id->name);
 }
 
-- 
2.17.1



[PATCH] iio: adc: fix a potential NULL pointer dereference

2019-03-08 Thread Kangjie Lu
devm_iio_trigger_alloc may fail and return NULL. The fix returns
ENOMEM when it fails.

Signed-off-by: Kangjie Lu 
---
 drivers/iio/adc/mxs-lradc-adc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/iio/adc/mxs-lradc-adc.c b/drivers/iio/adc/mxs-lradc-adc.c
index c627513d9f0f..5384472b6c4d 100644
--- a/drivers/iio/adc/mxs-lradc-adc.c
+++ b/drivers/iio/adc/mxs-lradc-adc.c
@@ -465,6 +465,8 @@ static int mxs_lradc_adc_trigger_init(struct iio_dev *iio)
 
trig = devm_iio_trigger_alloc(>dev, "%s-dev%i", iio->name,
  iio->id);
+   if (!trig)
+   return -ENOMEM;
 
trig->dev.parent = adc->dev;
iio_trigger_set_drvdata(trig, iio);
-- 
2.17.1



[PATCH] iio: max9611: fix a NULL pointer dereference

2019-03-08 Thread Kangjie Lu
of_match_device may return NULL when it fails, and in this case,
there will be a NULL pointer dereference. The fix returns
EINVAL when of_match_device returns NULL.

Signed-off-by: Kangjie Lu 
---
 drivers/iio/adc/max9611.c | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/iio/adc/max9611.c b/drivers/iio/adc/max9611.c
index 917223d5ff5b..531b6614ea29 100644
--- a/drivers/iio/adc/max9611.c
+++ b/drivers/iio/adc/max9611.c
@@ -524,13 +524,16 @@ static int max9611_probe(struct i2c_client *client,
 {
const char * const shunt_res_prop = "shunt-resistor-micro-ohms";
const struct device_node *of_node = client->dev.of_node;
-   const struct of_device_id *of_id =
-   of_match_device(max9611_of_table, >dev);
+   const struct of_device_id *of_id;
struct max9611_dev *max9611;
struct iio_dev *indio_dev;
unsigned int of_shunt;
int ret;
 
+   of_id = of_match_device(max9611_of_table, >dev);
+   if (!of_id)
+   return -EINVAL;
+
indio_dev = devm_iio_device_alloc(>dev, sizeof(*max9611));
if (!indio_dev)
return -ENOMEM;
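Review bot: `return -EINVAL` for a failed of_match_device() reports a bad argument where probe paths conventionally use `-ENODEV` for "no matching device"; `if (!of_id) return -ENODEV;` would be the more usual form. The check also makes probe fail on any binding path that has no device-tree match, for example an I2C id-table match. If the driver is meant to bind that way, the lookup should be optional instead. The place where `of_id` is dereferenced is outside this hunk.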
-- 
2.17.1



[PATCH] hid: logitech: check the return value of create_singlethread_workqueue

2019-03-08 Thread Kangjie Lu
create_singlethread_workqueue may fail and return NULL. The fix
checks if it is NULL to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/hid/hid-logitech-hidpp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 15ed6177a7a3..efbc39b92aa2 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -2156,6 +2156,9 @@ static int hidpp_ff_init(struct hidpp_device *hidpp, u8 
feature_index)
 
/* init the hardware command queue */
data->wq = create_singlethread_workqueue("hidpp-ff-sendqueue");
+   if (!data->wq)
+   return -ENOMEM;
+
atomic_set(>workqueue_size, 0);
 
/* initialize with zero autocenter to get wheel in usable state */
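Review bot: The new `return -ENOMEM` leaves hidpp_ff_init() without releasing `data`, which is already in use at this point and was presumably allocated earlier in the function (not visible in this hunk). If so, the error path should free it and anything it owns before returning, e.g. `kfree(data);` ahead of the `return`, or jump to an existing cleanup label. The start of the function is outside the hunk, so the exact set of allocations to undo has to be confirmed there.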
-- 
2.17.1



[PATCH] drm: vkms: check status of alloc_ordered_workqueue

2019-03-08 Thread Kangjie Lu
alloc_ordered_workqueue may fail and return NULL.
The fix returns ENOMEM when it fails to avoid potential NULL
pointer dereference.

Signed-off-by: Kangjie Lu 
---
 drivers/gpu/drm/vkms/vkms_crtc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/vkms/vkms_crtc.c b/drivers/gpu/drm/vkms/vkms_crtc.c
index 8a9aeb0a9ea8..bb66dbcd5e3f 100644
--- a/drivers/gpu/drm/vkms/vkms_crtc.c
+++ b/drivers/gpu/drm/vkms/vkms_crtc.c
@@ -219,6 +219,8 @@ int vkms_crtc_init(struct drm_device *dev, struct drm_crtc 
*crtc,
spin_lock_init(_out->state_lock);
 
vkms_out->crc_workq = alloc_ordered_workqueue("vkms_crc_workq", 0);
+   if (!vkms_out->crc_workq)
+   return -ENOMEM;
 
return ret;
 }
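Review bot: The early `return -ENOMEM` sits one line above the function's own `return ret;` and leaves in place whatever vkms_crtc_init() set up before this point, which is outside the hunk. If the earlier steps initialise or register the CRTC, the failure path should undo that, or the caller must be known to clean up on a non-zero return. For the exit itself, `ret = -ENOMEM;` inside the `if` would fall through to the existing return and keep a single exit point.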
-- 
2.17.1



[PATCH] drm: check if alloc_workqueue fails

2019-03-08 Thread Kangjie Lu
alloc_workqueue may fail. The fix checks its status. We probably
need to add a return value for radeon_crtc_init, so that we can
pass an error code upstream.

Signed-off-by: Kangjie Lu 
---
 drivers/gpu/drm/radeon/radeon_display.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_display.c 
b/drivers/gpu/drm/radeon/radeon_display.c
index aa898c699101..16f95bde8c2e 100644
--- a/drivers/gpu/drm/radeon/radeon_display.c
+++ b/drivers/gpu/drm/radeon/radeon_display.c
@@ -678,6 +678,8 @@ static void radeon_crtc_init(struct drm_device *dev, int 
index)
drm_mode_crtc_set_gamma_size(_crtc->base, 256);
radeon_crtc->crtc_id = index;
radeon_crtc->flip_queue = alloc_workqueue("radeon-crtc", WQ_HIGHPRI, 0);
+   if (!radeon_crtc->flip_queue)
+   DRM_ERROR("failed to allocate the flip queue\n");
rdev->mode_info.crtcs[index] = radeon_crtc;
 
if (rdev->family >= CHIP_BONAIRE) {
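Review bot: The check only logs. After `DRM_ERROR(...)` the function carries on, stores the CRTC in `rdev->mode_info.crtcs[index]` and leaves `radeon_crtc->flip_queue` NULL, so a later use of the flip queue still dereferences NULL. Because radeon_crtc_init() returns void, the failure cannot reach the caller, as the description itself notes. Until the signature is changed, either the users of `flip_queue` need a NULL check or the CRTC should not be registered when the allocation fails.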
-- 
2.17.1



[PATCH] gpu: i915: fix a missing check of get_free_page

2019-03-08 Thread Kangjie Lu
If the allocation fails, return false to avoid potential
NULL pointer dereference

Signed-off-by: Kangjie Lu 
---
 drivers/gpu/drm/i915/i915_gpu_error.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/i915_gpu_error.c 
b/drivers/gpu/drm/i915/i915_gpu_error.c
index 9a65341fec09..ad54fc3551df 100644
--- a/drivers/gpu/drm/i915/i915_gpu_error.c
+++ b/drivers/gpu/drm/i915/i915_gpu_error.c
@@ -227,8 +227,11 @@ static bool compress_init(struct compress *c)
}
 
c->tmp = NULL;
-   if (i915_has_memcpy_from_wc())
+   if (i915_has_memcpy_from_wc()) {
c->tmp = (void *)__get_free_page(GFP_ATOMIC | __GFP_NOWARN);
+   if (!c->tmp)
+   return false;
+   }
 
return true;
 }
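Review bot: Returning `false` here turns what looks like an optional allocation into a hard failure. `c->tmp` is preset to NULL and the page is requested with `GFP_ATOMIC | __GFP_NOWARN`, which suggests the users of `c->tmp` (outside this hunk) already cope with NULL. If they do, this check removes a working fallback and error capture would be dropped under memory pressure. The new return also comes after the setup that ends at the `}` on the first context line, so anything acquired there would need to be released before returning.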
-- 
2.17.1



[PATCH] gpu: amdkfd: fix a missing check of kmemdup

2019-03-08 Thread Kangjie Lu
kmemdup could fail and return NULL. To avoid a NULL pointer
dereference, the fix checks its return value and returns
ENOMEM upon failure.

Signed-off-by: Kangjie Lu 
---
 drivers/gpu/drm/amd/amdkfd/kfd_crat.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c 
b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
index 2e7c44955f43..7ef62d4e7598 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_crat.c
@@ -404,6 +404,9 @@ static int kfd_parse_subtype_iolink(struct 
crat_subtype_iolink *iolink,
return -ENODEV;
/* same everything but the other direction */
props2 = kmemdup(props, sizeof(*props2), GFP_KERNEL);
+   if (!props2)
+   return -ENOMEM;
+
props2->node_from = id_to;
props2->node_to = id_from;
props2->kobj = NULL;
-- 
2.17.1



[PATCH] gpio: add a check for the return value of ida_simple_get fails

2019-03-08 Thread Kangjie Lu
ida_simple_get may fail and return a negative error number.
The fix checks its return value; if it fails, go to err_destroy.

Signed-off-by: Kangjie Lu 
---
 drivers/gpio/gpio-exar.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpio/gpio-exar.c b/drivers/gpio/gpio-exar.c
index 0ecd2369c2ca..a09d2f9ebacc 100644
--- a/drivers/gpio/gpio-exar.c
+++ b/drivers/gpio/gpio-exar.c
@@ -148,6 +148,8 @@ static int gpio_exar_probe(struct platform_device *pdev)
mutex_init(_gpio->lock);
 
index = ida_simple_get(_index, 0, 0, GFP_KERNEL);
+   if (index < 0)
+   goto err_destroy;
 
sprintf(exar_gpio->name, "exar_gpio%d", index);
exar_gpio->gpio_chip.label = exar_gpio->name;
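Review bot: `goto err_destroy` is taken without storing the error, so the function returns whatever its return variable holds at that point rather than the negative value from ida_simple_get(). Something like `ret = index;` before the `goto` is needed (the variable name is assumed, since the declarations are outside the hunk). The `err_destroy` label is not visible either. If it releases the IDA index, it would be handed a negative `index` on this path, and a separate label that skips that step would be required.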
-- 
2.17.1



[PATCH] firmware: arm_scmi: check return value of idr_find

2019-03-08 Thread Kangjie Lu
idr_find may return NULL, so check its return value and return an
error code.

Signed-off-by: Kangjie Lu 
---
 drivers/firmware/arm_scmi/driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firmware/arm_scmi/driver.c 
b/drivers/firmware/arm_scmi/driver.c
index 8f952f2f1a29..35faa203d549 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -709,6 +709,8 @@ scmi_mbox_chan_setup(struct scmi_info *info, struct device 
*dev, int prot_id)
 
if (scmi_mailbox_check(np)) {
cinfo = idr_find(>tx_idr, SCMI_PROTOCOL_BASE);
+   if (!cinfo)
+   return -EINVAL;
goto idr_alloc;
}
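Review bot: The new `return -EINVAL` has no comment saying when the lookup can come back empty, and it is not obvious to a reader why a protocol without its own mailbox may also lack the base channel. A one-line comment above the check, such as `/* no SCMI_PROTOCOL_BASE channel registered to fall back on */`, would document the case. The surrounding function and the `idr_alloc` label are outside this hunk.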
 
-- 
2.17.1



[PATCH] char: hpet: fix a missing check of ioremap

2019-03-08 Thread Kangjie Lu
Check if ioremap fails, and if so, return AE_ERROR.

Signed-off-by: Kangjie Lu 
---
 drivers/char/hpet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
index d0ad85900b79..3a1e6b3ccd10 100644
--- a/drivers/char/hpet.c
+++ b/drivers/char/hpet.c
@@ -973,6 +973,8 @@ static acpi_status hpet_resources(struct acpi_resource 
*res, void *data)
if (ACPI_SUCCESS(status)) {
hdp->hd_phys_address = addr.address.minimum;
hdp->hd_address = ioremap(addr.address.minimum, 
addr.address.address_length);
+   if (!hdp->hd_address)
+   return AE_ERROR;
 
if (hpet_is_known(hdp)) {
iounmap(hdp->hd_address);
-- 
2.17.1



[PATCH] net: ixgbevf: fix a missing check of ixgbevf_write_msg_read_ack

2019-03-08 Thread Kangjie Lu
If ixgbevf_write_msg_read_ack fails, return its error code upstream

Signed-off-by: Kangjie Lu 
---
 drivers/net/ethernet/intel/ixgbevf/vf.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/intel/ixgbevf/vf.c 
b/drivers/net/ethernet/intel/ixgbevf/vf.c
index cd3b81300cc7..d5ce49636548 100644
--- a/drivers/net/ethernet/intel/ixgbevf/vf.c
+++ b/drivers/net/ethernet/intel/ixgbevf/vf.c
@@ -508,9 +508,8 @@ static s32 ixgbevf_update_mc_addr_list_vf(struct ixgbe_hw 
*hw,
vector_list[i++] = ixgbevf_mta_vector(hw, ha->addr);
}
 
-   ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf, IXGBE_VFMAILBOX_SIZE);
-
-   return 0;
+   return ixgbevf_write_msg_read_ack(hw, msgbuf, msgbuf,
+   IXGBE_VFMAILBOX_SIZE);
 }
 
 /**
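Review bot: Returning the result of ixgbevf_write_msg_read_ack() changes the contract of ixgbevf_update_mc_addr_list_vf(): callers that always received 0 can now see a mailbox error, and none of them is visible in this hunk. The call sites should be checked so that a failure is either handled or deliberately ignored. The function's header comment is also outside the hunk. If it documents the return value as always 0, it needs updating to say that mailbox errors are passed through.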
-- 
2.17.1



Re: [PATCH] isdn: mISDN: Fix potential NULL pointer dereference of kzalloc

2019-03-02 Thread Kangjie Lu



On 3/2/19 3:26 PM, Gustavo A. R. Silva wrote:


On 3/2/19 3:20 PM, Aditya Pakki wrote:

Allocating memory via kzalloc for phi may fail and cause a
NULL pointer dereference. This patch avoids such a scenario.


Was this detected by Coccinelle?



It was detected by an LLVM-based static analyzer we recently developed.




If so, please mention it in the commit log.

Thanks
--
Gustavo


Signed-off-by: Aditya Pakki 
---
  drivers/isdn/hardware/mISDN/hfcsusb.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c 
b/drivers/isdn/hardware/mISDN/hfcsusb.c
index 124ff530da82..26e3182bbca8 100644
--- a/drivers/isdn/hardware/mISDN/hfcsusb.c
+++ b/drivers/isdn/hardware/mISDN/hfcsusb.c
@@ -263,6 +263,9 @@ hfcsusb_ph_info(struct hfcsusb *hw)
int i;
  
  	phi = kzalloc(struct_size(phi, bch, dch->dev.nrbchan), GFP_ATOMIC);

+   if (!phi)
+   return;
+
phi->dch.ch.protocol = hw->protocol;
phi->dch.ch.Flags = dch->Flags;
phi->dch.state = dch->state;



[tip:sched/core] sched/core: Fix a potential double-fetch bug in sched_copy_attr()

2019-01-21 Thread tip-bot for Kangjie Lu
Commit-ID:  120e4e76857ddbc9268e1aa3f9de61a498e84618
Gitweb: https://git.kernel.org/tip/120e4e76857ddbc9268e1aa3f9de61a498e84618
Author: Kangjie Lu 
AuthorDate: Wed, 9 Jan 2019 01:45:24 -0600
Committer:  Ingo Molnar 
CommitDate: Mon, 21 Jan 2019 11:26:17 +0100

sched/core: Fix a potential double-fetch bug in sched_copy_attr()

"uattr->size" is copied in from user space and checked. However, it is
copied in again after the security check. A malicious user may race to
change it. The fix sets uattr->size to be the checked size.

Signed-off-by: Kangjie Lu 
Signed-off-by: Peter Zijlstra (Intel) 
Cc: Linus Torvalds 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: pakki...@umn.edu
Cc: 
Link: https://lkml.kernel.org/r/20190109074524.10176-1-k...@umn.edu
Signed-off-by: Ingo Molnar 
---
 kernel/sched/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index a674c7db2f29..d4d3514c4fe9 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -4499,6 +4499,9 @@ static int sched_copy_attr(struct sched_attr __user 
*uattr, struct sched_attr *a
if (ret)
return -EFAULT;
 
+   /* In case attr->size was changed by user-space: */
+   attr->size = size;
+
/*
 * XXX: Do we want to be lenient like existing syscalls; or do we want
 * to be strict and return an error on out-of-bounds values?


[PATCH v2] target: fix a missing check of match_int

2019-01-11 Thread Kangjie Lu
When match_int fails, "arg" is left uninitialized and may contain a random
value, and thus should not be used.
The fix checks if match_int fails, and if so, returns its error code.

Signed-off-by: Kangjie Lu 
---
 drivers/target/target_core_rd.c | 15 +--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/target/target_core_rd.c b/drivers/target/target_core_rd.c
index a6e8106abd6f..3b7657b2f2f1 100644
--- a/drivers/target/target_core_rd.c
+++ b/drivers/target/target_core_rd.c
@@ -559,6 +559,7 @@ static ssize_t rd_set_configfs_dev_params(struct se_device 
*dev,
char *orig, *ptr, *opts;
substring_t args[MAX_OPT_ARGS];
int arg, token;
+   int ret;
 
opts = kstrdup(page, GFP_KERNEL);
if (!opts)
@@ -573,14 +574,24 @@ static ssize_t rd_set_configfs_dev_params(struct 
se_device *dev,
token = match_token(ptr, tokens, args);
switch (token) {
case Opt_rd_pages:
-   match_int(args, );
+   ret = match_int(args, );
+   if (ret) {
+   kfree(orig);
+   return ret;
+   }
+
rd_dev->rd_page_count = arg;
pr_debug("RAMDISK: Referencing Page"
" Count: %u\n", rd_dev->rd_page_count);
rd_dev->rd_flags |= RDF_HAS_PAGE_COUNT;
break;
case Opt_rd_nullio:
-   match_int(args, );
+   ret = match_int(args, );
+   if (ret) {
+   kfree(orig);
+   return ret;
+   }
+
if (arg != 1)
break;
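Review bot: A value that parses successfully is still stored unchecked in the `Opt_rd_pages` case. `rd_dev->rd_page_count = arg;` takes a signed `int` that comes from configfs input, and the `pr_debug` that follows prints the field with `%u`, so a negative count would be accepted as a very large one unless it is rejected later outside this hunk. A range check before the assignment, `if (arg <= 0) { kfree(orig); return -EINVAL; }`, would close that. The two identical `kfree(orig); return ret;` blocks could also share the function's existing exit path, which is not visible here.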
 
-- 
2.17.2 (Apple Git-113)


