Re: [PATCH v2] staging: vt6655: check for memory allocation failures

[ji-hun Kim]

2018-03-29 17:00 GMT+09:00 Jia-Ju Bai :
>
>
>
> On 2018/3/29 15:22, Ji-Hun Kim wrote:
>>
>> There are no null pointer checking on rd_info and td_info values which
>> are allocated by kzalloc. It has potential null pointer dereferencing
>> issues. Add return when allocation is failed.
>>
>> Signed-off-by: Ji-Hun Kim 
>> ---
>>
>> Change: since v1:
>>
>> - Delete WARN_ON which can makes crashes on some machines.
>> - Instead of return directly, goto freeing function for freeing previously
>>allocated memory in the for loop after kzalloc() failed.
>> - In the freeing function, if td_info and rd_info are not allocated, no
>>needs to free.
>>
>>   drivers/staging/vt6655/device_main.c | 64 
>> +---
>>   1 file changed, 44 insertions(+), 20 deletions(-)
>>
>> diff --git a/drivers/staging/vt6655/device_main.c 
>> b/drivers/staging/vt6655/device_main.c
>> index fbc4bc6..ecbba43 100644
>> --- a/drivers/staging/vt6655/device_main.c
>> +++ b/drivers/staging/vt6655/device_main.c
>> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private 
>> *priv)
>>  i ++, curr += sizeof(struct vnt_rx_desc)) {
>> desc = >aRD0Ring[i];
>> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
>> -
>> +   if (!desc->rd_info)
>> +   goto error;
>> if (!device_alloc_rx_buf(priv, desc))
>> dev_err(>pcid->dev, "can not alloc rx bufs\n");
>>   @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private 
>> *priv)
>> if (i > 0)
>> priv->aRD0Ring[i-1].next_desc = 
>> cpu_to_le32(priv->rd0_pool_dma);
>> priv->pCurrRD[0] = >aRD0Ring[0];
>> +
>> +   return;
>> +error:
>> +   device_free_rd0_ring(priv);
>>   }
>>
>
>
> I think you should return an error number here, because 
> device_init_rd0_ring() is called by vnt_start().
> You should also implement error handling code in vnt_start(), and let 
> vnt_start() returns an error number too.
> The same for device_init_rd1_ring(), device_init_td0_ring() and 
> device_init_td1_ring().
>

Hi Jia-Ju, Thanks for the feedback. All right, those function looks
that needs returns
an error number. I will implement error handling code and send a patch
v3 tomorrow

Best regards,
Ji-Hun

Re: [PATCH v2] staging: vt6655: check for memory allocation failures

[ji-hun Kim]

2018-03-29 17:00 GMT+09:00 Jia-Ju Bai :
>
>
>
> On 2018/3/29 15:22, Ji-Hun Kim wrote:
>>
>> There are no null pointer checking on rd_info and td_info values which
>> are allocated by kzalloc. It has potential null pointer dereferencing
>> issues. Add return when allocation is failed.
>>
>> Signed-off-by: Ji-Hun Kim 
>> ---
>>
>> Change: since v1:
>>
>> - Delete WARN_ON which can makes crashes on some machines.
>> - Instead of return directly, goto freeing function for freeing previously
>>allocated memory in the for loop after kzalloc() failed.
>> - In the freeing function, if td_info and rd_info are not allocated, no
>>needs to free.
>>
>>   drivers/staging/vt6655/device_main.c | 64 
>> +---
>>   1 file changed, 44 insertions(+), 20 deletions(-)
>>
>> diff --git a/drivers/staging/vt6655/device_main.c 
>> b/drivers/staging/vt6655/device_main.c
>> index fbc4bc6..ecbba43 100644
>> --- a/drivers/staging/vt6655/device_main.c
>> +++ b/drivers/staging/vt6655/device_main.c
>> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private 
>> *priv)
>>  i ++, curr += sizeof(struct vnt_rx_desc)) {
>> desc = >aRD0Ring[i];
>> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
>> -
>> +   if (!desc->rd_info)
>> +   goto error;
>> if (!device_alloc_rx_buf(priv, desc))
>> dev_err(>pcid->dev, "can not alloc rx bufs\n");
>>   @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private 
>> *priv)
>> if (i > 0)
>> priv->aRD0Ring[i-1].next_desc = 
>> cpu_to_le32(priv->rd0_pool_dma);
>> priv->pCurrRD[0] = >aRD0Ring[0];
>> +
>> +   return;
>> +error:
>> +   device_free_rd0_ring(priv);
>>   }
>>
>
>
> I think you should return an error number here, because 
> device_init_rd0_ring() is called by vnt_start().
> You should also implement error handling code in vnt_start(), and let 
> vnt_start() returns an error number too.
> The same for device_init_rd1_ring(), device_init_td0_ring() and 
> device_init_td1_ring().
>

Hi Jia-Ju, Thanks for the feedback. All right, those function looks
that needs returns
an error number. I will implement error handling code and send a patch
v3 tomorrow

Best regards,
Ji-Hun

Re: [PATCH v2] staging: vt6655: check for memory allocation failures

[Jia-Ju Bai]

On 2018/3/29 15:22, Ji-Hun Kim wrote:

There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.

Signed-off-by: Ji-Hun Kim 
---

Change: since v1:

- Delete WARN_ON which can makes crashes on some machines.
- Instead of return directly, goto freeing function for freeing previously
   allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated, no
   needs to free.

  drivers/staging/vt6655/device_main.c | 64 +---
  1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/staging/vt6655/device_main.c 
b/drivers/staging/vt6655/device_main.c
index fbc4bc6..ecbba43 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
  
@@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv)

if (i > 0)
priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma);
priv->pCurrRD[0] = >aRD0Ring[0];
+
+   return;
+error:
+   device_free_rd0_ring(priv);
  }
  


I think you should return an error number here, because 
device_init_rd0_ring() is called by vnt_start().
You should also implement error handling code in vnt_start(), and let 
vnt_start() returns an error number too.
The same for device_init_rd1_ring(), device_init_td0_ring() and 
device_init_td1_ring().



Best wishes,
Jia-Ju Bai

Re: [PATCH v2] staging: vt6655: check for memory allocation failures

[Jia-Ju Bai]

On 2018/3/29 15:22, Ji-Hun Kim wrote:

There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.

Signed-off-by: Ji-Hun Kim 
---

Change: since v1:

- Delete WARN_ON which can makes crashes on some machines.
- Instead of return directly, goto freeing function for freeing previously
   allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated, no
   needs to free.

  drivers/staging/vt6655/device_main.c | 64 +---
  1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/staging/vt6655/device_main.c 
b/drivers/staging/vt6655/device_main.c
index fbc4bc6..ecbba43 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
  
@@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv)

if (i > 0)
priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma);
priv->pCurrRD[0] = >aRD0Ring[0];
+
+   return;
+error:
+   device_free_rd0_ring(priv);
  }
  


I think you should return an error number here, because 
device_init_rd0_ring() is called by vnt_start().
You should also implement error handling code in vnt_start(), and let 
vnt_start() returns an error number too.
The same for device_init_rd1_ring(), device_init_td0_ring() and 
device_init_td1_ring().



Best wishes,
Jia-Ju Bai

[PATCH v2] staging: vt6655: check for memory allocation failures

[Ji-Hun Kim]

There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.

Signed-off-by: Ji-Hun Kim 
---

Change: since v1:

- Delete WARN_ON which can makes crashes on some machines.
- Instead of return directly, goto freeing function for freeing previously
  allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated, no
  needs to free.

 drivers/staging/vt6655/device_main.c | 64 +---
 1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/staging/vt6655/device_main.c 
b/drivers/staging/vt6655/device_main.c
index fbc4bc6..ecbba43 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
 
@@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv)
if (i > 0)
priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma);
priv->pCurrRD[0] = >aRD0Ring[0];
+
+   return;
+error:
+   device_free_rd0_ring(priv);
 }
 
 static void device_init_rd1_ring(struct vnt_private *priv)
@@ -563,7 +568,8 @@ static void device_init_rd1_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD1Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
 
@@ -574,6 +580,10 @@ static void device_init_rd1_ring(struct vnt_private *priv)
if (i > 0)
priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma);
priv->pCurrRD[1] = >aRD1Ring[0];
+
+   return;
+error:
+   device_free_rd1_ring(priv);
 }
 
 static void device_free_rd0_ring(struct vnt_private *priv)
@@ -584,12 +594,12 @@ static void device_free_rd0_ring(struct vnt_private *priv)
struct vnt_rx_desc *desc = >aRD0Ring[i];
struct vnt_rd_info *rd_info = desc->rd_info;
 
-   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
-priv->rx_buf_sz, DMA_FROM_DEVICE);
-
-   dev_kfree_skb(rd_info->skb);
-
-   kfree(desc->rd_info);
+   if (rd_info) {
+   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
+   priv->rx_buf_sz, DMA_FROM_DEVICE);
+   dev_kfree_skb(rd_info->skb);
+   kfree(desc->rd_info);
+   }
}
 }
 
@@ -601,12 +611,12 @@ static void device_free_rd1_ring(struct vnt_private *priv)
struct vnt_rx_desc *desc = >aRD1Ring[i];
struct vnt_rd_info *rd_info = desc->rd_info;
 
-   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
-priv->rx_buf_sz, DMA_FROM_DEVICE);
-
-   dev_kfree_skb(rd_info->skb);
-
-   kfree(desc->rd_info);
+   if (rd_info) {
+   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
+   priv->rx_buf_sz, DMA_FROM_DEVICE);
+   dev_kfree_skb(rd_info->skb);
+   kfree(desc->rd_info);
+   }
}
 }
 
@@ -621,7 +631,8 @@ static void device_init_td0_ring(struct vnt_private *priv)
 i++, curr += sizeof(struct vnt_tx_desc)) {
desc = >apTD0Rings[i];
desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
-
+   if (!desc->td_info)
+   goto error;
desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ;
desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ;
 
@@ -632,6 +643,10 @@ static void device_init_td0_ring(struct vnt_private *priv)
if (i > 0)
priv->apTD0Rings[i-1].next_desc = 
cpu_to_le32(priv->td0_pool_dma);
priv->apTailTD[0] = priv->apCurrTD[0] = >apTD0Rings[0];
+
+   return;
+error:
+   device_free_td0_ring(priv);
 }
 
 static void device_init_td1_ring(struct vnt_private *priv)
@@ -646,7 +661,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
 i++, curr += sizeof(struct vnt_tx_desc)) {
desc = >apTD1Rings[i];
desc->td_info = 

[PATCH v2] staging: vt6655: check for memory allocation failures

[Ji-Hun Kim]

There are no null pointer checking on rd_info and td_info values which
are allocated by kzalloc. It has potential null pointer dereferencing
issues. Add return when allocation is failed.

Signed-off-by: Ji-Hun Kim 
---

Change: since v1:

- Delete WARN_ON which can makes crashes on some machines.
- Instead of return directly, goto freeing function for freeing previously
  allocated memory in the for loop after kzalloc() failed.
- In the freeing function, if td_info and rd_info are not allocated, no
  needs to free.

 drivers/staging/vt6655/device_main.c | 64 +---
 1 file changed, 44 insertions(+), 20 deletions(-)

diff --git a/drivers/staging/vt6655/device_main.c 
b/drivers/staging/vt6655/device_main.c
index fbc4bc6..ecbba43 100644
--- a/drivers/staging/vt6655/device_main.c
+++ b/drivers/staging/vt6655/device_main.c
@@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD0Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
 
@@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv)
if (i > 0)
priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma);
priv->pCurrRD[0] = >aRD0Ring[0];
+
+   return;
+error:
+   device_free_rd0_ring(priv);
 }
 
 static void device_init_rd1_ring(struct vnt_private *priv)
@@ -563,7 +568,8 @@ static void device_init_rd1_ring(struct vnt_private *priv)
 i ++, curr += sizeof(struct vnt_rx_desc)) {
desc = >aRD1Ring[i];
desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL);
-
+   if (!desc->rd_info)
+   goto error;
if (!device_alloc_rx_buf(priv, desc))
dev_err(>pcid->dev, "can not alloc rx bufs\n");
 
@@ -574,6 +580,10 @@ static void device_init_rd1_ring(struct vnt_private *priv)
if (i > 0)
priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma);
priv->pCurrRD[1] = >aRD1Ring[0];
+
+   return;
+error:
+   device_free_rd1_ring(priv);
 }
 
 static void device_free_rd0_ring(struct vnt_private *priv)
@@ -584,12 +594,12 @@ static void device_free_rd0_ring(struct vnt_private *priv)
struct vnt_rx_desc *desc = >aRD0Ring[i];
struct vnt_rd_info *rd_info = desc->rd_info;
 
-   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
-priv->rx_buf_sz, DMA_FROM_DEVICE);
-
-   dev_kfree_skb(rd_info->skb);
-
-   kfree(desc->rd_info);
+   if (rd_info) {
+   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
+   priv->rx_buf_sz, DMA_FROM_DEVICE);
+   dev_kfree_skb(rd_info->skb);
+   kfree(desc->rd_info);
+   }
}
 }
 
@@ -601,12 +611,12 @@ static void device_free_rd1_ring(struct vnt_private *priv)
struct vnt_rx_desc *desc = >aRD1Ring[i];
struct vnt_rd_info *rd_info = desc->rd_info;
 
-   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
-priv->rx_buf_sz, DMA_FROM_DEVICE);
-
-   dev_kfree_skb(rd_info->skb);
-
-   kfree(desc->rd_info);
+   if (rd_info) {
+   dma_unmap_single(>pcid->dev, rd_info->skb_dma,
+   priv->rx_buf_sz, DMA_FROM_DEVICE);
+   dev_kfree_skb(rd_info->skb);
+   kfree(desc->rd_info);
+   }
}
 }
 
@@ -621,7 +631,8 @@ static void device_init_td0_ring(struct vnt_private *priv)
 i++, curr += sizeof(struct vnt_tx_desc)) {
desc = >apTD0Rings[i];
desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL);
-
+   if (!desc->td_info)
+   goto error;
desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ;
desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ;
 
@@ -632,6 +643,10 @@ static void device_init_td0_ring(struct vnt_private *priv)
if (i > 0)
priv->apTD0Rings[i-1].next_desc = 
cpu_to_le32(priv->td0_pool_dma);
priv->apTailTD[0] = priv->apCurrTD[0] = >apTD0Rings[0];
+
+   return;
+error:
+   device_free_td0_ring(priv);
 }
 
 static void device_init_td1_ring(struct vnt_private *priv)
@@ -646,7 +661,8 @@ static void device_init_td1_ring(struct vnt_private *priv)
 i++, curr += sizeof(struct vnt_tx_desc)) {
desc = >apTD1Rings[i];
desc->td_info =