Re: [PATCH v2] staging: vt6655: check for memory allocation failures
2018-03-29 17:00 GMT+09:00 Jia-Ju Bai: > > > > On 2018/3/29 15:22, Ji-Hun Kim wrote: >> >> There are no null pointer checking on rd_info and td_info values which >> are allocated by kzalloc. It has potential null pointer dereferencing >> issues. Add return when allocation is failed. >> >> Signed-off-by: Ji-Hun Kim >> --- >> >> Change: since v1: >> >> - Delete WARN_ON which can makes crashes on some machines. >> - Instead of return directly, goto freeing function for freeing previously >>allocated memory in the for loop after kzalloc() failed. >> - In the freeing function, if td_info and rd_info are not allocated, no >>needs to free. >> >> drivers/staging/vt6655/device_main.c | 64 >> +--- >> 1 file changed, 44 insertions(+), 20 deletions(-) >> >> diff --git a/drivers/staging/vt6655/device_main.c >> b/drivers/staging/vt6655/device_main.c >> index fbc4bc6..ecbba43 100644 >> --- a/drivers/staging/vt6655/device_main.c >> +++ b/drivers/staging/vt6655/device_main.c >> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private >> *priv) >> i ++, curr += sizeof(struct vnt_rx_desc)) { >> desc = >aRD0Ring[i]; >> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); >> - >> + if (!desc->rd_info) >> + goto error; >> if (!device_alloc_rx_buf(priv, desc)) >> dev_err(>pcid->dev, "can not alloc rx bufs\n"); >> @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private >> *priv) >> if (i > 0) >> priv->aRD0Ring[i-1].next_desc = >> cpu_to_le32(priv->rd0_pool_dma); >> priv->pCurrRD[0] = >aRD0Ring[0]; >> + >> + return; >> +error: >> + device_free_rd0_ring(priv); >> } >> > > > I think you should return an error number here, because > device_init_rd0_ring() is called by vnt_start(). > You should also implement error handling code in vnt_start(), and let > vnt_start() returns an error number too. > The same for device_init_rd1_ring(), device_init_td0_ring() and > device_init_td1_ring(). > Hi Jia-Ju, Thanks for the feedback. All right, those function looks that needs returns an error number. I will implement error handling code and send a patch v3 tomorrow Best regards, Ji-Hun
Re: [PATCH v2] staging: vt6655: check for memory allocation failures
2018-03-29 17:00 GMT+09:00 Jia-Ju Bai : > > > > On 2018/3/29 15:22, Ji-Hun Kim wrote: >> >> There are no null pointer checking on rd_info and td_info values which >> are allocated by kzalloc. It has potential null pointer dereferencing >> issues. Add return when allocation is failed. >> >> Signed-off-by: Ji-Hun Kim >> --- >> >> Change: since v1: >> >> - Delete WARN_ON which can makes crashes on some machines. >> - Instead of return directly, goto freeing function for freeing previously >>allocated memory in the for loop after kzalloc() failed. >> - In the freeing function, if td_info and rd_info are not allocated, no >>needs to free. >> >> drivers/staging/vt6655/device_main.c | 64 >> +--- >> 1 file changed, 44 insertions(+), 20 deletions(-) >> >> diff --git a/drivers/staging/vt6655/device_main.c >> b/drivers/staging/vt6655/device_main.c >> index fbc4bc6..ecbba43 100644 >> --- a/drivers/staging/vt6655/device_main.c >> +++ b/drivers/staging/vt6655/device_main.c >> @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private >> *priv) >> i ++, curr += sizeof(struct vnt_rx_desc)) { >> desc = >aRD0Ring[i]; >> desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); >> - >> + if (!desc->rd_info) >> + goto error; >> if (!device_alloc_rx_buf(priv, desc)) >> dev_err(>pcid->dev, "can not alloc rx bufs\n"); >> @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private >> *priv) >> if (i > 0) >> priv->aRD0Ring[i-1].next_desc = >> cpu_to_le32(priv->rd0_pool_dma); >> priv->pCurrRD[0] = >aRD0Ring[0]; >> + >> + return; >> +error: >> + device_free_rd0_ring(priv); >> } >> > > > I think you should return an error number here, because > device_init_rd0_ring() is called by vnt_start(). > You should also implement error handling code in vnt_start(), and let > vnt_start() returns an error number too. > The same for device_init_rd1_ring(), device_init_td0_ring() and > device_init_td1_ring(). > Hi Jia-Ju, Thanks for the feedback. All right, those function looks that needs returns an error number. I will implement error handling code and send a patch v3 tomorrow Best regards, Ji-Hun
Re: [PATCH v2] staging: vt6655: check for memory allocation failures
On 2018/3/29 15:22, Ji-Hun Kim wrote: There are no null pointer checking on rd_info and td_info values which are allocated by kzalloc. It has potential null pointer dereferencing issues. Add return when allocation is failed. Signed-off-by: Ji-Hun Kim--- Change: since v1: - Delete WARN_ON which can makes crashes on some machines. - Instead of return directly, goto freeing function for freeing previously allocated memory in the for loop after kzalloc() failed. - In the freeing function, if td_info and rd_info are not allocated, no needs to free. drivers/staging/vt6655/device_main.c | 64 +--- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c index fbc4bc6..ecbba43 100644 --- a/drivers/staging/vt6655/device_main.c +++ b/drivers/staging/vt6655/device_main.c @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD0Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv) if (i > 0) priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); priv->pCurrRD[0] = >aRD0Ring[0]; + + return; +error: + device_free_rd0_ring(priv); } I think you should return an error number here, because device_init_rd0_ring() is called by vnt_start(). You should also implement error handling code in vnt_start(), and let vnt_start() returns an error number too. The same for device_init_rd1_ring(), device_init_td0_ring() and device_init_td1_ring(). Best wishes, Jia-Ju Bai
Re: [PATCH v2] staging: vt6655: check for memory allocation failures
On 2018/3/29 15:22, Ji-Hun Kim wrote: There are no null pointer checking on rd_info and td_info values which are allocated by kzalloc. It has potential null pointer dereferencing issues. Add return when allocation is failed. Signed-off-by: Ji-Hun Kim --- Change: since v1: - Delete WARN_ON which can makes crashes on some machines. - Instead of return directly, goto freeing function for freeing previously allocated memory in the for loop after kzalloc() failed. - In the freeing function, if td_info and rd_info are not allocated, no needs to free. drivers/staging/vt6655/device_main.c | 64 +--- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c index fbc4bc6..ecbba43 100644 --- a/drivers/staging/vt6655/device_main.c +++ b/drivers/staging/vt6655/device_main.c @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD0Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv) if (i > 0) priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); priv->pCurrRD[0] = >aRD0Ring[0]; + + return; +error: + device_free_rd0_ring(priv); } I think you should return an error number here, because device_init_rd0_ring() is called by vnt_start(). You should also implement error handling code in vnt_start(), and let vnt_start() returns an error number too. The same for device_init_rd1_ring(), device_init_td0_ring() and device_init_td1_ring(). Best wishes, Jia-Ju Bai
[PATCH v2] staging: vt6655: check for memory allocation failures
There are no null pointer checking on rd_info and td_info values which are allocated by kzalloc. It has potential null pointer dereferencing issues. Add return when allocation is failed. Signed-off-by: Ji-Hun Kim--- Change: since v1: - Delete WARN_ON which can makes crashes on some machines. - Instead of return directly, goto freeing function for freeing previously allocated memory in the for loop after kzalloc() failed. - In the freeing function, if td_info and rd_info are not allocated, no needs to free. drivers/staging/vt6655/device_main.c | 64 +--- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c index fbc4bc6..ecbba43 100644 --- a/drivers/staging/vt6655/device_main.c +++ b/drivers/staging/vt6655/device_main.c @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD0Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv) if (i > 0) priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); priv->pCurrRD[0] = >aRD0Ring[0]; + + return; +error: + device_free_rd0_ring(priv); } static void device_init_rd1_ring(struct vnt_private *priv) @@ -563,7 +568,8 @@ static void device_init_rd1_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD1Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -574,6 +580,10 @@ static void device_init_rd1_ring(struct vnt_private *priv) if (i > 0) priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma); priv->pCurrRD[1] = >aRD1Ring[0]; + + return; +error: + device_free_rd1_ring(priv); } static void device_free_rd0_ring(struct vnt_private *priv) @@ -584,12 +594,12 @@ static void device_free_rd0_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = >aRD0Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(>pcid->dev, rd_info->skb_dma, -priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(>pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } @@ -601,12 +611,12 @@ static void device_free_rd1_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = >aRD1Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(>pcid->dev, rd_info->skb_dma, -priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(>pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } @@ -621,7 +631,8 @@ static void device_init_td0_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = >apTD0Rings[i]; desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); - + if (!desc->td_info) + goto error; desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ; desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ; @@ -632,6 +643,10 @@ static void device_init_td0_ring(struct vnt_private *priv) if (i > 0) priv->apTD0Rings[i-1].next_desc = cpu_to_le32(priv->td0_pool_dma); priv->apTailTD[0] = priv->apCurrTD[0] = >apTD0Rings[0]; + + return; +error: + device_free_td0_ring(priv); } static void device_init_td1_ring(struct vnt_private *priv) @@ -646,7 +661,8 @@ static void device_init_td1_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = >apTD1Rings[i]; desc->td_info =
[PATCH v2] staging: vt6655: check for memory allocation failures
There are no null pointer checking on rd_info and td_info values which are allocated by kzalloc. It has potential null pointer dereferencing issues. Add return when allocation is failed. Signed-off-by: Ji-Hun Kim --- Change: since v1: - Delete WARN_ON which can makes crashes on some machines. - Instead of return directly, goto freeing function for freeing previously allocated memory in the for loop after kzalloc() failed. - In the freeing function, if td_info and rd_info are not allocated, no needs to free. drivers/staging/vt6655/device_main.c | 64 +--- 1 file changed, 44 insertions(+), 20 deletions(-) diff --git a/drivers/staging/vt6655/device_main.c b/drivers/staging/vt6655/device_main.c index fbc4bc6..ecbba43 100644 --- a/drivers/staging/vt6655/device_main.c +++ b/drivers/staging/vt6655/device_main.c @@ -539,7 +539,8 @@ static void device_init_rd0_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD0Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -550,6 +551,10 @@ static void device_init_rd0_ring(struct vnt_private *priv) if (i > 0) priv->aRD0Ring[i-1].next_desc = cpu_to_le32(priv->rd0_pool_dma); priv->pCurrRD[0] = >aRD0Ring[0]; + + return; +error: + device_free_rd0_ring(priv); } static void device_init_rd1_ring(struct vnt_private *priv) @@ -563,7 +568,8 @@ static void device_init_rd1_ring(struct vnt_private *priv) i ++, curr += sizeof(struct vnt_rx_desc)) { desc = >aRD1Ring[i]; desc->rd_info = kzalloc(sizeof(*desc->rd_info), GFP_KERNEL); - + if (!desc->rd_info) + goto error; if (!device_alloc_rx_buf(priv, desc)) dev_err(>pcid->dev, "can not alloc rx bufs\n"); @@ -574,6 +580,10 @@ static void device_init_rd1_ring(struct vnt_private *priv) if (i > 0) priv->aRD1Ring[i-1].next_desc = cpu_to_le32(priv->rd1_pool_dma); priv->pCurrRD[1] = >aRD1Ring[0]; + + return; +error: + device_free_rd1_ring(priv); } static void device_free_rd0_ring(struct vnt_private *priv) @@ -584,12 +594,12 @@ static void device_free_rd0_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = >aRD0Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(>pcid->dev, rd_info->skb_dma, -priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(>pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } @@ -601,12 +611,12 @@ static void device_free_rd1_ring(struct vnt_private *priv) struct vnt_rx_desc *desc = >aRD1Ring[i]; struct vnt_rd_info *rd_info = desc->rd_info; - dma_unmap_single(>pcid->dev, rd_info->skb_dma, -priv->rx_buf_sz, DMA_FROM_DEVICE); - - dev_kfree_skb(rd_info->skb); - - kfree(desc->rd_info); + if (rd_info) { + dma_unmap_single(>pcid->dev, rd_info->skb_dma, + priv->rx_buf_sz, DMA_FROM_DEVICE); + dev_kfree_skb(rd_info->skb); + kfree(desc->rd_info); + } } } @@ -621,7 +631,8 @@ static void device_init_td0_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = >apTD0Rings[i]; desc->td_info = kzalloc(sizeof(*desc->td_info), GFP_KERNEL); - + if (!desc->td_info) + goto error; desc->td_info->buf = priv->tx0_bufs + i * PKT_BUF_SZ; desc->td_info->buf_dma = priv->tx_bufs_dma0 + i * PKT_BUF_SZ; @@ -632,6 +643,10 @@ static void device_init_td0_ring(struct vnt_private *priv) if (i > 0) priv->apTD0Rings[i-1].next_desc = cpu_to_le32(priv->td0_pool_dma); priv->apTailTD[0] = priv->apCurrTD[0] = >apTD0Rings[0]; + + return; +error: + device_free_td0_ring(priv); } static void device_init_td1_ring(struct vnt_private *priv) @@ -646,7 +661,8 @@ static void device_init_td1_ring(struct vnt_private *priv) i++, curr += sizeof(struct vnt_tx_desc)) { desc = >apTD1Rings[i]; desc->td_info =