| Message ID | 20190323214125.10233-1-pakki001@umn.edu |
|---|---|
| State | Superseded |
| Series | [v2] nvdimm: btt_devs: fix a NULL pointer dereference |
On 23/03/2019 22:41, Aditya Pakki wrote: > In case kmemdup fails, the fix releases resources and returns to > avoid the NULL pointer dereference. > > Signed-off-by: Aditya Pakki <pakki001@umn.edu> > > --- > v1: Free nd_btt->id in case of failure and avoid double free, suggested > by Dan Williams > --- > drivers/nvdimm/btt_devs.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c > index b72a303176c7..119a4ead2e46 100644 > --- a/drivers/nvdimm/btt_devs.c > +++ b/drivers/nvdimm/btt_devs.c > @@ -204,8 +204,14 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, > } > > nd_btt->lbasize = lbasize; > - if (uuid) > + if (uuid) { > uuid = kmemdup(uuid, 16, GFP_KERNEL); > + if (!uuid) { > + kfree(nd_btt->id); > + kfree(nd_btt); > + return NULL; > + } > + }

nd_btt->id is an ida and thus must be freed using:

    ida_simple_remove(&nd_region->btt_ida, nd_btt->id);

that being I'd prefer a 'out_put_id' label at the end of the function and do the cleanups there. Something like this:

        if (uuid) {
                uuid = kmemdup(uuid, 16, GFP_KERNEL);
                if (!uuid)
                        goto out_put_id;
        [...]
        return dev;
    out_put_id:
        ida_simple_remove(&nd_region->btt_ida, nd_btt->id);
        kfree(nd_btt);
        return NULL;
    }
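The cleanup ordering the reply asks for, as an added userspace model that is not code from the patch, the reply, or the nvdimm driver. The `ida_simple_get`/`ida_simple_remove`, `kmemdup` and `nd_btt`/`nd_region` names are hypothetical stand-ins defined inside the block (a bitmap id allocator, a malloc wrapper with fault injection, simplified structs) so that the error path can be exercised offline: a failed duplicate must return the id to the region's allocator, not pass it to `free()`, and the next create must get the same id back.

```c
/* Added example: userspace model of an allocate-id-then-duplicate constructor
 * with a single goto-based unwind. All kernel-looking names are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IDA_MAX 8

/* Hypothetical stand-in for a kernel ida: a tiny bitmap of reserved ids. */
struct ida { bool used[IDA_MAX]; };

static int ida_simple_get(struct ida *ida) {
    for (int i = 0; i < IDA_MAX; i++)
        if (!ida->used[i]) { ida->used[i] = true; return i; }
    return -1;                     /* no free id (kernel: -ENOSPC) */
}

static void ida_simple_remove(struct ida *ida, int id) { ida->used[id] = false; }

static int ida_in_use(const struct ida *ida) {
    int n = 0;
    for (int i = 0; i < IDA_MAX; i++) n += ida->used[i];
    return n;                      /* a leaked id shows up as a non-zero count */
}

/* Fault injection: with fail_kmemdup set, the duplicate fails like an OOM. */
static bool fail_kmemdup;
static void *kmemdup(const void *src, size_t len) {
    if (fail_kmemdup) return NULL;
    void *p = malloc(len);
    if (p) memcpy(p, src, len);
    return p;
}

struct nd_region { struct ida btt_ida; int id; };
struct nd_btt { int id; unsigned long lbasize; unsigned char *uuid; char name[32]; };

/* Modeled on the shape of __nd_btt_create: allocate the object, reserve an
 * integer id, then duplicate the uuid. On failure every resource is released
 * in reverse order of acquisition; the id goes back through
 * ida_simple_remove() because it is an integer, not heap memory. */
static struct nd_btt *nd_btt_create(struct nd_region *nd_region,
                                    unsigned long lbasize,
                                    const unsigned char *uuid) {
    struct nd_btt *nd_btt = calloc(1, sizeof(*nd_btt));
    if (!nd_btt)
        return NULL;
    nd_btt->id = ida_simple_get(&nd_region->btt_ida);
    if (nd_btt->id < 0)
        goto out_nd_btt;
    nd_btt->lbasize = lbasize;
    if (uuid) {
        unsigned char *dup = kmemdup(uuid, 16);
        if (!dup)
            goto out_put_id;       /* shared unwind instead of inline frees */
        nd_btt->uuid = dup;
    }
    snprintf(nd_btt->name, sizeof nd_btt->name, "btt%d.%d", nd_region->id, nd_btt->id);
    return nd_btt;
out_put_id:
    ida_simple_remove(&nd_region->btt_ida, nd_btt->id);
out_nd_btt:
    free(nd_btt);
    return NULL;
}

static void nd_btt_destroy(struct nd_region *nd_region, struct nd_btt *nd_btt) {
    ida_simple_remove(&nd_region->btt_ida, nd_btt->id);
    free(nd_btt->uuid);
    free(nd_btt);
}

/* Scenario: a create that fails in kmemdup must not leak its id, so the next
 * create on the same region gets id 0 again. Returns that id (0 on success)
 * or -1 if the failed create returned an object or left an id reserved. */
static int demo_failed_create_releases_id(void) {
    struct nd_region region = { .id = 3 };       /* constructed sample region */
    unsigned char uuid[16] = { 1 };               /* constructed sample uuid */
    fail_kmemdup = true;
    if (nd_btt_create(&region, 4096, uuid) != NULL) return -1;
    if (ida_in_use(&region.btt_ida) != 0) return -1;   /* id must be back */
    fail_kmemdup = false;
    struct nd_btt *b = nd_btt_create(&region, 4096, uuid);
    if (!b || strcmp(b->name, "btt3.0") != 0) return -1;
    int id = b->id;
    nd_btt_destroy(&region, b);
    if (ida_in_use(&region.btt_ida) != 0) return -1;
    return id;
}

int main(void) {
    int id = demo_failed_create_releases_id();
    printf("id after failed create: %d (%s)\n", id, id == 0 ? "no leak" : "leaked");
    return id == 0 ? 0 : 1;
}
```

The two labels are ordered so that each later failure point jumps to the label that undoes everything acquired before it; adding a third resource means one more label above `out_put_id:`, not another copy of the frees.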
diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c index b72a303176c7..119a4ead2e46 100644 --- a/drivers/nvdimm/btt_devs.c +++ b/drivers/nvdimm/btt_devs.c @@ -204,8 +204,14 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, } nd_btt->lbasize = lbasize; - if (uuid) + if (uuid) { uuid = kmemdup(uuid, 16, GFP_KERNEL); + if (!uuid) { + kfree(nd_btt->id); + kfree(nd_btt); + return NULL; + } + } nd_btt->uuid = uuid; dev = &nd_btt->dev; dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id);
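Review bot: `kfree(nd_btt->id)` in the new `if (!uuid)` branch is the wrong release for `nd_btt->id`. The trailing context line `dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id)` shows `id` is an integer handed out by the region's ida, not a kmalloc'd pointer, so passing it to kfree() is an int-to-pointer conversion that frees a bogus address and never returns the id to `nd_region->btt_ida`. Release it with `ida_simple_remove(&nd_region->btt_ida, nd_btt->id);`, and rather than inlining the two frees and the `return NULL` at this one failure point, jump to an `out_put_id:` label at the end of the function that does the ida_simple_remove(), the kfree(nd_btt) and the return, so any later failure in the function can share the same unwind.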
In case kmemdup fails, the fix releases resources and returns to
avoid the NULL pointer dereference.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>

---
v1: Free nd_btt->id in case of failure and avoid double free, suggested
by Dan Williams
---
 drivers/nvdimm/btt_devs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)