| Message ID | 20190325213618.12139-1-pakki001@umn.edu (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [v3] nvdimm: btt_devs: fix a NULL pointer dereference | expand |
On Mon, Mar 25, 2019 at 2:36 PM Aditya Pakki <pakki001@umn.edu> wrote: > > In case kmemdup fails, the fix releases resources and returns to > avoid the NULL pointer dereference. > > Signed-off-by: Aditya Pakki <pakki001@umn.edu> > > --- > v2: Replace incorrect kfree with ida_simple_remove, suggested by > Johannes Thumshirn > v1: Free nd_btt->id in case of failure and avoid double free, suggested > by Dan Williams > --- > drivers/nvdimm/btt_devs.c | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c > index b72a303176c7..f73fb5fdc93f 100644 > --- a/drivers/nvdimm/btt_devs.c > +++ b/drivers/nvdimm/btt_devs.c > @@ -204,8 +204,11 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, > } > > nd_btt->lbasize = lbasize; > - if (uuid) > + if (uuid) { > uuid = kmemdup(uuid, 16, GFP_KERNEL); > + if (!uuid) > + goto out_put_id; > + } > nd_btt->uuid = uuid; > dev = &nd_btt->dev; > dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); > @@ -220,6 +223,11 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, > return NULL; > } > return dev; > + > +out_put_id: > + ida_simple_remove(&nd_region->btt_ida, nd_btt->id); > + kfree(nd_btt); There's still 2 calls to "kfree(nd_btt)" when only one is needed. Please route them both to the same call.
diff --git a/drivers/nvdimm/btt_devs.c b/drivers/nvdimm/btt_devs.c index b72a303176c7..f73fb5fdc93f 100644 --- a/drivers/nvdimm/btt_devs.c +++ b/drivers/nvdimm/btt_devs.c @@ -204,8 +204,11 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, } nd_btt->lbasize = lbasize; - if (uuid) + if (uuid) { uuid = kmemdup(uuid, 16, GFP_KERNEL); + if (!uuid) + goto out_put_id; + } nd_btt->uuid = uuid; dev = &nd_btt->dev; dev_set_name(dev, "btt%d.%d", nd_region->id, nd_btt->id); @@ -220,6 +223,11 @@ static struct device *__nd_btt_create(struct nd_region *nd_region, return NULL; } return dev; + +out_put_id: + ida_simple_remove(&nd_region->btt_ida, nd_btt->id); + kfree(nd_btt); + return NULL; } struct device *nd_btt_create(struct nd_region *nd_region)
In case kmemdup fails, the fix releases resources and returns to avoid the NULL pointer dereference. Signed-off-by: Aditya Pakki <pakki001@umn.edu> --- v2: Replace incorrect kfree with ida_simple_remove, suggested by Johannes Thumshirn v1: Free nd_btt->id in case of failure and avoid double free, suggested by Dan Williams --- drivers/nvdimm/btt_devs.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)