From patchwork Wed Jun 1 18:06:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Colin King X-Patchwork-Id: 9147935 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id D869560777 for ; Wed, 1 Jun 2016 18:07:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CEA8726E04 for ; Wed, 1 Jun 2016 18:07:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C2FA726FA5; Wed, 1 Jun 2016 18:07:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 4E63526E04 for ; Wed, 1 Jun 2016 18:07:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755151AbcFASGv (ORCPT ); Wed, 1 Jun 2016 14:06:51 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:55551 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932718AbcFASGu (ORCPT ); Wed, 1 Jun 2016 14:06:50 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1b8AXM-0002wf-TU; Wed, 01 Jun 2016 18:06:37 +0000 From: Colin King To: Doug Ledford , Sean Hefty , Hal Rosenstock , Ira Weiny , Christoph Lameter , Matan Barak , Jason Gunthorpe , linux-rdma@vger.kernel.org Cc: linux-kernel@vger.kernel.org Subject: [PATCH] IB/core: fix null pointer dereference and memory leak in error handling Date: Wed, 1 Jun 2016 19:06:36 +0100 Message-Id: <1464804396-13936-1-git-send-email-colin.king@canonical.com> X-Mailer: git-send-email 2.8.1 Sender: linux-rdma-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-rdma@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Colin Ian King The current error handling in setup_hw_stats has a couple of issues. It is possible to generate a null pointer deference on the kfree of hsag->attrs[i] because two of the early error exit paths jump to the kfree when hsags NULL and not allocated. Fix this by moving the kfree on stats and jumping to that, avoiding the hsag freeing. Secondly, there is a memory leak of stats if the hsag allocation fails; instead of returning, jump to the kfree on stats. Signed-off-by: Colin Ian King --- drivers/infiniband/core/sysfs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c index 5e573bb..ed04a7b 100644 --- a/drivers/infiniband/core/sysfs.c +++ b/drivers/infiniband/core/sysfs.c @@ -899,14 +899,14 @@ static void setup_hw_stats(struct ib_device *device, struct ib_port *port, return; if (!stats->names || stats->num_counters <= 0) - goto err; + goto err_free_stats; hsag = kzalloc(sizeof(*hsag) + // 1 extra for the lifespan config entry sizeof(void *) * (stats->num_counters + 1), GFP_KERNEL); if (!hsag) - return; + goto err_free_stats; ret = device->get_hw_stats(device, stats, port_num, stats->num_counters); @@ -946,10 +946,11 @@ static void setup_hw_stats(struct ib_device *device, struct ib_port *port, return; err: - kfree(stats); for (; i >= 0; i--) kfree(hsag->attrs[i]); kfree(hsag); +err_free_stats: + kfree(stats); return; }