linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Sinan Kaya <okaya@codeaurora.org>,
	devel@driverdev.osuosl.org, ldv-project@linuxtesting.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Johannes Thumshirn <jthumshirn@suse.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Hannes Reinecke <hare@suse.de>,
	Gaurav Pathak <gauravpathak129@gmail.com>,
	Anton Vasilyev <vasilyev@ispras.ru>
Subject: Re: [PATCH] staging: rts5208: add check on NULL before dereference
Date: Tue, 12 Jun 2018 16:06:40 +0300	[thread overview]
Message-ID: <20180612130640.6lcnn4cj7cval7aw@mwanda> (raw)
In-Reply-To: <CAHp75VdkDCCJCqBTGsPCzaCKfT_bqYNGDQekvr56U3fhR+uthA@mail.gmail.com>

On Sat, Jun 09, 2018 at 10:34:43PM +0300, Andy Shevchenko wrote:
> On Sat, Jun 9, 2018 at 7:58 PM,  <okaya@codeaurora.org> wrote:
> > On 2018-06-09 12:38, Anton Vasilyev wrote:
> >>
> >> If rtsx_probe fails to allocate dev->chip, then NULL pointer
> >> dereference occurs at rtsx_release_resources().
> >>
> >> Patch adds checks chip on NULL before its dereference at
> >> rtsx_release_resources and passing with dereference inside
> >> rtsx_release_chip.
> >>
> >> Found by Linux Driver Verification project (linuxtesting.org).
> 
> > I think you should bail out if dev->chip is null rather than adding
> > conditiinals.
> 
> I'm wondering if it's false positive. At which circumstances that may happen?
> 


Here's how the code looks like in rtsx_probe().

   972          /* We come here if there are any problems */
   973  errout:
   974          dev_err(&pci->dev, "%s failed\n", __func__);
   975          release_everything(dev);
   976  
   977          return err;
   978  }

Do everything error handling is error prone because you're trying to
free some things which haven't been allocated.  It's also more
complicated so it leads to leaks.

The correct way to do error handling is to have a series of labels which
undo one thing at a time.  The labels should be named properly so that
you can tell what the goto does such as "goto err_release_foo;".  That
way you never have to worry about freeing things which haven't been
allocated.  As you read the code, you just have to track the most
recently allocated resource and verify that the goto does what is
expected so you avoid leaks.

In this example:

   857          dev->chip = kzalloc(sizeof(*dev->chip), GFP_KERNEL);
   858          if (!dev->chip) {
   859                  err = -ENOMEM;
   860                  goto errout;
   861          }
   862  
   863          spin_lock_init(&dev->reg_lock);
   864          mutex_init(&dev->dev_mutex);
   865          init_completion(&dev->cmnd_ready);
   866          init_completion(&dev->control_exit);
   867          init_completion(&dev->polling_exit);
   868          init_completion(&dev->notify);
   869          init_completion(&dev->scanning_done);
   870          init_waitqueue_head(&dev->delay_wait);

If the kzalloc() fails, then we call release_everything() with
"dev->chip" NULL.  But we'll actually crash before we hit the NULL
dereference because we didn't do the init_completion(&dev->cmnd_ready);

So this patch doesn't really fix anything because do everything error
handling is a hopeless approach.

regards,
dan carpenter

  parent reply	other threads:[~2018-06-12 13:07 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-09 16:38 [PATCH] staging: rts5208: add check on NULL before dereference Anton Vasilyev
2018-06-09 16:58 ` okaya
2018-06-09 19:34   ` Andy Shevchenko
2018-06-09 22:22     ` okaya
2018-06-12 13:06     ` Dan Carpenter [this message]
2018-06-13 16:55       ` [PATCH v2] " Anton Vasilyev
2018-06-13 17:00         ` Andy Shevchenko
2018-06-13 17:34           ` [PATCH v3] staging: rts5208: add error handling into rtsx_probe Anton Vasilyev
     [not found]           ` <20180613173128.32384-1-vasilyev@ispras.ru>
2018-06-19  7:42             ` your mail Dan Carpenter
2018-06-19 15:25               ` [PATCH v4] staging: rts5208: add error handling into rtsx_probe Anton Vasilyev
2018-06-19 17:13                 ` Andy Shevchenko
2018-08-01 11:55                   ` [PATCH v5] " Anton Vasilyev
2018-08-01 12:18                     ` Andy Shevchenko
2018-08-01 14:08                       ` Anton Vasilyev
2018-08-01 14:52                         ` Dan Carpenter
2018-08-01 15:37                         ` Andy Shevchenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180612130640.6lcnn4cj7cval7aw@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=andy.shevchenko@gmail.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gauravpathak129@gmail.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hare@suse.de \
    --cc=jthumshirn@suse.de \
    --cc=ldv-project@linuxtesting.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=okaya@codeaurora.org \
    --cc=vasilyev@ispras.ru \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).