From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1762560AbcINOBw (ORCPT <rfc822;w@1wt.eu>);
        Wed, 14 Sep 2016 10:01:52 -0400
Received: from mout.web.de ([212.227.15.3]:50130 "EHLO mout.web.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1756072AbcINOBt (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Sep 2016 10:01:49 -0400
Subject: [PATCH 02/11] virtio_console: Less function calls in init_vqs() after
 error detection
To: virtualization@lists.linux-foundation.org,
        Amit Shah <amit.shah@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "Michael S. Tsirkin" <mst@redhat.com>,
        Rusty Russell <rusty@rustcorp.com.au>
References: <566ABCD9.1060404@users.sourceforge.net>
 <020438b9-a7f8-0050-04c1-43382ba60b75@users.sourceforge.net>
Cc: LKML <linux-kernel@vger.kernel.org>, kernel-janitors@vger.kernel.org,
        Julia Lawall <julia.lawall@lip6.fr>
From: SF Markus Elfring <elfring@users.sourceforge.net>
Message-ID: <490b98e1-6129-f11f-55ff-94219ebce6d6@users.sourceforge.net>
Date: Wed, 14 Sep 2016 16:01:28 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <020438b9-a7f8-0050-04c1-43382ba60b75@users.sourceforge.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:oWmhj23K4DmAvtyGSSasE7bH9xXOVlxCyggumBEeN/AYcyp3nrL
 XNmKvmPoRrHW5v0OIHC+fVPp5gC5eF0WAb+EstsZaaT09kQBsd0zUgBrBtu/ft8xG0cMKyP
 BA8H0TcxmRigFaa7NadPNPtLSHh8Ygh4wQJXKDmfJXP+qMo/lS0TT9hahboD3s73Q58wdgJ
 m/leDbRF8/H0WOqu3Owsw==
X-UI-Out-Filterresults: notjunk:1;V01:K0:QdGu9cIu7+g=:w1y4XJ1/sPlgtaqjlTaxUq
 v454cdapdmlypiHIsP/hAm3BcsDjUyNHnG8lrKXrUVQZGcrmezT//r6uPchY3UkhRr9WSOMOi
 7eaQfvYTXpmg63sE+zFf2/v1jzQALyMKRLgRaZop0GMrjN2mAQkxUfSmazD4MQUodxaBX14Jq
 MhNRj1bZd2+Mp565dcIr4VKMFATA5jpXfVT+l9+ft2TOHeGRpTQN3QJL36hLOiLvsN6fmcgVw
 IBiaZyuQJYxCi8mRjaLUCSiTUHeguJ9tdbLesVRySOpBjQrB3V1/0qcY38jgOnFJHQuqzab42
 bTkYzrX5kUiVVZYL3glvsu2m7v1oBIIu5/IgVPcTFiBODVVVN1hMOXrJ1GfodvkgQ8HsK7RZL
 vJfpUSeYIdyBI4y+Bx03vkYCdSjXOnEzLudrUHGVS8eGhwHNBWel7o9QUjVjC0sMPqSXTQyXt
 EcWygfgjhwY6sh1JOoHC+1mOA7bAyHy2Cg/wTvl/zTdiCzPbT08I4Q2YUcd24lnmZ5a/g/P/+
 a1s7AswPN/CqCWJVoeOB6HZn3qdpbNRnWwgk73rUuPb+9FvVeSCMB37nmjlesIvEIDHUnGjeJ
 f8fBGbLiqq1I6Y2loP6XkkOeLgIGAntzVGDWpeurrKKBXsKsd4ZKQ/YYJC+3P5kjnH5Di9YaZ
 wgUHIL0uQBt98yoPihFQC0kCZ7nOXhY61cPFML9RKd4m5Pm51uEX0reX2S/vuHvSUGv2iWCBQ
 sEd0t67ioQzh7JDazqdY9APsxOAwDDQBP1TIA9sV+DpcYf95OdnxS1+b6NxlKPCvMriVqAUkB
 LHHi5k6
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Markus Elfring <elfring@users.sourceforge.net>
Date: Wed, 14 Sep 2016 14:00:35 +0200

The kfree() function was called in up to five cases
by the init_vqs() function during error handling even if
the passed variable contained a null pointer.

* Return directly after a call of the function "kmalloc_array" failed
  at the beginning.

* Split a condition check for memory allocation failures so that
  each pointer from these function calls will be checked immediately.

  See also background information:
  Topic "CWE-754: Improper check for unusual or exceptional conditions"
  Link: https://cwe.mitre.org/data/definitions/754.html

* Adjust jump targets according to the Linux coding style convention.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
 drivers/char/virtio_console.c | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 325ebc6..bf0ad57 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -1882,20 +1882,37 @@ static int init_vqs(struct ports_device *portdev)
 	nr_queues = use_multiport(portdev) ? (nr_ports + 1) * 2 : 2;
 
 	vqs = kmalloc_array(nr_queues, sizeof(*vqs), GFP_KERNEL);
+	if (!vqs)
+		return -ENOMEM;
+
 	io_callbacks = kmalloc_array(nr_queues,
 				     sizeof(*io_callbacks),
 				     GFP_KERNEL);
+	if (!io_callbacks) {
+		err = -ENOMEM;
+		goto free_vqs;
+	}
+
 	io_names = kmalloc_array(nr_queues, sizeof(*io_names), GFP_KERNEL);
+	if (!io_names) {
+		err = -ENOMEM;
+		goto free_callbacks;
+	}
+
 	portdev->in_vqs = kmalloc_array(nr_ports,
 					sizeof(*portdev->in_vqs),
 					GFP_KERNEL);
+	if (!portdev->in_vqs) {
+		err = -ENOMEM;
+		goto free_names;
+	}
+
 	portdev->out_vqs = kmalloc_array(nr_ports,
 					 sizeof(*portdev->out_vqs),
 					 GFP_KERNEL);
-	if (!vqs || !io_callbacks || !io_names || !portdev->in_vqs ||
-	    !portdev->out_vqs) {
+	if (!portdev->out_vqs) {
 		err = -ENOMEM;
-		goto free;
+		goto free_in_vqs;
 	}
 
 	/*
@@ -1929,7 +1946,7 @@ static int init_vqs(struct ports_device *portdev)
 					      io_callbacks,
 					      (const char **)io_names);
 	if (err)
-		goto free;
+		goto free_out_vqs;
 
 	j = 0;
 	portdev->in_vqs[0] = vqs[0];
@@ -1950,12 +1967,15 @@ static int init_vqs(struct ports_device *portdev)
 	kfree(vqs);
 
 	return 0;
-
-free:
+ free_out_vqs:
 	kfree(portdev->out_vqs);
+ free_in_vqs:
 	kfree(portdev->in_vqs);
+ free_names:
 	kfree(io_names);
+ free_callbacks:
 	kfree(io_callbacks);
+ free_vqs:
 	kfree(vqs);
 
 	return err;
-- 
2.10.0