* [patch -next] caif: add error handling for allocation
@ 2011-09-02 8:07 Dan Carpenter
2011-09-02 9:40 ` Sjur Brændeland
0 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2011-09-02 8:07 UTC (permalink / raw)
To: Sjur Braendeland
Cc: David S. Miller, open list:CAIF NETWORK LAYER, kernel-janitors
The allocation could fail so we should check, or other errors could
happen and we should free the "phyinfo" variable.
Signed-off-by: Dan Carpenter <error27@gmail.com>
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index f07ab8c..b213b53 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -467,7 +467,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
{
struct cflayer *frml;
struct cflayer *phy_driver = NULL;
- struct cfcnfg_phyinfo *phyinfo;
+ struct cfcnfg_phyinfo *phyinfo = NULL;
int i;
u8 phyid;
@@ -482,23 +482,25 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
goto got_phyid;
}
pr_warn("Too many CAIF Link Layers (max 6)\n");
- goto out;
+ goto out_err;
got_phyid:
phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
+ if (!phyinfo)
+ goto out_err;
switch (phy_type) {
case CFPHYTYPE_FRAG:
phy_driver =
cfserl_create(CFPHYTYPE_FRAG, phyid, stx);
if (!phy_driver)
- goto out;
+ goto out_err;
break;
case CFPHYTYPE_CAIF:
phy_driver = NULL;
break;
default:
- goto out;
+ goto out_err;
}
phy_layer->id = phyid;
phyinfo->pref = pref;
@@ -512,10 +514,8 @@ got_phyid:
frml = cffrml_create(phyid, fcs);
- if (!frml) {
- kfree(phyinfo);
- goto out;
- }
+ if (!frml)
+ goto out_err;
phyinfo->frm_layer = frml;
layer_set_up(frml, cnfg->mux);
@@ -531,7 +531,11 @@ got_phyid:
}
list_add_rcu(&phyinfo->node, &cnfg->phys);
-out:
+ mutex_unlock(&cnfg->lock);
+ return;
+
+out_err:
+ kfree(phyinfo);
mutex_unlock(&cnfg->lock);
}
EXPORT_SYMBOL(cfcnfg_add_phy_layer);
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [patch -next] caif: add error handling for allocation
2011-09-02 8:07 [patch -next] caif: add error handling for allocation Dan Carpenter
@ 2011-09-02 9:40 ` Sjur Brændeland
2011-09-02 12:19 ` [PATCH] caif: fix a potential NULL dereference Eric Dumazet
` (2 more replies)
0 siblings, 3 replies; 9+ messages in thread
From: Sjur Brændeland @ 2011-09-02 9:40 UTC (permalink / raw)
To: Dan Carpenter
Cc: David S. Miller, open list:CAIF NETWORK LAYER, kernel-janitors
Hi Dan,
...
> switch (phy_type) {
> case CFPHYTYPE_FRAG:
> phy_driver =
> cfserl_create(CFPHYTYPE_FRAG, phyid, stx);
> if (!phy_driver)
> - goto out;
> + goto out_err;
> break;
...
> -out:
> + mutex_unlock(&cnfg->lock);
> + return;
> +
> +out_err:
> + kfree(phyinfo);
> mutex_unlock(&cnfg->lock);
Thank you for your patch.
When reviewing this I found another potential memory leak as well.
If cffrml_create fails, we might be leaking the phy_driver.
So perhaps you could do kfree(phy_driver) in out_err: as well, while
you are at it?
Regards,
Sjur
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] caif: fix a potential NULL dereference
2011-09-02 9:40 ` Sjur Brændeland
@ 2011-09-02 12:19 ` Eric Dumazet
2011-09-02 13:13 ` Sjur Brændeland
2011-09-16 22:56 ` David Miller
2011-09-02 15:51 ` [patch -next] caif: add error handling for allocation Dan Carpenter
2011-09-21 7:21 ` [patch v2] " Dan Carpenter
2 siblings, 2 replies; 9+ messages in thread
From: Eric Dumazet @ 2011-09-02 12:19 UTC (permalink / raw)
To: Sjur Brændeland, David Miller; +Cc: netdev
Commit bd30ce4bc0b7 (caif: Use RCU instead of spin-lock in caif_dev.c)
added a potential NULL dereference in case alloc_percpu() fails.
caif_device_alloc() can also use GFP_KERNEL instead of GFP_ATOMIC.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Sjur Brændeland <sjur.brandeland@stericsson.com>
---
net/caif/caif_dev.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index 7c2fa0a..7f9ac07 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -93,10 +93,14 @@ static struct caif_device_entry *caif_device_alloc(struct net_device *dev)
caifdevs = caif_device_list(dev_net(dev));
BUG_ON(!caifdevs);
- caifd = kzalloc(sizeof(*caifd), GFP_ATOMIC);
+ caifd = kzalloc(sizeof(*caifd), GFP_KERNEL);
if (!caifd)
return NULL;
caifd->pcpu_refcnt = alloc_percpu(int);
+ if (!caifd->pcpu_refcnt) {
+ kfree(caifd);
+ return NULL;
+ }
caifd->netdev = dev;
dev_hold(dev);
return caifd;
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [patch -next] caif: add error handling for allocation
2011-09-02 9:40 ` Sjur Brændeland
2011-09-02 12:19 ` [PATCH] caif: fix a potential NULL dereference Eric Dumazet
@ 2011-09-02 15:51 ` Dan Carpenter
2011-09-21 7:21 ` [patch v2] " Dan Carpenter
2 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2011-09-02 15:51 UTC (permalink / raw)
To: Sjur Brændeland
Cc: David S. Miller, open list:CAIF NETWORK LAYER, kernel-janitors
On Fri, Sep 02, 2011 at 11:40:23AM +0200, Sjur Brændeland wrote:
> Thank you for your patch.
> When reviewing this I found another potential memory leak as well.
> If cffrml_create fails, we might be leaking the phy_driver.
> So perhaps you could do kfree(phy_driver) in out_err: as well, while
> you are at it?
>
Good point. A kfree(phy_driver) would fix the leak. But why does
cfserl_create() return &this->layer; instead of just "return this;"
Their equivalent now, but if you change the cfserl struct it will
break the kfree().
I'll be travelling for a while, so I may be out of reach until
Wednessday.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 9+ messages in thread
* [patch v2] caif: add error handling for allocation
2011-09-02 9:40 ` Sjur Brændeland
2011-09-02 12:19 ` [PATCH] caif: fix a potential NULL dereference Eric Dumazet
2011-09-02 15:51 ` [patch -next] caif: add error handling for allocation Dan Carpenter
@ 2011-09-21 7:21 ` Dan Carpenter
2011-09-23 10:38 ` Sjur BRENDELAND
2 siblings, 1 reply; 9+ messages in thread
From: Dan Carpenter @ 2011-09-21 7:21 UTC (permalink / raw)
To: Sjur Braendeland; +Cc: David S. Miller, netdev, kernel-janitors
The allocation of "phyinfo" wasn't checked, and also the allocation
wasn't freed on error paths. Sjur Brændeland pointed out as well
that "phy_driver" should be freed on the error path too.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
V2: Add a kfree(phy_driver).
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index f07ab8c..00523ec 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -467,7 +467,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
{
struct cflayer *frml;
struct cflayer *phy_driver = NULL;
- struct cfcnfg_phyinfo *phyinfo;
+ struct cfcnfg_phyinfo *phyinfo = NULL;
int i;
u8 phyid;
@@ -482,23 +482,25 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
goto got_phyid;
}
pr_warn("Too many CAIF Link Layers (max 6)\n");
- goto out;
+ goto out_err;
got_phyid:
phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
+ if (!phyinfo)
+ goto out_err;
switch (phy_type) {
case CFPHYTYPE_FRAG:
phy_driver =
cfserl_create(CFPHYTYPE_FRAG, phyid, stx);
if (!phy_driver)
- goto out;
+ goto out_err;
break;
case CFPHYTYPE_CAIF:
phy_driver = NULL;
break;
default:
- goto out;
+ goto out_err;
}
phy_layer->id = phyid;
phyinfo->pref = pref;
@@ -512,10 +514,8 @@ got_phyid:
frml = cffrml_create(phyid, fcs);
- if (!frml) {
- kfree(phyinfo);
- goto out;
- }
+ if (!frml)
+ goto out_err;
phyinfo->frm_layer = frml;
layer_set_up(frml, cnfg->mux);
@@ -531,7 +531,12 @@ got_phyid:
}
list_add_rcu(&phyinfo->node, &cnfg->phys);
-out:
+ mutex_unlock(&cnfg->lock);
+ return;
+
+out_err:
+ kfree(phy_driver);
+ kfree(phyinfo);
mutex_unlock(&cnfg->lock);
}
EXPORT_SYMBOL(cfcnfg_add_phy_layer);
^ permalink raw reply related [flat|nested] 9+ messages in thread
* RE: [patch v2] caif: add error handling for allocation
2011-09-21 7:21 ` [patch v2] " Dan Carpenter
@ 2011-09-23 10:38 ` Sjur BRENDELAND
2011-10-03 17:46 ` David Miller
0 siblings, 1 reply; 9+ messages in thread
From: Sjur BRENDELAND @ 2011-09-23 10:38 UTC (permalink / raw)
To: Dan Carpenter; +Cc: David S. Miller, netdev, kernel-janitors
[Dan]:
> The allocation of "phyinfo" wasn't checked, and also the allocation
> wasn't freed on error paths. Sjur Brændeland pointed out as well
> that "phy_driver" should be freed on the error path too.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Looks good, thank you Dan.
Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [patch v2] caif: add error handling for allocation
2011-09-23 10:38 ` Sjur BRENDELAND
@ 2011-10-03 17:46 ` David Miller
0 siblings, 0 replies; 9+ messages in thread
From: David Miller @ 2011-10-03 17:46 UTC (permalink / raw)
To: sjur.brandeland; +Cc: dan.carpenter, netdev, kernel-janitors
From: Sjur BRENDELAND <sjur.brandeland@stericsson.com>
Date: Fri, 23 Sep 2011 12:38:45 +0200
> [Dan]:
>> The allocation of "phyinfo" wasn't checked, and also the allocation
>> wasn't freed on error paths. Sjur Brændeland pointed out as well
>> that "phy_driver" should be freed on the error path too.
>>
>> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> Looks good, thank you Dan.
> Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Applied, thanks.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2011-10-03 17:46 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-09-02 8:07 [patch -next] caif: add error handling for allocation Dan Carpenter
2011-09-02 9:40 ` Sjur Brændeland
2011-09-02 12:19 ` [PATCH] caif: fix a potential NULL dereference Eric Dumazet
2011-09-02 13:13 ` Sjur Brændeland
2011-09-16 22:56 ` David Miller
2011-09-02 15:51 ` [patch -next] caif: add error handling for allocation Dan Carpenter
2011-09-21 7:21 ` [patch v2] " Dan Carpenter
2011-09-23 10:38 ` Sjur BRENDELAND
2011-10-03 17:46 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).