nvdimm.lists.linux.dev archive mirror
 help / color / mirror / Atom feed
* [ndctl PATCH 0/2] fix two issues reported by Coverity
@ 2021-06-15 12:37 Zhiqiang Liu
  2021-06-15 12:38 ` [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace Zhiqiang Liu
                   ` (2 more replies)
  0 siblings, 3 replies; 9+ messages in thread
From: Zhiqiang Liu @ 2021-06-15 12:37 UTC (permalink / raw)
  To: vishal.l.verma; +Cc: nvdimm, linfeilong, lixiaokeng, liuzhiqiang26

Recently, we use Coverity to analysis the ndctl package, again.
Two issues should be resolved to make Coverity happy.

Zhiqiang Liu (2):
  libndctl: check return value of ndctl_pfn_get_namespace
  namespace: fix potentail fd leak problem in do_xaction_namespace()

 ndctl/namespace.c | 35 +++++++++++++++++++++++------------
 test/libndctl.c   |  4 ++--
 util/json.c       |  2 ++
 3 files changed, 27 insertions(+), 14 deletions(-)

-- 
2.23.0



.


^ permalink raw reply	[flat|nested] 9+ messages in thread

* [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace
  2021-06-15 12:37 [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
@ 2021-06-15 12:38 ` Zhiqiang Liu
  2021-06-30 17:41   ` Alison Schofield
  2021-06-15 12:39 ` [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace() Zhiqiang Liu
  2021-06-30  2:55 ` [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
  2 siblings, 1 reply; 9+ messages in thread
From: Zhiqiang Liu @ 2021-06-15 12:38 UTC (permalink / raw)
  To: vishal.l.verma; +Cc: nvdimm, linfeilong, lixiaokeng, liuzhiqiang26


ndctl_pfn_get_namespace() may return NULL, so callers
should check return value of it. Otherwise, it may
cause access NULL pointer problem.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
---
 ndctl/namespace.c | 18 ++++++++++++++----
 test/libndctl.c   |  4 ++--
 util/json.c       |  2 ++
 3 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/ndctl/namespace.c b/ndctl/namespace.c
index 0c8df9f..21089d7 100644
--- a/ndctl/namespace.c
+++ b/ndctl/namespace.c
@@ -1417,11 +1417,16 @@ static int nstype_clear_badblocks(struct ndctl_namespace *ndns,

 static int dax_clear_badblocks(struct ndctl_dax *dax)
 {
-	struct ndctl_namespace *ndns = ndctl_dax_get_namespace(dax);
-	const char *devname = ndctl_dax_get_devname(dax);
+	struct ndctl_namespace *ndns;
+	const char *devname;
 	unsigned long long begin, size;
 	int rc;

+	ndns = ndctl_dax_get_namespace(dax);
+	if (!ndns)
+		return -ENXIO;
+
+	devname = ndctl_dax_get_devname(dax);
 	begin = ndctl_dax_get_resource(dax);
 	if (begin == ULLONG_MAX)
 		return -ENXIO;
@@ -1441,11 +1446,16 @@ static int dax_clear_badblocks(struct ndctl_dax *dax)

 static int pfn_clear_badblocks(struct ndctl_pfn *pfn)
 {
-	struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
-	const char *devname = ndctl_pfn_get_devname(pfn);
+	struct ndctl_namespace *ndns;
+	const char *devname;
 	unsigned long long begin, size;
 	int rc;

+	ndns = ndctl_pfn_get_namespace(pfn);
+	if (!ndns)
+		return -ENXIO;
+
+	devname = ndctl_pfn_get_devname(pfn);
 	begin = ndctl_pfn_get_resource(pfn);
 	if (begin == ULLONG_MAX)
 		return -ENXIO;
diff --git a/test/libndctl.c b/test/libndctl.c
index 24d72b3..05e5ff2 100644
--- a/test/libndctl.c
+++ b/test/libndctl.c
@@ -1275,7 +1275,7 @@ static int check_pfn_autodetect(struct ndctl_bus *bus,
 		if (!ndctl_pfn_is_enabled(pfn))
 			continue;
 		pfn_ndns = ndctl_pfn_get_namespace(pfn);
-		if (strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
+		if (!pfn_ndns || strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
 			continue;
 		fprintf(stderr, "%s: pfn_ndns: %p ndns: %p\n", __func__,
 				pfn_ndns, ndns);
@@ -1372,7 +1372,7 @@ static int check_dax_autodetect(struct ndctl_bus *bus,
 		if (!ndctl_dax_is_enabled(dax))
 			continue;
 		dax_ndns = ndctl_dax_get_namespace(dax);
-		if (strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
+		if (!dax_ndns || strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
 			continue;
 		fprintf(stderr, "%s: dax_ndns: %p ndns: %p\n", __func__,
 				dax_ndns, ndns);
diff --git a/util/json.c b/util/json.c
index ca0167b..249f021 100644
--- a/util/json.c
+++ b/util/json.c
@@ -1002,6 +1002,8 @@ static struct json_object *util_pfn_badblocks_to_json(struct ndctl_pfn *pfn,
 	pfn_begin = ndctl_pfn_get_resource(pfn);
 	if (pfn_begin == ULLONG_MAX) {
 		struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
+		if (!ndns)
+			return NULL;

 		return util_namespace_badblocks_to_json(ndns, bb_count, flags);
 	}
-- 
2.23.0




.




^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace()
  2021-06-15 12:37 [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
  2021-06-15 12:38 ` [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace Zhiqiang Liu
@ 2021-06-15 12:39 ` Zhiqiang Liu
  2021-06-30 17:47   ` Alison Schofield
  2021-06-30  2:55 ` [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
  2 siblings, 1 reply; 9+ messages in thread
From: Zhiqiang Liu @ 2021-06-15 12:39 UTC (permalink / raw)
  To: vishal.l.verma; +Cc: nvdimm, linfeilong, lixiaokeng, liuzhiqiang26


In do_xaction_namespace(), ri_ctx.f_out should be closed after
being opened.

Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
---
 ndctl/namespace.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/ndctl/namespace.c b/ndctl/namespace.c
index 21089d7..55364ac 100644
--- a/ndctl/namespace.c
+++ b/ndctl/namespace.c
@@ -2141,7 +2141,7 @@ static int do_xaction_namespace(const char *namespace,
 				util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);
 			if (rc >= 0)
 				(*processed)++;
-			return rc;
+			goto out;
 		}
 	}

@@ -2152,11 +2152,11 @@ static int do_xaction_namespace(const char *namespace,
 		rc = file_write_infoblock(param.outfile);
 		if (rc >= 0)
 			(*processed)++;
-		return rc;
+		goto out;
 	}

 	if (!namespace && action != ACTION_CREATE)
-		return rc;
+		goto out;

 	if (verbose)
 		ndctl_set_log_priority(ctx, LOG_DEBUG);
@@ -2212,7 +2212,7 @@ static int do_xaction_namespace(const char *namespace,
 						saved_rc = rc;
 						continue;
 				}
-				return rc;
+				goto out;
 			}
 			ndctl_namespace_foreach_safe(region, ndns, _n) {
 				ndns_name = ndctl_namespace_get_devname(ndns);
@@ -2259,7 +2259,7 @@ static int do_xaction_namespace(const char *namespace,
 					rc = namespace_reconfig(region, ndns);
 					if (rc == 0)
 						*processed = 1;
-					return rc;
+					goto out;
 				case ACTION_READ_INFOBLOCK:
 					rc = namespace_rw_infoblock(ndns, &ri_ctx, READ);
 					if (rc == 0)
@@ -2281,9 +2281,6 @@ static int do_xaction_namespace(const char *namespace,
 	if (ri_ctx.jblocks)
 		util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);

-	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
-		fclose(ri_ctx.f_out);
-
 	if (action == ACTION_CREATE && rc == -EAGAIN) {
 		/*
 		 * Namespace creation searched through all candidate
@@ -2301,6 +2298,10 @@ static int do_xaction_namespace(const char *namespace,
 	if (saved_rc)
 		rc = saved_rc;

+out:
+	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
+		fclose(ri_ctx.f_out);
+
 	return rc;
 }

-- 
2.23.0




.




^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 0/2] fix two issues reported by Coverity
  2021-06-15 12:37 [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
  2021-06-15 12:38 ` [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace Zhiqiang Liu
  2021-06-15 12:39 ` [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace() Zhiqiang Liu
@ 2021-06-30  2:55 ` Zhiqiang Liu
  2 siblings, 0 replies; 9+ messages in thread
From: Zhiqiang Liu @ 2021-06-30  2:55 UTC (permalink / raw)
  To: vishal.l.verma; +Cc: nvdimm, linfeilong, lixiaokeng, liuzhiqiang26

friendly ping..

On 2021/6/15 20:37, Zhiqiang Liu wrote:
> Recently, we use Coverity to analysis the ndctl package, again.
> Two issues should be resolved to make Coverity happy.
>
> Zhiqiang Liu (2):
>   libndctl: check return value of ndctl_pfn_get_namespace
>   namespace: fix potentail fd leak problem in do_xaction_namespace()
>
>  ndctl/namespace.c | 35 +++++++++++++++++++++++------------
>  test/libndctl.c   |  4 ++--
>  util/json.c       |  2 ++
>  3 files changed, 27 insertions(+), 14 deletions(-)
>


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace
  2021-06-15 12:38 ` [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace Zhiqiang Liu
@ 2021-06-30 17:41   ` Alison Schofield
  2021-07-01  3:23     ` Zhiqiang Liu
  0 siblings, 1 reply; 9+ messages in thread
From: Alison Schofield @ 2021-06-30 17:41 UTC (permalink / raw)
  To: Zhiqiang Liu; +Cc: vishal.l.verma, nvdimm, linfeilong, lixiaokeng

On Tue, Jun 15, 2021 at 08:38:33PM +0800, Zhiqiang Liu wrote:
> 
> ndctl_pfn_get_namespace() may return NULL, so callers
> should check return value of it. Otherwise, it may
> cause access NULL pointer problem.
> 

Hi Zhiqiang,

I see you mentioned this was found by Coverity in the cover letter.
Please repeat that in the commit log here.

What about the call path:
ndctl_dax_get_namespace() --> ndctl_pfn_get_namespace()

Seems like another place where ndctl_pfn_get_namespace() could
eventually lead to a NULL ptr dereference.

Alison

> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
> ---
>  ndctl/namespace.c | 18 ++++++++++++++----
>  test/libndctl.c   |  4 ++--
>  util/json.c       |  2 ++
>  3 files changed, 18 insertions(+), 6 deletions(-)
> 
> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
> index 0c8df9f..21089d7 100644
> --- a/ndctl/namespace.c
> +++ b/ndctl/namespace.c
> @@ -1417,11 +1417,16 @@ static int nstype_clear_badblocks(struct ndctl_namespace *ndns,
> 
>  static int dax_clear_badblocks(struct ndctl_dax *dax)
>  {
> -	struct ndctl_namespace *ndns = ndctl_dax_get_namespace(dax);
> -	const char *devname = ndctl_dax_get_devname(dax);
> +	struct ndctl_namespace *ndns;
> +	const char *devname;
>  	unsigned long long begin, size;
>  	int rc;
> 
> +	ndns = ndctl_dax_get_namespace(dax);
> +	if (!ndns)
> +		return -ENXIO;
> +
> +	devname = ndctl_dax_get_devname(dax);
>  	begin = ndctl_dax_get_resource(dax);
>  	if (begin == ULLONG_MAX)
>  		return -ENXIO;
> @@ -1441,11 +1446,16 @@ static int dax_clear_badblocks(struct ndctl_dax *dax)
> 
>  static int pfn_clear_badblocks(struct ndctl_pfn *pfn)
>  {
> -	struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
> -	const char *devname = ndctl_pfn_get_devname(pfn);
> +	struct ndctl_namespace *ndns;
> +	const char *devname;
>  	unsigned long long begin, size;
>  	int rc;
> 
> +	ndns = ndctl_pfn_get_namespace(pfn);
> +	if (!ndns)
> +		return -ENXIO;
> +
> +	devname = ndctl_pfn_get_devname(pfn);
>  	begin = ndctl_pfn_get_resource(pfn);
>  	if (begin == ULLONG_MAX)
>  		return -ENXIO;
> diff --git a/test/libndctl.c b/test/libndctl.c
> index 24d72b3..05e5ff2 100644
> --- a/test/libndctl.c
> +++ b/test/libndctl.c
> @@ -1275,7 +1275,7 @@ static int check_pfn_autodetect(struct ndctl_bus *bus,
>  		if (!ndctl_pfn_is_enabled(pfn))
>  			continue;
>  		pfn_ndns = ndctl_pfn_get_namespace(pfn);
> -		if (strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
> +		if (!pfn_ndns || strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>  			continue;
>  		fprintf(stderr, "%s: pfn_ndns: %p ndns: %p\n", __func__,
>  				pfn_ndns, ndns);
> @@ -1372,7 +1372,7 @@ static int check_dax_autodetect(struct ndctl_bus *bus,
>  		if (!ndctl_dax_is_enabled(dax))
>  			continue;
>  		dax_ndns = ndctl_dax_get_namespace(dax);
> -		if (strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
> +		if (!dax_ndns || strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>  			continue;
>  		fprintf(stderr, "%s: dax_ndns: %p ndns: %p\n", __func__,
>  				dax_ndns, ndns);
> diff --git a/util/json.c b/util/json.c
> index ca0167b..249f021 100644
> --- a/util/json.c
> +++ b/util/json.c
> @@ -1002,6 +1002,8 @@ static struct json_object *util_pfn_badblocks_to_json(struct ndctl_pfn *pfn,
>  	pfn_begin = ndctl_pfn_get_resource(pfn);
>  	if (pfn_begin == ULLONG_MAX) {
>  		struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
> +		if (!ndns)
> +			return NULL;
> 
>  		return util_namespace_badblocks_to_json(ndns, bb_count, flags);
>  	}
> -- 
> 2.23.0
> 
> 
> 
> 
> .
> 
> 
> 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace()
  2021-06-15 12:39 ` [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace() Zhiqiang Liu
@ 2021-06-30 17:47   ` Alison Schofield
  2021-07-01  1:42     ` Zhiqiang Liu
  0 siblings, 1 reply; 9+ messages in thread
From: Alison Schofield @ 2021-06-30 17:47 UTC (permalink / raw)
  To: Zhiqiang Liu; +Cc: vishal.l.verma, nvdimm, linfeilong, lixiaokeng

On Tue, Jun 15, 2021 at 08:39:20PM +0800, Zhiqiang Liu wrote:
> 
> In do_xaction_namespace(), ri_ctx.f_out should be closed after
> being opened.
> 

Hi Zhiqiang,

The commit message and commit log need to be swapped.

Something like:

Commit message says what the patch does:
[ndctl PATCH 2/2] namespace: Close fd before return in do_xaction_namespace()

Commit log says why it needs to be done:
This prevents a potential file descriptor leak in do_xaction_namespace()

And, same as in Patch 1 - mention it was found by Coverity.

Alison

> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
> ---
>  ndctl/namespace.c | 17 +++++++++--------
>  1 file changed, 9 insertions(+), 8 deletions(-)
> 
> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
> index 21089d7..55364ac 100644
> --- a/ndctl/namespace.c
> +++ b/ndctl/namespace.c
> @@ -2141,7 +2141,7 @@ static int do_xaction_namespace(const char *namespace,
>  				util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);
>  			if (rc >= 0)
>  				(*processed)++;
> -			return rc;
> +			goto out;
>  		}
>  	}
> 
> @@ -2152,11 +2152,11 @@ static int do_xaction_namespace(const char *namespace,
>  		rc = file_write_infoblock(param.outfile);
>  		if (rc >= 0)
>  			(*processed)++;
> -		return rc;
> +		goto out;
>  	}
> 
>  	if (!namespace && action != ACTION_CREATE)
> -		return rc;
> +		goto out;
> 
>  	if (verbose)
>  		ndctl_set_log_priority(ctx, LOG_DEBUG);
> @@ -2212,7 +2212,7 @@ static int do_xaction_namespace(const char *namespace,
>  						saved_rc = rc;
>  						continue;
>  				}
> -				return rc;
> +				goto out;
>  			}
>  			ndctl_namespace_foreach_safe(region, ndns, _n) {
>  				ndns_name = ndctl_namespace_get_devname(ndns);
> @@ -2259,7 +2259,7 @@ static int do_xaction_namespace(const char *namespace,
>  					rc = namespace_reconfig(region, ndns);
>  					if (rc == 0)
>  						*processed = 1;
> -					return rc;
> +					goto out;
>  				case ACTION_READ_INFOBLOCK:
>  					rc = namespace_rw_infoblock(ndns, &ri_ctx, READ);
>  					if (rc == 0)
> @@ -2281,9 +2281,6 @@ static int do_xaction_namespace(const char *namespace,
>  	if (ri_ctx.jblocks)
>  		util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);
> 
> -	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
> -		fclose(ri_ctx.f_out);
> -
>  	if (action == ACTION_CREATE && rc == -EAGAIN) {
>  		/*
>  		 * Namespace creation searched through all candidate
> @@ -2301,6 +2298,10 @@ static int do_xaction_namespace(const char *namespace,
>  	if (saved_rc)
>  		rc = saved_rc;
> 
> +out:
> +	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
> +		fclose(ri_ctx.f_out);
> +
>  	return rc;
>  }
> 
> -- 
> 2.23.0
> 
> 
> 
> 
> .
> 
> 
> 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace()
  2021-06-30 17:47   ` Alison Schofield
@ 2021-07-01  1:42     ` Zhiqiang Liu
  0 siblings, 0 replies; 9+ messages in thread
From: Zhiqiang Liu @ 2021-07-01  1:42 UTC (permalink / raw)
  To: Alison Schofield; +Cc: vishal.l.verma, nvdimm, linfeilong, lixiaokeng


On 2021/7/1 1:47, Alison Schofield wrote:
> On Tue, Jun 15, 2021 at 08:39:20PM +0800, Zhiqiang Liu wrote:
>> In do_xaction_namespace(), ri_ctx.f_out should be closed after
>> being opened.
>>
> Hi Zhiqiang,
>
> The commit message and commit log need to be swapped.
>
> Something like:
>
> Commit message says what the patch does:
> [ndctl PATCH 2/2] namespace: Close fd before return in do_xaction_namespace()
>
> Commit log says why it needs to be done:
> This prevents a potential file descriptor leak in do_xaction_namespace()
>
> And, same as in Patch 1 - mention it was found by Coverity.
>
> Alison

Thanks for your advice.

I will do that as your suggestion in v2 patch.



>
>> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>> ---
>>  ndctl/namespace.c | 17 +++++++++--------
>>  1 file changed, 9 insertions(+), 8 deletions(-)
>>
>> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
>> index 21089d7..55364ac 100644
>> --- a/ndctl/namespace.c
>> +++ b/ndctl/namespace.c
>> @@ -2141,7 +2141,7 @@ static int do_xaction_namespace(const char *namespace,
>>  				util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);
>>  			if (rc >= 0)
>>  				(*processed)++;
>> -			return rc;
>> +			goto out;
>>  		}
>>  	}
>>
>> @@ -2152,11 +2152,11 @@ static int do_xaction_namespace(const char *namespace,
>>  		rc = file_write_infoblock(param.outfile);
>>  		if (rc >= 0)
>>  			(*processed)++;
>> -		return rc;
>> +		goto out;
>>  	}
>>
>>  	if (!namespace && action != ACTION_CREATE)
>> -		return rc;
>> +		goto out;
>>
>>  	if (verbose)
>>  		ndctl_set_log_priority(ctx, LOG_DEBUG);
>> @@ -2212,7 +2212,7 @@ static int do_xaction_namespace(const char *namespace,
>>  						saved_rc = rc;
>>  						continue;
>>  				}
>> -				return rc;
>> +				goto out;
>>  			}
>>  			ndctl_namespace_foreach_safe(region, ndns, _n) {
>>  				ndns_name = ndctl_namespace_get_devname(ndns);
>> @@ -2259,7 +2259,7 @@ static int do_xaction_namespace(const char *namespace,
>>  					rc = namespace_reconfig(region, ndns);
>>  					if (rc == 0)
>>  						*processed = 1;
>> -					return rc;
>> +					goto out;
>>  				case ACTION_READ_INFOBLOCK:
>>  					rc = namespace_rw_infoblock(ndns, &ri_ctx, READ);
>>  					if (rc == 0)
>> @@ -2281,9 +2281,6 @@ static int do_xaction_namespace(const char *namespace,
>>  	if (ri_ctx.jblocks)
>>  		util_display_json_array(ri_ctx.f_out, ri_ctx.jblocks, 0);
>>
>> -	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
>> -		fclose(ri_ctx.f_out);
>> -
>>  	if (action == ACTION_CREATE && rc == -EAGAIN) {
>>  		/*
>>  		 * Namespace creation searched through all candidate
>> @@ -2301,6 +2298,10 @@ static int do_xaction_namespace(const char *namespace,
>>  	if (saved_rc)
>>  		rc = saved_rc;
>>
>> +out:
>> +	if (ri_ctx.f_out && ri_ctx.f_out != stdout)
>> +		fclose(ri_ctx.f_out);
>> +
>>  	return rc;
>>  }
>>
>> -- 
>> 2.23.0
>>
>>
>>
>>
>> .
>>
>>
>>
> .


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace
  2021-06-30 17:41   ` Alison Schofield
@ 2021-07-01  3:23     ` Zhiqiang Liu
  2021-07-06  4:35       ` Zhiqiang Liu
  0 siblings, 1 reply; 9+ messages in thread
From: Zhiqiang Liu @ 2021-07-01  3:23 UTC (permalink / raw)
  To: Alison Schofield; +Cc: vishal.l.verma, nvdimm, linfeilong, lixiaokeng


On 2021/7/1 1:41, Alison Schofield wrote:
> On Tue, Jun 15, 2021 at 08:38:33PM +0800, Zhiqiang Liu wrote:
>> ndctl_pfn_get_namespace() may return NULL, so callers
>> should check return value of it. Otherwise, it may
>> cause access NULL pointer problem.
>>
> Hi Zhiqiang,
>
> I see you mentioned this was found by Coverity in the cover letter.
> Please repeat that in the commit log here.
>
> What about the call path:
> ndctl_dax_get_namespace() --> ndctl_pfn_get_namespace()
>
> Seems like another place where ndctl_pfn_get_namespace() could
> eventually lead to a NULL ptr dereference.
>
> Alison

Thanks for your reply.

Call path:

namespace_clear_bb

 -> if (dax) dax_clear_badblocks(dax)

     ->ndctl_dax_get_namespace(dax)

        ->ndctl_pfn_get_namespace(&dax->pfn)

            ->ndctl_pfn_get_ctx(pfn)


struct ndctl_dax {
    struct ndctl_pfn pfn;
    struct daxctl_region *region;
};

Here, we have checked that dax is not NULL before calling ndctl_dax_get_namespace(dax).

If dax is not a NULL pointer, the dax->pfn will not be a NULL pointer.

As for ndctl_pfn_get_ctx(pfn), it will access pfn->region->bus without NULL-checking, which

may lead to a NULL ptr dereference as you said. I will correct it in the v2 patch.


Regards,

Zhiqiang Liu

>> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>> ---
>>  ndctl/namespace.c | 18 ++++++++++++++----
>>  test/libndctl.c   |  4 ++--
>>  util/json.c       |  2 ++
>>  3 files changed, 18 insertions(+), 6 deletions(-)
>>
>> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
>> index 0c8df9f..21089d7 100644
>> --- a/ndctl/namespace.c
>> +++ b/ndctl/namespace.c
>> @@ -1417,11 +1417,16 @@ static int nstype_clear_badblocks(struct ndctl_namespace *ndns,
>>
>>  static int dax_clear_badblocks(struct ndctl_dax *dax)
>>  {
>> -	struct ndctl_namespace *ndns = ndctl_dax_get_namespace(dax);
>> -	const char *devname = ndctl_dax_get_devname(dax);
>> +	struct ndctl_namespace *ndns;
>> +	const char *devname;
>>  	unsigned long long begin, size;
>>  	int rc;
>>
>> +	ndns = ndctl_dax_get_namespace(dax);
>> +	if (!ndns)
>> +		return -ENXIO;
>> +
>> +	devname = ndctl_dax_get_devname(dax);
>>  	begin = ndctl_dax_get_resource(dax);
>>  	if (begin == ULLONG_MAX)
>>  		return -ENXIO;
>> @@ -1441,11 +1446,16 @@ static int dax_clear_badblocks(struct ndctl_dax *dax)
>>
>>  static int pfn_clear_badblocks(struct ndctl_pfn *pfn)
>>  {
>> -	struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>> -	const char *devname = ndctl_pfn_get_devname(pfn);
>> +	struct ndctl_namespace *ndns;
>> +	const char *devname;
>>  	unsigned long long begin, size;
>>  	int rc;
>>
>> +	ndns = ndctl_pfn_get_namespace(pfn);
>> +	if (!ndns)
>> +		return -ENXIO;
>> +
>> +	devname = ndctl_pfn_get_devname(pfn);
>>  	begin = ndctl_pfn_get_resource(pfn);
>>  	if (begin == ULLONG_MAX)
>>  		return -ENXIO;
>> diff --git a/test/libndctl.c b/test/libndctl.c
>> index 24d72b3..05e5ff2 100644
>> --- a/test/libndctl.c
>> +++ b/test/libndctl.c
>> @@ -1275,7 +1275,7 @@ static int check_pfn_autodetect(struct ndctl_bus *bus,
>>  		if (!ndctl_pfn_is_enabled(pfn))
>>  			continue;
>>  		pfn_ndns = ndctl_pfn_get_namespace(pfn);
>> -		if (strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>> +		if (!pfn_ndns || strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>>  			continue;
>>  		fprintf(stderr, "%s: pfn_ndns: %p ndns: %p\n", __func__,
>>  				pfn_ndns, ndns);
>> @@ -1372,7 +1372,7 @@ static int check_dax_autodetect(struct ndctl_bus *bus,
>>  		if (!ndctl_dax_is_enabled(dax))
>>  			continue;
>>  		dax_ndns = ndctl_dax_get_namespace(dax);
>> -		if (strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>> +		if (!dax_ndns || strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>>  			continue;
>>  		fprintf(stderr, "%s: dax_ndns: %p ndns: %p\n", __func__,
>>  				dax_ndns, ndns);
>> diff --git a/util/json.c b/util/json.c
>> index ca0167b..249f021 100644
>> --- a/util/json.c
>> +++ b/util/json.c
>> @@ -1002,6 +1002,8 @@ static struct json_object *util_pfn_badblocks_to_json(struct ndctl_pfn *pfn,
>>  	pfn_begin = ndctl_pfn_get_resource(pfn);
>>  	if (pfn_begin == ULLONG_MAX) {
>>  		struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>> +		if (!ndns)
>> +			return NULL;
>>
>>  		return util_namespace_badblocks_to_json(ndns, bb_count, flags);
>>  	}
>> -- 
>> 2.23.0
>>
>>
>>
>>
>> .
>>
>>
>>
> .


^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace
  2021-07-01  3:23     ` Zhiqiang Liu
@ 2021-07-06  4:35       ` Zhiqiang Liu
  0 siblings, 0 replies; 9+ messages in thread
From: Zhiqiang Liu @ 2021-07-06  4:35 UTC (permalink / raw)
  To: Alison Schofield; +Cc: vishal.l.verma, nvdimm, linfeilong, lixiaokeng



On 2021/7/1 11:23, Zhiqiang Liu wrote:
> 
> On 2021/7/1 1:41, Alison Schofield wrote:
>> On Tue, Jun 15, 2021 at 08:38:33PM +0800, Zhiqiang Liu wrote:
>>> ndctl_pfn_get_namespace() may return NULL, so callers
>>> should check return value of it. Otherwise, it may
>>> cause access NULL pointer problem.
>>>
>> Hi Zhiqiang,
>>
>> I see you mentioned this was found by Coverity in the cover letter.
>> Please repeat that in the commit log here.
>>
>> What about the call path:
>> ndctl_dax_get_namespace() --> ndctl_pfn_get_namespace()
>>
>> Seems like another place where ndctl_pfn_get_namespace() could
>> eventually lead to a NULL ptr dereference.
>>
>> Alison
> 
> Thanks for your reply.
> 
> Call path:
> 
> namespace_clear_bb
> 
>  -> if (dax) dax_clear_badblocks(dax)
> 
>      ->ndctl_dax_get_namespace(dax)
> 
>         ->ndctl_pfn_get_namespace(&dax->pfn)
> 
>             ->ndctl_pfn_get_ctx(pfn)
> 
> 
> struct ndctl_dax {
>     struct ndctl_pfn pfn;
>     struct daxctl_region *region;
> };
> 
> Here, we have checked that dax is not NULL before calling ndctl_dax_get_namespace(dax).
> 
> If dax is not a NULL pointer, the dax->pfn will not be a NULL pointer.
> 
> As for ndctl_pfn_get_ctx(pfn), it will access pfn->region->bus without NULL-checking, which
> 
> may lead to a NULL ptr dereference as you said. I will correct it in the v2 patch.
> 

Null_check in ndctl_pfn_get_**(pfn) is a common problem. I will try to solve this kind
problem in new patches.

Regards
Zhiqiang Liu

> 
> Regards,
> 
> Zhiqiang Liu
> 
>>> Signed-off-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
>>> ---
>>>  ndctl/namespace.c | 18 ++++++++++++++----
>>>  test/libndctl.c   |  4 ++--
>>>  util/json.c       |  2 ++
>>>  3 files changed, 18 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/ndctl/namespace.c b/ndctl/namespace.c
>>> index 0c8df9f..21089d7 100644
>>> --- a/ndctl/namespace.c
>>> +++ b/ndctl/namespace.c
>>> @@ -1417,11 +1417,16 @@ static int nstype_clear_badblocks(struct ndctl_namespace *ndns,
>>>
>>>  static int dax_clear_badblocks(struct ndctl_dax *dax)
>>>  {
>>> -	struct ndctl_namespace *ndns = ndctl_dax_get_namespace(dax);
>>> -	const char *devname = ndctl_dax_get_devname(dax);
>>> +	struct ndctl_namespace *ndns;
>>> +	const char *devname;
>>>  	unsigned long long begin, size;
>>>  	int rc;
>>>
>>> +	ndns = ndctl_dax_get_namespace(dax);
>>> +	if (!ndns)
>>> +		return -ENXIO;
>>> +
>>> +	devname = ndctl_dax_get_devname(dax);
>>>  	begin = ndctl_dax_get_resource(dax);
>>>  	if (begin == ULLONG_MAX)
>>>  		return -ENXIO;
>>> @@ -1441,11 +1446,16 @@ static int dax_clear_badblocks(struct ndctl_dax *dax)
>>>
>>>  static int pfn_clear_badblocks(struct ndctl_pfn *pfn)
>>>  {
>>> -	struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>>> -	const char *devname = ndctl_pfn_get_devname(pfn);
>>> +	struct ndctl_namespace *ndns;
>>> +	const char *devname;
>>>  	unsigned long long begin, size;
>>>  	int rc;
>>>
>>> +	ndns = ndctl_pfn_get_namespace(pfn);
>>> +	if (!ndns)
>>> +		return -ENXIO;
>>> +
>>> +	devname = ndctl_pfn_get_devname(pfn);
>>>  	begin = ndctl_pfn_get_resource(pfn);
>>>  	if (begin == ULLONG_MAX)
>>>  		return -ENXIO;
>>> diff --git a/test/libndctl.c b/test/libndctl.c
>>> index 24d72b3..05e5ff2 100644
>>> --- a/test/libndctl.c
>>> +++ b/test/libndctl.c
>>> @@ -1275,7 +1275,7 @@ static int check_pfn_autodetect(struct ndctl_bus *bus,
>>>  		if (!ndctl_pfn_is_enabled(pfn))
>>>  			continue;
>>>  		pfn_ndns = ndctl_pfn_get_namespace(pfn);
>>> -		if (strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>>> +		if (!pfn_ndns || strcmp(ndctl_namespace_get_devname(pfn_ndns), devname) != 0)
>>>  			continue;
>>>  		fprintf(stderr, "%s: pfn_ndns: %p ndns: %p\n", __func__,
>>>  				pfn_ndns, ndns);
>>> @@ -1372,7 +1372,7 @@ static int check_dax_autodetect(struct ndctl_bus *bus,
>>>  		if (!ndctl_dax_is_enabled(dax))
>>>  			continue;
>>>  		dax_ndns = ndctl_dax_get_namespace(dax);
>>> -		if (strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>>> +		if (!dax_ndns || strcmp(ndctl_namespace_get_devname(dax_ndns), devname) != 0)
>>>  			continue;
>>>  		fprintf(stderr, "%s: dax_ndns: %p ndns: %p\n", __func__,
>>>  				dax_ndns, ndns);
>>> diff --git a/util/json.c b/util/json.c
>>> index ca0167b..249f021 100644
>>> --- a/util/json.c
>>> +++ b/util/json.c
>>> @@ -1002,6 +1002,8 @@ static struct json_object *util_pfn_badblocks_to_json(struct ndctl_pfn *pfn,
>>>  	pfn_begin = ndctl_pfn_get_resource(pfn);
>>>  	if (pfn_begin == ULLONG_MAX) {
>>>  		struct ndctl_namespace *ndns = ndctl_pfn_get_namespace(pfn);
>>> +		if (!ndns)
>>> +			return NULL;
>>>
>>>  		return util_namespace_badblocks_to_json(ndns, bb_count, flags);
>>>  	}
>>> -- 
>>> 2.23.0
>>>
>>>
>>>
>>>
>>> .
>>>
>>>
>>>
>> .


^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2021-07-06  4:35 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-15 12:37 [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu
2021-06-15 12:38 ` [ndctl PATCH 1/2] libndctl: check return value of ndctl_pfn_get_namespace Zhiqiang Liu
2021-06-30 17:41   ` Alison Schofield
2021-07-01  3:23     ` Zhiqiang Liu
2021-07-06  4:35       ` Zhiqiang Liu
2021-06-15 12:39 ` [ndctl PATCH 2/2] namespace: fix potentail fd leak problem in do_xaction_namespace() Zhiqiang Liu
2021-06-30 17:47   ` Alison Schofield
2021-07-01  1:42     ` Zhiqiang Liu
2021-06-30  2:55 ` [ndctl PATCH 0/2] fix two issues reported by Coverity Zhiqiang Liu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).