| Message ID | 20231204020745.2445944-1-chentao@kylinos.cn (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | cxl: Fix null pointer dereference in cxl_get_fd | expand |
| Context | Check | Description |
|---|---|---|
| snowpatch_ozlabs/github-powerpc_sparse | success | Successfully ran 4 jobs. |
| snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 6 jobs. |
| snowpatch_ozlabs/github-powerpc_kernel_qemu | success | Successfully ran 23 jobs. |
On 04/12/2023 03:07, Kunwu Chan wrote: > kasprintf() returns a pointer to dynamically allocated memory > which can be NULL upon failure. > > Fixes: bdecf76e319a ("cxl: Fix coredump generation when cxl_get_fd() is used") > Signed-off-by: Kunwu Chan <chentao@kylinos.cn> > --- > drivers/misc/cxl/api.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c > index d85c56530863..bfd7ccd4d7e1 100644 > --- a/drivers/misc/cxl/api.c > +++ b/drivers/misc/cxl/api.c > @@ -419,6 +419,10 @@ struct file *cxl_get_fd(struct cxl_context *ctx, struct file_operations *fops, > fops = (struct file_operations *)&afu_fops; > > name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); > + if (!name) { > + put_unused_fd(fdtmp); > + return ERR_PTR(-ENOMEM); > + } That works, but you might as well follow the existing error path: name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); if (!name) goto err_fd; Fred > file = cxl_getfile(name, fops, ctx, flags); > kfree(name); > if (IS_ERR(file))
Hi Fred,
Thanks for your reply.
But there is a question, whether we should return an error code in error
path so that the caller of the 'cxl_get_fd' can know the specific
reason. rather than just return NULL.
Such as:
- int rc, flags, fdtmp;
+ int rc = 0, flags, fdtmp;
char *name = NULL;
/* only allow one per context */
- if (ctx->mapping)
- return ERR_PTR(-EEXIST);
+ if (ctx->mapping) {
+ rc = -EEXIST;
+ goto err;
+ }
flags = O_RDWR | O_CLOEXEC;
/* This code is similar to anon_inode_getfd() */
rc = get_unused_fd_flags(flags);
- if (rc < 0)
- return ERR_PTR(rc);
+ if (rc < 0) {
+ goto err;
+ }
fdtmp = rc;
name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe);
+ if (!name) {
+ rc = -ENOMEM;
+ goto err_fd;
+ }
file = cxl_getfile(name, fops, ctx, flags);
kfree(name);
@@ -434,6 +437,9 @@ struct file *cxl_get_fd(struct cxl_context *ctx,
struct file_operations *fops,
err_fd:
put_unused_fd(fdtmp);
+err:
+ if (rc)
+ return ERR_PTR(rc);
return NULL;
Thanks again,
Kunwu
On 2023/12/4 18:43, Frederic Barrat wrote:
>
>
> On 04/12/2023 03:07, Kunwu Chan wrote:
>> kasprintf() returns a pointer to dynamically allocated memory
>> which can be NULL upon failure.
>>
>> Fixes: bdecf76e319a ("cxl: Fix coredump generation when cxl_get_fd()
>> is used")
>> Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
>> ---
>> drivers/misc/cxl/api.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c
>> index d85c56530863..bfd7ccd4d7e1 100644
>> --- a/drivers/misc/cxl/api.c
>> +++ b/drivers/misc/cxl/api.c
>> @@ -419,6 +419,10 @@ struct file *cxl_get_fd(struct cxl_context *ctx,
>> struct file_operations *fops,
>> fops = (struct file_operations *)&afu_fops;
>> name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe);
>> + if (!name) {
>> + put_unused_fd(fdtmp);
>> + return ERR_PTR(-ENOMEM);
>> + }
>
>
> That works, but you might as well follow the existing error path:
>
> name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe);
> if (!name)
> goto err_fd;
>
> Fred
>
>
>> file = cxl_getfile(name, fops, ctx, flags);
>> kfree(name);
>> if (IS_ERR(file))
diff --git a/drivers/misc/cxl/api.c b/drivers/misc/cxl/api.c index d85c56530863..bfd7ccd4d7e1 100644 --- a/drivers/misc/cxl/api.c +++ b/drivers/misc/cxl/api.c @@ -419,6 +419,10 @@ struct file *cxl_get_fd(struct cxl_context *ctx, struct file_operations *fops, fops = (struct file_operations *)&afu_fops; name = kasprintf(GFP_KERNEL, "cxl:%d", ctx->pe); + if (!name) { + put_unused_fd(fdtmp); + return ERR_PTR(-ENOMEM); + } file = cxl_getfile(name, fops, ctx, flags); kfree(name); if (IS_ERR(file))
kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure. Fixes: bdecf76e319a ("cxl: Fix coredump generation when cxl_get_fd() is used") Signed-off-by: Kunwu Chan <chentao@kylinos.cn> --- drivers/misc/cxl/api.c | 4 ++++ 1 file changed, 4 insertions(+)