From: Dan Carpenter <error27@gmail.com>
To: Maxim Levitsky <maximlevitsky@gmail.com>
Cc: Mauro Carvalho Chehab <mchehab@infradead.org>,
linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [patch] IR: ene_ir: problems in unwinding on probe
Date: Thu, 12 Aug 2010 16:19:27 +0000
Message-ID: <20100812161927.GQ645@bicker>
In-Reply-To: <1281623704.10393.2.camel@maxim-laptop>

On Thu, Aug 12, 2010 at 05:35:04PM +0300, Maxim Levitsky wrote:
> On Thu, 2010-08-12 at 09:46 +0200, Dan Carpenter wrote:
> > There were a couple issues here. If the allocation failed for "dev"
> > then it would lead to a NULL dereference. If request_irq() or
> > request_region() failed it would release the irq and the region even
> > though they were not successfully acquired.
> >
> > Signed-off-by: Dan Carpenter <error27@gmail.com>
>
> I don't think this is needed.
> I just alloc all the stuff, and if one of the allocations fails, I free them
> all. {k}free on NULL pointer is perfectly legal.
>
> Same about IO and IRQ.
> IRQ0 and IO 0 aren't valid, and I do test that in error path.
>
>

Here is the original code:

Here is where we set "dev".

        dev = kzalloc(sizeof(struct ene_device), GFP_KERNEL);

        if (!input_dev || !ir_props || !dev)
                goto error;

[snip]

Here is where we set the IO and IRQ:

        dev->hw_io = pnp_port_start(pnp_dev, 0);
        dev->irq = pnp_irq(pnp_dev, 0);

[snip]

Here is where the request_region() and request_irq() are.

        if (!request_region(dev->hw_io, ENE_MAX_IO, ENE_DRIVER_NAME))
                goto error;

        if (request_irq(dev->irq, ene_isr,
                        IRQF_SHARED, ENE_DRIVER_NAME, (void *)dev))
                goto error;

[snip]

Here is the error label:

error:
        if (dev->irq)
            ^^^^^^^^
Oops! The allocation of dev failed and this is a NULL
dereference.

                free_irq(dev->irq, dev);

Oops! Request region failed and dev->irq is non-zero but
request_irq() hasn't been called.

        if (dev->hw_io)
                release_region(dev->hw_io, ENE_MAX_IO);

Oops! dev->hw_io is non-zero but request_region() failed and so
we just released someone else's region.

Hehe. :P

regards,
dan carpenter
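
The unwinding problem described in this message, as an added example that is not part of the original mail or the ene_ir driver: a user-space C model of a probe routine in which each error label releases only what was acquired before the failing step. The names `sim`, `fake_dev`, `probe_unwind` and the values 0x300 and 5 are constructed for illustration.

```c
#include <stdlib.h>

/* Constructed user-space model; names here are not from ene_ir. */
enum step { FAIL_ALLOC, FAIL_REGION, FAIL_IRQ, FAIL_NONE };
struct fake_dev { unsigned long hw_io; int irq; };
struct sim {
	enum step fail_at;          /* injected failure point */
	int region_held, irq_held;  /* what this probe really owns */
	int bad_release;            /* releases of things never acquired */
};

static int sim_request(struct sim *s, enum step me, int *held)
{
	if (s->fail_at == me)
		return -1;
	*held = 1;
	return 0;
}

static void sim_release(struct sim *s, int *held)
{
	if (!*held)
		s->bad_release++;   /* would hit another owner's resource */
	*held = 0;
}

/* Labelled unwind: each label releases only what was acquired before it. */
int probe_unwind(struct sim *s)
{
	struct fake_dev *dev = s->fail_at == FAIL_ALLOC ? NULL : calloc(1, sizeof(*dev));

	if (!dev)
		goto err_out;       /* nothing to dereference or release */
	dev->hw_io = 0x300;         /* constructed values, set before any */
	dev->irq = 5;               /* request: non-zero does not mean held */
	if (sim_request(s, FAIL_REGION, &s->region_held))
		goto err_free_dev;
	if (sim_request(s, FAIL_IRQ, &s->irq_held))
		goto err_release_region;
	free(dev);                  /* model only: a real driver keeps dev */
	return 0;

err_release_region:
	sim_release(s, &s->region_held);
err_free_dev:
	free(dev);
err_out:
	return -1;
}
```

Because `hw_io` and `irq` are filled in before either request is made, a cleanup keyed on those fields being non-zero cannot tell "known" from "held"; the label order carries that information instead.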