All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: sean@mess.org
Cc: linux-media@vger.kernel.org
Subject: [bug report] [media] lirc: prevent use-after free
Date: Sat, 26 Nov 2016 12:57:17 +0300	[thread overview]
Message-ID: <20161126095717.GA3150@mwanda> (raw)

Hello Sean Young,

The patch afbb110172b9: "[media] lirc: prevent use-after free" from
Oct 31, 2016, leads to the following static checker warning:

	drivers/media/rc/lirc_dev.c:190 lirc_cdev_add()
	error: potential null dereference 'cdev'.  (cdev_alloc returns null)

drivers/media/rc/lirc_dev.c
   158  static int lirc_cdev_add(struct irctl *ir)
   159  {
   160          int retval = -ENOMEM;
   161          struct lirc_driver *d = &ir->d;
   162          struct cdev *cdev;
   163  
   164          cdev = cdev_alloc();
   165          if (!cdev)
   166                  goto err_out;

Classic one err bug.  Just return directly here.  return -ENOMEM is 100%
readable but goto err_out is opaque because you first have to scroll
down to see what err_out does then you have to scroll to the start of
the function to verify that retval is set.

   167  
   168          if (d->fops) {
   169                  cdev->ops = d->fops;
   170                  cdev->owner = d->owner;
   171          } else {
   172                  cdev->ops = &lirc_dev_fops;
   173                  cdev->owner = THIS_MODULE;
   174          }
   175          retval = kobject_set_name(&cdev->kobj, "lirc%d", d->minor);
   176          if (retval)
   177                  goto err_out;
   178  
   179          retval = cdev_add(cdev, MKDEV(MAJOR(lirc_base_dev), d->minor), 1);
   180          if (retval) {
   181                  kobject_put(&cdev->kobj);

This is a double free, isn't it?  It should just be goto del_cdev;

   182                  goto err_out;
   183          }
   184  
   185          ir->cdev = cdev;
   186  
   187          return 0;
   188  
   189  err_out:
   190          cdev_del(cdev);

Can't pass NULLs to this function.

   191          return retval;
   192  }

regards,
dan carpenter

             reply	other threads:[~2016-11-26  9:57 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-26  9:57 Dan Carpenter [this message]
2016-11-26 11:26 ` [bug report] [media] lirc: prevent use-after free Sean Young
2016-11-27 19:01   ` [PATCH] [media] lirc: fix error paths in lirc_cdev_add() Sean Young

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161126095717.GA3150@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-media@vger.kernel.org \
    --cc=sean@mess.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.