From: Dan Carpenter <dan.carpenter@oracle.com>
To: SF Markus Elfring <elfring@users.sourceforge.net>
Cc: devel@driverdev.osuosl.org, Chris Cesare <chris.cesare@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
H Hartley Sweeten <hsweeten@visionengravers.com>,
Ian Abbott <abbotti@mev.co.uk>,
LKML <linux-kernel@vger.kernel.org>,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH 2/5] staging: comedi: usbdux: Split a condition check in usbdux_alloc_usb_buffers()
Date: Thu, 08 Dec 2016 12:35:21 +0000 [thread overview]
Message-ID: <20161208123521.GT8176@mwanda> (raw)
In-Reply-To: <50c7beca-40ba-6d58-5e2d-568844382bfe@users.sourceforge.net>
On Thu, Dec 08, 2016 at 12:34:27PM +0100, SF Markus Elfring wrote:
> From: Markus Elfring <elfring@users.sourceforge.net>
> Date: Thu, 8 Dec 2016 10:01:54 +0100
>
> The functions "kcalloc" and "kzalloc" were called in four cases by the
> function "usbdux_alloc_usb_buffers" without checking immediately
> if they succeeded.
> This issue was detected by using the Coccinelle software.
>
> Allocated memory was also not released if one of these function
> calls failed.
>
> * Split a condition check for memory allocation failures.
>
> * Add more exception handling.
>
> Fixes: ef1e3c4a3b383c6da3979670fcb5c6e9c7de4741 ("staging: comedi: usbdux: tidy up usbdux_alloc_usb_buffers()")
>
> Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
> ---
> drivers/staging/comedi/drivers/usbdux.c | 53 ++++++++++++++++++++++++++-------
> 1 file changed, 43 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/staging/comedi/drivers/usbdux.c b/drivers/staging/comedi/drivers/usbdux.c
> index f4f05d29d30d..d7d683bd669c 100644
> --- a/drivers/staging/comedi/drivers/usbdux.c
> +++ b/drivers/staging/comedi/drivers/usbdux.c
> @@ -1449,24 +1449,35 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> struct usb_device *usb = comedi_to_usb_dev(dev);
> struct usbdux_private *devpriv = dev->private;
> struct urb *urb;
> - int i;
> + int i, x;
>
> devpriv->dux_commands = kzalloc(SIZEOFDUXBUFFER, GFP_KERNEL);
> + if (!devpriv->dux_commands)
> + return -ENOMEM;
> +
> devpriv->in_buf = kzalloc(SIZEINBUF, GFP_KERNEL);
> + if (!devpriv->in_buf)
> + goto free_commands;
> +
> devpriv->insn_buf = kzalloc(SIZEINSNBUF, GFP_KERNEL);
> + if (!devpriv->insn_buf)
> + goto free_in_buf;
> +
> devpriv->ai_urbs = kcalloc(devpriv->n_ai_urbs, sizeof(void *),
> GFP_KERNEL);
> + if (!devpriv->ai_urbs)
> + goto free_insn_buf;
> +
> devpriv->ao_urbs = kcalloc(devpriv->n_ao_urbs, sizeof(void *),
> GFP_KERNEL);
> - if (!devpriv->dux_commands || !devpriv->in_buf || !devpriv->insn_buf ||
> - !devpriv->ai_urbs || !devpriv->ao_urbs)
> - return -ENOMEM;
> + if (!devpriv->ao_urbs)
> + goto free_ai_urbs;
>
> for (i = 0; i < devpriv->n_ai_urbs; i++) {
> /* one frame: 1ms */
> urb = usb_alloc_urb(1, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ai_urbs;
> devpriv->ai_urbs[i] = urb;
>
> urb->dev = usb;
> @@ -1475,7 +1486,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> urb->transfer_flags = URB_ISO_ASAP;
> urb->transfer_buffer = kzalloc(SIZEINBUF, GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_n_ai_urbs;
>
> urb->complete = usbduxsub_ai_isoc_irq;
> urb->number_of_packets = 1;
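Review bot: When the `kzalloc(SIZEINBUF, GFP_KERNEL)` for `urb->transfer_buffer` fails here, the URB already stored in `devpriv->ai_urbs[i]` is leaked, because the `free_n_ai_urbs` loop added at the end of the function only walks `x < i` and so skips the current index. The same applies to the `SIZEOUTBUF` allocation in the ao loop (the hunk at -1497), which jumps to `free_n_ao_urbs`. Releasing the current entry before the jump would close it: `usb_free_urb(urb);` and `devpriv->ai_urbs[i] = NULL;` ahead of `goto free_n_ai_urbs;`. The loop starts in the previous hunk and continues past the end of this one.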
> @@ -1488,7 +1499,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> /* one frame: 1ms */
> urb = usb_alloc_urb(1, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
> devpriv->ao_urbs[i] = urb;
>
> urb->dev = usb;
> @@ -1497,7 +1508,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> urb->transfer_flags = URB_ISO_ASAP;
> urb->transfer_buffer = kzalloc(SIZEOUTBUF, GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
>
> urb->complete = usbduxsub_ao_isoc_irq;
> urb->number_of_packets = 1;
> @@ -1514,17 +1525,39 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> if (devpriv->pwm_buf_sz) {
> urb = usb_alloc_urb(0, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
> devpriv->pwm_urb = urb;
>
> /* max bulk ep size in high speed */
> urb->transfer_buffer = kzalloc(devpriv->pwm_buf_sz,
> GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_pwm_urb;
> }
>
> return 0;
> +free_pwm_urb:
> + usb_free_urb(urb);
> +free_n_ao_urbs:
> + for (x = 0; x < i; ++x) {
> + kfree(devpriv->ao_urbs[x]->transfer_buffer);
> + usb_free_urb(devpriv->ao_urbs[x]);
> + }
> +free_n_ai_urbs:
> + for (x = 0; x < i; ++x) {
> + kfree(devpriv->ai_urbs[x]->transfer_buffer);
> + usb_free_urb(devpriv->ai_urbs[x]);
> + }
This is buggy. We re-use i for two loops so if it fails part way
through allocating ->ao_urbs[] then we don't free all the ->ai_urbs[].
Also the use of "x" as a generic iterator name is not idiomatic.
Better to change the first loop to use n_ai and the second to use n_ao
as iterators. Then use i as an iterator to free them.
regards,
dan carpenter
> + kfree(devpriv->ao_urbs);
> +free_ai_urbs:
> + kfree(devpriv->ai_urbs);
> +free_insn_buf:
> + kfree(devpriv->insn_buf);
> +free_in_buf:
> + kfree(devpriv->in_buf);
> +free_commands:
> + kfree(devpriv->dux_commands);
> + return -ENOMEM;
> }
>
> static void usbdux_free_usb_buffers(struct comedi_device *dev)
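Review bot: The new error labels free `devpriv->dux_commands`, `in_buf`, `insn_buf`, both URB arrays and the PWM URB, but leave the stale pointers in `devpriv`. If the caller's failure path also runs `usbdux_free_usb_buffers()` (declared right after this function; its body is not in the hunk), every one of those pointers would be freed a second time, so the change would trade a leak for a double free. Either clear each pointer after freeing it, e.g. `devpriv->pwm_urb = NULL;` after `usb_free_urb(urb);`, or confirm that nothing else tears down `devpriv` once this function returns `-ENOMEM`.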
> --
> 2.11.0
>
From: Dan Carpenter <dan.carpenter@oracle.com>
To: SF Markus Elfring <elfring@users.sourceforge.net>
Cc: devel@driverdev.osuosl.org, Chris Cesare <chris.cesare@gmail.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
H Hartley Sweeten <hsweeten@visionengravers.com>,
Ian Abbott <abbotti@mev.co.uk>,
LKML <linux-kernel@vger.kernel.org>,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH 2/5] staging: comedi: usbdux: Split a condition check in usbdux_alloc_usb_buffers()
Date: Thu, 8 Dec 2016 15:35:21 +0300 [thread overview]
Message-ID: <20161208123521.GT8176@mwanda> (raw)
In-Reply-To: <50c7beca-40ba-6d58-5e2d-568844382bfe@users.sourceforge.net>
On Thu, Dec 08, 2016 at 12:34:27PM +0100, SF Markus Elfring wrote:
> From: Markus Elfring <elfring@users.sourceforge.net>
> Date: Thu, 8 Dec 2016 10:01:54 +0100
>
> The functions "kcalloc" and "kzalloc" were called in four cases by the
> function "usbdux_alloc_usb_buffers" without checking immediately
> if they succeeded.
> This issue was detected by using the Coccinelle software.
>
> Allocated memory was also not released if one of these function
> calls failed.
>
> * Split a condition check for memory allocation failures.
>
> * Add more exception handling.
>
> Fixes: ef1e3c4a3b383c6da3979670fcb5c6e9c7de4741 ("staging: comedi: usbdux: tidy up usbdux_alloc_usb_buffers()")
>
> Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
> ---
> drivers/staging/comedi/drivers/usbdux.c | 53 ++++++++++++++++++++++++++-------
> 1 file changed, 43 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/staging/comedi/drivers/usbdux.c b/drivers/staging/comedi/drivers/usbdux.c
> index f4f05d29d30d..d7d683bd669c 100644
> --- a/drivers/staging/comedi/drivers/usbdux.c
> +++ b/drivers/staging/comedi/drivers/usbdux.c
> @@ -1449,24 +1449,35 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> struct usb_device *usb = comedi_to_usb_dev(dev);
> struct usbdux_private *devpriv = dev->private;
> struct urb *urb;
> - int i;
> + int i, x;
>
> devpriv->dux_commands = kzalloc(SIZEOFDUXBUFFER, GFP_KERNEL);
> + if (!devpriv->dux_commands)
> + return -ENOMEM;
> +
> devpriv->in_buf = kzalloc(SIZEINBUF, GFP_KERNEL);
> + if (!devpriv->in_buf)
> + goto free_commands;
> +
> devpriv->insn_buf = kzalloc(SIZEINSNBUF, GFP_KERNEL);
> + if (!devpriv->insn_buf)
> + goto free_in_buf;
> +
> devpriv->ai_urbs = kcalloc(devpriv->n_ai_urbs, sizeof(void *),
> GFP_KERNEL);
> + if (!devpriv->ai_urbs)
> + goto free_insn_buf;
> +
> devpriv->ao_urbs = kcalloc(devpriv->n_ao_urbs, sizeof(void *),
> GFP_KERNEL);
> - if (!devpriv->dux_commands || !devpriv->in_buf || !devpriv->insn_buf ||
> - !devpriv->ai_urbs || !devpriv->ao_urbs)
> - return -ENOMEM;
> + if (!devpriv->ao_urbs)
> + goto free_ai_urbs;
>
> for (i = 0; i < devpriv->n_ai_urbs; i++) {
> /* one frame: 1ms */
> urb = usb_alloc_urb(1, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ai_urbs;
> devpriv->ai_urbs[i] = urb;
>
> urb->dev = usb;
> @@ -1475,7 +1486,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> urb->transfer_flags = URB_ISO_ASAP;
> urb->transfer_buffer = kzalloc(SIZEINBUF, GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_n_ai_urbs;
>
> urb->complete = usbduxsub_ai_isoc_irq;
> urb->number_of_packets = 1;
> @@ -1488,7 +1499,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> /* one frame: 1ms */
> urb = usb_alloc_urb(1, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
> devpriv->ao_urbs[i] = urb;
>
> urb->dev = usb;
> @@ -1497,7 +1508,7 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> urb->transfer_flags = URB_ISO_ASAP;
> urb->transfer_buffer = kzalloc(SIZEOUTBUF, GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
>
> urb->complete = usbduxsub_ao_isoc_irq;
> urb->number_of_packets = 1;
> @@ -1514,17 +1525,39 @@ static int usbdux_alloc_usb_buffers(struct comedi_device *dev)
> if (devpriv->pwm_buf_sz) {
> urb = usb_alloc_urb(0, GFP_KERNEL);
> if (!urb)
> - return -ENOMEM;
> + goto free_n_ao_urbs;
> devpriv->pwm_urb = urb;
>
> /* max bulk ep size in high speed */
> urb->transfer_buffer = kzalloc(devpriv->pwm_buf_sz,
> GFP_KERNEL);
> if (!urb->transfer_buffer)
> - return -ENOMEM;
> + goto free_pwm_urb;
> }
>
> return 0;
> +free_pwm_urb:
> + usb_free_urb(urb);
> +free_n_ao_urbs:
> + for (x = 0; x < i; ++x) {
> + kfree(devpriv->ao_urbs[x]->transfer_buffer);
> + usb_free_urb(devpriv->ao_urbs[x]);
> + }
> +free_n_ai_urbs:
> + for (x = 0; x < i; ++x) {
> + kfree(devpriv->ai_urbs[x]->transfer_buffer);
> + usb_free_urb(devpriv->ai_urbs[x]);
> + }
This is buggy. We re-use i for two loops so if it fails part way
through allocating ->ao_urbs[] then we don't free all the ->ai_urbs[].
Also the use of "x" as a generic iterator name is not idiomatic.
Better to change the first loop to use n_ai and the second to use n_ao
as iterators. Then use i as an iterator to free them.
regards,
dan carpenter
> + kfree(devpriv->ao_urbs);
> +free_ai_urbs:
> + kfree(devpriv->ai_urbs);
> +free_insn_buf:
> + kfree(devpriv->insn_buf);
> +free_in_buf:
> + kfree(devpriv->in_buf);
> +free_commands:
> + kfree(devpriv->dux_commands);
> + return -ENOMEM;
> }
>
> static void usbdux_free_usb_buffers(struct comedi_device *dev)
> --
> 2.11.0
>