From: Gen Zhang <blackgod016574@gmail.com>
To: Nicolas Pitre <nico@fluxnic.net>
Cc: Greg KH <gregkh@linuxfoundation.org>,
jslaby@suse.com, kilobyte@angband.pl, textshell@uchuujin.de,
mpatocka@redhat.com, daniel.vetter@ffwll.ch,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] vt: Fix a missing-check bug in con_init()
Date: Sun, 9 Jun 2019 23:45:21 -0700 [thread overview]
Message-ID: <20190610064519.GA3143@ubuntu> (raw)
In-Reply-To: <nycvar.YSQ.7.76.1906082010430.1558@knanqh.ubzr>
On Sat, Jun 08, 2019 at 08:15:46PM -0400, Nicolas Pitre wrote:
> On Sat, 8 Jun 2019, Greg KH wrote:
>
> > On Sun, Jun 09, 2019 at 12:01:38AM +0800, Gen Zhang wrote:
> > > On Tue, May 28, 2019 at 08:45:29AM +0800, Gen Zhang wrote:
> > > > In function con_init(), the pointer variable vc_cons[currcons].d, vc and
> > > > vc->vc_screenbuf is allocated by kzalloc(). And they are used in the
> > > > following codes. However, kzalloc() returns NULL when fails, and null
> > > > pointer dereference may happen. And it will cause the kernel to crash.
> > > > Therefore, we should check the return value and handle the error.
> > > >
> > > > Further, since the allcoation is in a loop, we should free all the
> > > > allocated memory in a loop.
> > > >
> > > > Signed-off-by: Gen Zhang <blackgod016574@gmail.com>
> > > > Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
> > > > ---
> > > > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > > > index fdd12f8..d50f68f 100644
> > > > --- a/drivers/tty/vt/vt.c
> > > > +++ b/drivers/tty/vt/vt.c
> > > > @@ -3350,10 +3350,14 @@ static int __init con_init(void)
> > > >
> > > > for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) {
> > > > vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
> > > > + if (!vc)
> > > > + goto fail1;
> > > > INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
> > > > tty_port_init(&vc->port);
> > > > visual_init(vc, currcons, 1);
> > > > vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
> > > > + if (!vc->vc_screenbuf)
> > > > + goto fail2;
> > > > vc_init(vc, vc->vc_rows, vc->vc_cols,
> > > > currcons || !vc->vc_sw->con_save_screen);
> > > > }
> > > > @@ -3375,6 +3379,16 @@ static int __init con_init(void)
> > > > register_console(&vt_console_driver);
> > > > #endif
> > > > return 0;
> > > > +fail1:
> > > > + while (currcons > 0) {
> > > > + currcons--;
> > > > + kfree(vc_cons[currcons].d->vc_screenbuf);
> > > > +fail2:
> > > > + kfree(vc_cons[currcons].d);
> > > > + vc_cons[currcons].d = NULL;
> > > > + }
> >
> > Wait, will that even work? You can jump into the middle of a while
> > loop?
>
> Absolutely.
>
> > Ugh, that's beyond ugly.
>
> That was me who suggested to do it like that. To me, this is nicer than
> the proposed alternatives. For an error path that is rather unlikely to
> happen, I think this is a very concise and eleguant way to do it.
>
> > And please provide "real" names for the
> > labels, "fail1" and "fail2" do not tell anything here.
>
> That I agree with.
>
>
> Nicolas
Thanks for your comments. Then am I supposed to revise the patch and
send a v4 version?
Thanks
Gen
next prev parent reply other threads:[~2019-06-10 6:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-28 0:45 [PATCH v3] vt: Fix a missing-check bug in con_init() Gen Zhang
2019-06-08 16:01 ` Gen Zhang
2019-06-08 16:21 ` Greg KH
2019-06-08 16:27 ` Gen Zhang
2019-06-08 16:34 ` Gen Zhang
2019-06-08 16:22 ` Greg KH
2019-06-08 16:30 ` Gen Zhang
2019-06-09 0:15 ` Nicolas Pitre
2019-06-10 6:45 ` Gen Zhang [this message]
2019-06-10 14:31 ` Nicolas Pitre
2019-06-10 7:10 ` Jiri Slaby
-- strict thread matches above, loose matches on Subject: below --
2019-05-21 2:29 [PATCH v2] vt: Fix a missing-check bug in drivers/tty/vt/vt.c Gen Zhang
2019-05-21 2:55 ` Nicolas Pitre
2019-05-21 3:09 ` Gen Zhang
2019-05-21 3:26 ` Nicolas Pitre
2019-05-21 4:00 ` Gen Zhang
2019-05-21 4:30 ` Nicolas Pitre
2019-05-21 7:39 ` Gen Zhang
2019-05-22 2:43 ` Nicolas Pitre
2019-05-22 12:19 ` [PATCH v3] " Gen Zhang
2019-05-22 14:18 ` Nicolas Pitre
2019-05-24 2:27 ` [PATCH v3] vt: Fix a missing-check bug in con_init() Gen Zhang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190610064519.GA3143@ubuntu \
--to=blackgod016574@gmail.com \
--cc=daniel.vetter@ffwll.ch \
--cc=gregkh@linuxfoundation.org \
--cc=jslaby@suse.com \
--cc=kilobyte@angband.pl \
--cc=linux-kernel@vger.kernel.org \
--cc=mpatocka@redhat.com \
--cc=nico@fluxnic.net \
--cc=textshell@uchuujin.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.