From: SF Markus Elfring <elfring@users.sourceforge.net>
To: linux-media@vger.kernel.org,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Hans Verkuil <hans.verkuil@cisco.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, kernel-janitors@vger.kernel.org
Subject: [PATCH 4/4] [media] bt8xx: Less function calls in dst_ca_ioctl() after error detection
Date: Sat, 10 Dec 2016 20:53:09 +0000 [thread overview]
Message-ID: <eee59395-e2aa-fdce-68f0-1a3e630f08d0@users.sourceforge.net> (raw)
In-Reply-To: <d9a0777b-8ea7-3f7d-4fa2-b16468c4a1a4@users.sourceforge.net>
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Sat, 10 Dec 2016 21:30:10 +0100
The kfree() function was called in up to three cases
by the dst_ca_ioctl() function during error handling
even if the passed variable contained a null pointer.
This issue was detected by using the Coccinelle software.
* Split a condition check for memory allocation failures so that
each pointer from these function calls will be checked immediately.
See also background information:
Topic "CWE-754: Improper check for unusual or exceptional conditions"
Link: https://cwe.mitre.org/data/definitions/754.html
Fixes: b57e5578f913a304e97cb66aa0044a894ca47f2f ("Fixes some sync issues between V4L/DVB development and GIT")
* Replace the specification of data structures by pointer dereferences
to make the corresponding size determination a bit safer.
* Adjust jump targets according to the Linux coding style convention.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
drivers/media/pci/bt8xx/dst_ca.c | 51 +++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
index 04d06c564602..50cdb53c9e8a 100644
--- a/drivers/media/pci/bt8xx/dst_ca.c
+++ b/drivers/media/pci/bt8xx/dst_ca.c
@@ -559,16 +559,27 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
int result = 0;
mutex_lock(&dst_ca_mutex);
- dvbdev = file->private_data;
- state = (struct dst_state *)dvbdev->priv;
- p_ca_message = kmalloc(sizeof (struct ca_msg), GFP_KERNEL);
- p_ca_slot_info = kmalloc(sizeof (struct ca_slot_info), GFP_KERNEL);
- p_ca_caps = kmalloc(sizeof (struct ca_caps), GFP_KERNEL);
- if (!p_ca_message || !p_ca_slot_info || !p_ca_caps) {
+ p_ca_message = kmalloc(sizeof(*p_ca_message), GFP_KERNEL);
+ if (!p_ca_message) {
result = -ENOMEM;
- goto free_mem_and_exit;
+ goto unlock;
+ }
+
+ p_ca_slot_info = kmalloc(sizeof(*p_ca_slot_info), GFP_KERNEL);
+ if (!p_ca_slot_info) {
+ result = -ENOMEM;
+ goto free_message;
}
+ p_ca_caps = kmalloc(sizeof(*p_ca_caps), GFP_KERNEL);
+ if (!p_ca_caps) {
+ result = -ENOMEM;
+ goto free_slot_info;
+ }
+
+ dvbdev = file->private_data;
+ state = (struct dst_state *)dvbdev->priv;
+
/* We have now only the standard ioctl's, the driver is upposed to handle internals. */
switch (cmd) {
case CA_SEND_MSG:
@@ -576,7 +587,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_send_message(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SEND_MSG Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
break;
case CA_GET_MSG:
@@ -584,7 +595,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_message(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_MSG Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_MSG Success !");
break;
@@ -598,7 +609,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_info(state, p_ca_slot_info, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_SLOT_INFO Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_SLOT_INFO Success !");
break;
@@ -607,7 +618,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_caps(state, p_ca_caps, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_CAP Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_CAP Success !");
break;
@@ -616,7 +627,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_descr(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_DESCR_INFO Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_DESCR_INFO Success !");
break;
@@ -625,7 +636,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_set_slot_descr()) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SET_DESCR Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_SET_DESCR Success !");
break;
@@ -634,17 +645,19 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_set_pid()) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SET_PID Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_SET_PID Success !");
default:
result = -EOPNOTSUPP;
}
- free_mem_and_exit:
- kfree (p_ca_message);
- kfree (p_ca_slot_info);
- kfree (p_ca_caps);
-
+free_caps:
+ kfree(p_ca_caps);
+free_slot_info:
+ kfree(p_ca_slot_info);
+free_message:
+ kfree(p_ca_message);
+unlock:
mutex_unlock(&dst_ca_mutex);
return result;
}
--
2.11.0
WARNING: multiple messages have this Message-ID (diff)
From: SF Markus Elfring <elfring@users.sourceforge.net>
To: linux-media@vger.kernel.org,
Alexey Khoroshilov <khoroshilov@ispras.ru>,
Hans Verkuil <hans.verkuil@cisco.com>,
Mauro Carvalho Chehab <mchehab@kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>, kernel-janitors@vger.kernel.org
Subject: [PATCH 4/4] [media] bt8xx: Less function calls in dst_ca_ioctl() after error detection
Date: Sat, 10 Dec 2016 21:53:09 +0100 [thread overview]
Message-ID: <eee59395-e2aa-fdce-68f0-1a3e630f08d0@users.sourceforge.net> (raw)
In-Reply-To: <d9a0777b-8ea7-3f7d-4fa2-b16468c4a1a4@users.sourceforge.net>
From: Markus Elfring <elfring@users.sourceforge.net>
Date: Sat, 10 Dec 2016 21:30:10 +0100
The kfree() function was called in up to three cases
by the dst_ca_ioctl() function during error handling
even if the passed variable contained a null pointer.
This issue was detected by using the Coccinelle software.
* Split a condition check for memory allocation failures so that
each pointer from these function calls will be checked immediately.
See also background information:
Topic "CWE-754: Improper check for unusual or exceptional conditions"
Link: https://cwe.mitre.org/data/definitions/754.html
Fixes: b57e5578f913a304e97cb66aa0044a894ca47f2f ("Fixes some sync issues between V4L/DVB development and GIT")
* Replace the specification of data structures by pointer dereferences
to make the corresponding size determination a bit safer.
* Adjust jump targets according to the Linux coding style convention.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
---
drivers/media/pci/bt8xx/dst_ca.c | 51 +++++++++++++++++++++++++---------------
1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/drivers/media/pci/bt8xx/dst_ca.c b/drivers/media/pci/bt8xx/dst_ca.c
index 04d06c564602..50cdb53c9e8a 100644
--- a/drivers/media/pci/bt8xx/dst_ca.c
+++ b/drivers/media/pci/bt8xx/dst_ca.c
@@ -559,16 +559,27 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
int result = 0;
mutex_lock(&dst_ca_mutex);
- dvbdev = file->private_data;
- state = (struct dst_state *)dvbdev->priv;
- p_ca_message = kmalloc(sizeof (struct ca_msg), GFP_KERNEL);
- p_ca_slot_info = kmalloc(sizeof (struct ca_slot_info), GFP_KERNEL);
- p_ca_caps = kmalloc(sizeof (struct ca_caps), GFP_KERNEL);
- if (!p_ca_message || !p_ca_slot_info || !p_ca_caps) {
+ p_ca_message = kmalloc(sizeof(*p_ca_message), GFP_KERNEL);
+ if (!p_ca_message) {
result = -ENOMEM;
- goto free_mem_and_exit;
+ goto unlock;
+ }
+
+ p_ca_slot_info = kmalloc(sizeof(*p_ca_slot_info), GFP_KERNEL);
+ if (!p_ca_slot_info) {
+ result = -ENOMEM;
+ goto free_message;
}
+ p_ca_caps = kmalloc(sizeof(*p_ca_caps), GFP_KERNEL);
+ if (!p_ca_caps) {
+ result = -ENOMEM;
+ goto free_slot_info;
+ }
+
+ dvbdev = file->private_data;
+ state = (struct dst_state *)dvbdev->priv;
+
/* We have now only the standard ioctl's, the driver is upposed to handle internals. */
switch (cmd) {
case CA_SEND_MSG:
@@ -576,7 +587,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_send_message(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SEND_MSG Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
break;
case CA_GET_MSG:
@@ -584,7 +595,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_message(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_MSG Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_MSG Success !");
break;
@@ -598,7 +609,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_info(state, p_ca_slot_info, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_SLOT_INFO Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_SLOT_INFO Success !");
break;
@@ -607,7 +618,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_caps(state, p_ca_caps, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_CAP Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_CAP Success !");
break;
@@ -616,7 +627,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_get_slot_descr(state, p_ca_message, arg)) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_GET_DESCR_INFO Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_GET_DESCR_INFO Success !");
break;
@@ -625,7 +636,7 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_set_slot_descr()) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SET_DESCR Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_SET_DESCR Success !");
break;
@@ -634,17 +645,19 @@ static long dst_ca_ioctl(struct file *file, unsigned int cmd, unsigned long ioct
if ((ca_set_pid()) < 0) {
dprintk(verbose, DST_CA_ERROR, 1, " -->CA_SET_PID Failed !");
result = -1;
- goto free_mem_and_exit;
+ goto free_caps;
}
dprintk(verbose, DST_CA_INFO, 1, " -->CA_SET_PID Success !");
default:
result = -EOPNOTSUPP;
}
- free_mem_and_exit:
- kfree (p_ca_message);
- kfree (p_ca_slot_info);
- kfree (p_ca_caps);
-
+free_caps:
+ kfree(p_ca_caps);
+free_slot_info:
+ kfree(p_ca_slot_info);
+free_message:
+ kfree(p_ca_message);
+unlock:
mutex_unlock(&dst_ca_mutex);
return result;
}
--
2.11.0
next prev parent reply other threads:[~2016-12-10 20:53 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-10 20:45 [PATCH 0/4] [media] bt8xx: Fine-tuning for three functions SF Markus Elfring
2016-12-10 20:45 ` SF Markus Elfring
2016-12-10 20:48 ` [PATCH 1/4] [media] bt8xx: One function call less in bttv_input_init() after error detection SF Markus Elfring
2016-12-10 20:48 ` SF Markus Elfring
2016-12-10 21:29 ` Daniele Nicolodi
2016-12-10 21:29 ` Daniele Nicolodi
2016-12-10 22:10 ` SF Markus Elfring
2016-12-10 22:10 ` SF Markus Elfring
2016-12-11 21:52 ` Daniele Nicolodi
2016-12-11 21:52 ` Daniele Nicolodi
2016-12-12 7:33 ` SF Markus Elfring
2016-12-12 7:33 ` SF Markus Elfring
2016-12-12 7:39 ` Daniele Nicolodi
2016-12-12 7:39 ` Daniele Nicolodi
2016-12-12 17:15 ` SF Markus Elfring
2016-12-12 17:15 ` SF Markus Elfring
2016-12-12 17:56 ` Daniele Nicolodi
2016-12-12 17:56 ` Daniele Nicolodi
2016-12-12 18:03 ` Clarification for acceptance statistics? SF Markus Elfring
2016-12-12 18:03 ` SF Markus Elfring
2016-12-12 21:02 ` Daniele Nicolodi
2016-12-12 21:02 ` Daniele Nicolodi
2016-12-12 22:11 ` SF Markus Elfring
2016-12-12 22:11 ` SF Markus Elfring
2016-12-12 23:19 ` Daniele Nicolodi
2016-12-12 23:19 ` Daniele Nicolodi
2016-12-12 19:11 ` [media] bt8xx: One function call less in bttv_input_init() after error detection Dan Carpenter
2016-12-12 19:11 ` Dan Carpenter
2016-12-10 20:50 ` [PATCH 2/4] [media] bt8xx: Delete two error messages for a failed memory allocation SF Markus Elfring
2016-12-10 20:50 ` SF Markus Elfring
2016-12-10 20:51 ` [PATCH 3/4] [media] bt8xx: Delete unnecessary variable initialisations in ca_send_message() SF Markus Elfring
2016-12-10 20:51 ` SF Markus Elfring
2016-12-10 20:53 ` SF Markus Elfring [this message]
2016-12-10 20:53 ` [PATCH 4/4] [media] bt8xx: Less function calls in dst_ca_ioctl() after error detection SF Markus Elfring
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=eee59395-e2aa-fdce-68f0-1a3e630f08d0@users.sourceforge.net \
--to=elfring@users.sourceforge.net \
--cc=hans.verkuil@cisco.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=khoroshilov@ispras.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-media@vger.kernel.org \
--cc=mchehab@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.