[PATCH V3 0/2] mtd: nandsim: fix error handling

[PATCH V3 0/2] mtd: nandsim: fix error handling

[Sheng Yong]

V3:
Fix compiling error of PATCH 2 because of my silly bindly rebase without
testing :( These 2 patches are already tested.

V2:
Resend the patches against l2-mtd/master.

V1:
These 2 patches fix error handling when nandsim initialization fails.

In alloc_device(), if creating slab memory fails, free_device() will try
to destroy the slab memory without checking if it exists.  PATCH 1 fixes
it.

If something goes wrong in init_nandsim(), it calls free_device() before
returning. However, the caller of init_nandsim() - ns_init_module() - also
does the cleanup by calling free_nandsim(). This causes double free. PATCH
2 fixes it.

Thanks,
Sheng

Sheng Yong (2):
  mtd: nandsim: fix free of NULL pointer
  mtd: nandsim: fix double free

 drivers/mtd/nand/nandsim.c | 28 +++++++++-------------------
 1 file changed, 9 insertions(+), 19 deletions(-)

-- 
1.8.3.4

[PATCH V3 1/2] mtd: nandsim: fix free of NULL pointer

[Sheng Yong]

If allocating ns->nand_pages_slab fails, do not try to destroy it when
cleaning up nandsim resources.

Signed-off-by: Sheng Yong <shengyong1@huawei.com>
---
 drivers/mtd/nand/nandsim.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
index 52c0c1a..6a74f62 100644
--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c
@@ -649,7 +649,8 @@ static void free_device(struct nandsim *ns)
 				kmem_cache_free(ns->nand_pages_slab,
 						ns->pages[i].byte);
 		}
-		kmem_cache_destroy(ns->nand_pages_slab);
+		if (ns->nand_pages_slab)
+			kmem_cache_destroy(ns->nand_pages_slab);
 		vfree(ns->pages);
 	}
 }
-- 
1.8.3.4

[PATCH V3 2/2] mtd: nandsim: fix double free

[Sheng Yong]

Do not call free_device() in init_nandsim, the caller - ns_init_module -
will take care of that if something goes wrong.

Signed-off-by: Sheng Yong <shengyong1@huawei.com>
---
 drivers/mtd/nand/nandsim.c | 25 +++++++------------------
 1 file changed, 7 insertions(+), 18 deletions(-)

diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
index 6a74f62..95d0cc4 100644
--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c
@@ -730,8 +730,7 @@ static int init_nandsim(struct mtd_info *mtd)
 	/* Fill the partition_info structure */
 	if (parts_num > ARRAY_SIZE(ns->partitions)) {
 		NS_ERR("too many partitions.\n");
-		ret = -EINVAL;
-		goto error;
+		return -EINVAL;
 	}
 	remains = ns->geom.totsz;
 	next_offset = 0;
@@ -740,14 +739,12 @@ static int init_nandsim(struct mtd_info *mtd)
 
 		if (!part_sz || part_sz > remains) {
 			NS_ERR("bad partition size.\n");
-			ret = -EINVAL;
-			goto error;
+			return -EINVAL;
 		}
 		ns->partitions[i].name   = get_partition_name(i);
 		if (!ns->partitions[i].name) {
 			NS_ERR("unable to allocate memory.\n");
-			ret = -ENOMEM;
-			goto error;
+			return -ENOMEM;
 		}
 		ns->partitions[i].offset = next_offset;
 		ns->partitions[i].size   = part_sz;
@@ -758,14 +755,12 @@ static int init_nandsim(struct mtd_info *mtd)
 	if (remains) {
 		if (parts_num + 1 > ARRAY_SIZE(ns->partitions)) {
 			NS_ERR("too many partitions.\n");
-			ret = -EINVAL;
-			goto error;
+			return -EINVAL;
 		}
 		ns->partitions[i].name   = get_partition_name(i);
 		if (!ns->partitions[i].name) {
 			NS_ERR("unable to allocate memory.\n");
-			ret = -ENOMEM;
-			goto error;
+			return -ENOMEM;
 		}
 		ns->partitions[i].offset = next_offset;
 		ns->partitions[i].size   = remains;
@@ -793,24 +788,18 @@ static int init_nandsim(struct mtd_info *mtd)
 	printk("options: %#x\n",                ns->options);
 
 	if ((ret = alloc_device(ns)) != 0)
-		goto error;
+		return ret;
 
 	/* Allocate / initialize the internal buffer */
 	ns->buf.byte = kmalloc(ns->geom.pgszoob, GFP_KERNEL);
 	if (!ns->buf.byte) {
 		NS_ERR("init_nandsim: unable to allocate %u bytes for the internal buffer\n",
 			ns->geom.pgszoob);
-		ret = -ENOMEM;
-		goto error;
+		return -ENOMEM;
 	}
 	memset(ns->buf.byte, 0xFF, ns->geom.pgszoob);
 
 	return 0;
-
-error:
-	free_device(ns);
-
-	return ret;
 }
 
 /*
-- 
1.8.3.4

Re: [PATCH V3 0/2] mtd: nandsim: fix error handling

[Sheng Yong]

Ping.

thanks,
Sheng

On 6/25/2015 10:23 AM, Sheng Yong wrote:
> V3:
> Fix compiling error of PATCH 2 because of my silly bindly rebase without
> testing :( These 2 patches are already tested.
> 
> V2:
> Resend the patches against l2-mtd/master.
> 
> V1:
> These 2 patches fix error handling when nandsim initialization fails.
> 
> In alloc_device(), if creating slab memory fails, free_device() will try
> to destroy the slab memory without checking if it exists.  PATCH 1 fixes
> it.
> 
> If something goes wrong in init_nandsim(), it calls free_device() before
> returning. However, the caller of init_nandsim() - ns_init_module() - also
> does the cleanup by calling free_nandsim(). This causes double free. PATCH
> 2 fixes it.
> 
> Thanks,
> Sheng
> 
> Sheng Yong (2):
>   mtd: nandsim: fix free of NULL pointer
>   mtd: nandsim: fix double free
> 
>  drivers/mtd/nand/nandsim.c | 28 +++++++++-------------------
>  1 file changed, 9 insertions(+), 19 deletions(-)
> 

Re: [PATCH V3 0/2] mtd: nandsim: fix error handling

[Brian Norris]

On Thu, Jun 25, 2015 at 02:23:12AM +0000, Sheng Yong wrote:
> V3:
> Fix compiling error of PATCH 2 because of my silly bindly rebase without
> testing :( These 2 patches are already tested.
> 
> V2:
> Resend the patches against l2-mtd/master.
> 
> V1:
> These 2 patches fix error handling when nandsim initialization fails.
> 
> In alloc_device(), if creating slab memory fails, free_device() will try
> to destroy the slab memory without checking if it exists.  PATCH 1 fixes
> it.
> 
> If something goes wrong in init_nandsim(), it calls free_device() before
> returning. However, the caller of init_nandsim() - ns_init_module() - also
> does the cleanup by calling free_nandsim(). This causes double free. PATCH
> 2 fixes it.

Pushed both to l2-mtd.git. Thanks!

Brian