[PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Vladimir Motyka]

When allocation of idata fails there was a null dereferece.

Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>

---
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 407836d..3dec493 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -266,10 +266,10 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	return idata;

 copy_err:
-	kfree(idata->buf);
+	if(idata)
+		kfree(idata->buf);
 	kfree(idata);
 	return ERR_PTR(err);
-
 }

 static int mmc_blk_ioctl_cmd(struct block_device *bdev,

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Julia Lawall]

On Mon, 9 May 2011, Vladimir Motyka wrote:

> When allocation of idata fails there was a null dereferece.

Why not have a different label for the two cases?  That would make the 
code easier to statically analyze, and perhaps be more understandable as 
well.

julia


> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
> 
> ---
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 407836d..3dec493 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -266,10 +266,10 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  	return idata;
> 
>  copy_err:
> -	kfree(idata->buf);
> +	if(idata)
> +		kfree(idata->buf);
>  	kfree(idata);
>  	return ERR_PTR(err);
> -
>  }
> 
>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Vladimir Motyka]

On 05/09/2011 04:32 PM, Julia Lawall wrote:
> On Mon, 9 May 2011, Vladimir Motyka wrote:
> 
>> When allocation of idata fails there was a null dereferece.
> 
> Why not have a different label for the two cases?  That would make the 
> code easier to statically analyze, and perhaps be more understandable as 
> well.
> 
> julia
>
I think You are right. So it could be better like this?

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 3dec493..a03cdc6 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
 	if (!idata) {
 		err = -ENOMEM;
-		goto copy_err;
+		goto alloc_err;
 	}

 	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
@@ -266,9 +266,9 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	return idata;

 copy_err:
-	if(idata)
-		kfree(idata->buf);
+	kfree(idata->buf);
 	kfree(idata);
+alloc_err:
 	return ERR_PTR(err);
 }

Or it could return right after allocation fails so there needn't be
goto. It is simplier, but maybe worse looking and to read. What is your
opinion?

Vladimir Motyka

> 
>> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
>>
>> ---
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index 407836d..3dec493 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -266,10 +266,10 @@ static struct mmc_blk_ioc_data
>> *mmc_blk_ioctl_copy_from_user(
>>  	return idata;
>>
>>  copy_err:
>> -	kfree(idata->buf);
>> +	if(idata)
>> +		kfree(idata->buf);
>>  	kfree(idata);
>>  	return ERR_PTR(err);
>> -
>>  }
>>
>>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
>> --
>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Andy Shevchenko]

On Mon, May 9, 2011 at 6:05 PM, Vladimir Motyka
<vladimir.motyka@gmail.com> wrote:
> On 05/09/2011 04:32 PM, Julia Lawall wrote:
>> On Mon, 9 May 2011, Vladimir Motyka wrote:
>>
>>> When allocation of idata fails there was a null dereferece.
>>
>> Why not have a different label for the two cases?  That would make the
>> code easier to statically analyze, and perhaps be more understandable as
>> well.
>>
>> julia
>>
> I think You are right. So it could be better like this?
>
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 3dec493..a03cdc6 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>        idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>        if (!idata) {
>                err = -ENOMEM;
> -               goto copy_err;
> +               goto alloc_err;
>        }
>
>        if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
> @@ -266,9 +266,9 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>        return idata;
>
>  copy_err:
> -       if(idata)
> -               kfree(idata->buf);
> +       kfree(idata->buf);
Make it one patch not series.

>        kfree(idata);
> +alloc_err:
>        return ERR_PTR(err);
>  }
>
> Or it could return right after allocation fails so there needn't be
> goto. It is simplier, but maybe worse looking and to read. What is your
> opinion?
>
> Vladimir Motyka
>
>>
>>> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
>>>
>>> ---
>>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>>> index 407836d..3dec493 100644
>>> --- a/drivers/mmc/card/block.c
>>> +++ b/drivers/mmc/card/block.c
>>> @@ -266,10 +266,10 @@ static struct mmc_blk_ioc_data
>>> *mmc_blk_ioctl_copy_from_user(
>>>      return idata;
>>>
>>>  copy_err:
>>> -    kfree(idata->buf);
>>> +    if(idata)
>>> +            kfree(idata->buf);
>>>      kfree(idata);
>>>      return ERR_PTR(err);
>>> -
>>>  }
>>>
>>>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>>> the body of a message to majordomo@vger.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>



-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Julia Lawall]

On Mon, 9 May 2011, Vladimir Motyka wrote:

> On 05/09/2011 04:32 PM, Julia Lawall wrote:
> > On Mon, 9 May 2011, Vladimir Motyka wrote:
> > 
> >> When allocation of idata fails there was a null dereferece.
> > 
> > Why not have a different label for the two cases?  That would make the 
> > code easier to statically analyze, and perhaps be more understandable as 
> > well.
> > 
> > julia
> >
> I think You are right. So it could be better like this?
> 
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 3dec493..a03cdc6 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>  	if (!idata) {
>  		err = -ENOMEM;
> -		goto copy_err;
> +		goto alloc_err;
>  	}
> 
>  	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
> @@ -266,9 +266,9 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  	return idata;
> 
>  copy_err:
> -	if(idata)
> -		kfree(idata->buf);
> +	kfree(idata->buf);
>  	kfree(idata);
> +alloc_err:
>  	return ERR_PTR(err);
>  }
> 
> Or it could return right after allocation fails so there needn't be
> goto. It is simplier, but maybe worse looking and to read. What is your
> opinion?

Perhaps it is also pointless to call kfree on something that is known to 
be NULL.  But I think that there is quite some code that does that, so 
others might have another opinion.

julia


> 
> Vladimir Motyka
> 
> > 
> >> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
> >>
> >> ---
> >> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> >> index 407836d..3dec493 100644
> >> --- a/drivers/mmc/card/block.c
> >> +++ b/drivers/mmc/card/block.c
> >> @@ -266,10 +266,10 @@ static struct mmc_blk_ioc_data
> >> *mmc_blk_ioctl_copy_from_user(
> >>  	return idata;
> >>
> >>  copy_err:
> >> -	kfree(idata->buf);
> >> +	if(idata)
> >> +		kfree(idata->buf);
> >>  	kfree(idata);
> >>  	return ERR_PTR(err);
> >> -
> >>  }
> >>
> >>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
> >> --
> >> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> >> the body of a message to majordomo@vger.kernel.org
> >> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >>
> 
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Vladimir Motyka]

When allocation of idata fails there was a null dereference.

Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
---
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 407836d..a03cdc6 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
 	if (!idata) {
 		err = -ENOMEM;
-		goto copy_err;
+		goto alloc_err;
 	}

 	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
@@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 copy_err:
 	kfree(idata->buf);
 	kfree(idata);
+alloc_err:
 	return ERR_PTR(err);
-
 }

 static int mmc_blk_ioctl_cmd(struct block_device *bdev,

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Julia Lawall]

I guess there is also a point at which idata has been successfully 
allocated but idata->buf has not.

julia


On Mon, 9 May 2011, Vladimir Motyka wrote:

> When allocation of idata fails there was a null dereference.
> 
> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
> ---
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 407836d..a03cdc6 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>  	if (!idata) {
>  		err = -ENOMEM;
> -		goto copy_err;
> +		goto alloc_err;
>  	}
> 
>  	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
> @@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  copy_err:
>  	kfree(idata->buf);
>  	kfree(idata);
> +alloc_err:
>  	return ERR_PTR(err);
> -
>  }
> 
>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Vladimir Motyka]

On 05/09/2011 06:12 PM, Julia Lawall wrote:
> I guess there is also a point at which idata has been successfully 
> allocated but idata->buf has not.
> 
> julia
> 
Yes there is. Thank You for pointing out.

Vladimir Motyka

> On Mon, 9 May 2011, Vladimir Motyka wrote:
> 
>> When allocation of idata fails there was a null dereference.
>>
>> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
>> ---
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index 407836d..a03cdc6 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
>> *mmc_blk_ioctl_copy_from_user(
>>  	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>>  	if (!idata) {
>>  		err = -ENOMEM;
>> -		goto copy_err;
>> +		goto alloc_err;
>>  	}
>>
>>  	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
>> @@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
>> *mmc_blk_ioctl_copy_from_user(
>>  copy_err:
>>  	kfree(idata->buf);
>>  	kfree(idata);
>> +alloc_err:
>>  	return ERR_PTR(err);
>> -
>>  }
>>
>>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
>> --
>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Vladimir Motyka]

When allocation of idata failed there was a null dereference. Also avoid
calling kfree where it is needn't.

---
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 407836d..126c7f4 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -237,24 +237,24 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
 	if (!idata) {
 		err = -ENOMEM;
-		goto copy_err;
+		goto out;
 	}

 	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
 		err = -EFAULT;
-		goto copy_err;
+		goto idata_err;
 	}

 	idata->buf_bytes = (u64) idata->ic.blksz * idata->ic.blocks;
 	if (idata->buf_bytes > MMC_IOC_MAX_BYTES) {
 		err = -EOVERFLOW;
-		goto copy_err;
+		goto idata_err;
 	}

 	idata->buf = kzalloc(idata->buf_bytes, GFP_KERNEL);
 	if (!idata->buf) {
 		err = -ENOMEM;
-		goto copy_err;
+		goto idata_err;
 	}

 	if (copy_from_user(idata->buf, (void __user *)(unsigned long)
@@ -267,9 +267,10 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(

 copy_err:
 	kfree(idata->buf);
+idata_err:
 	kfree(idata);
+out:
 	return ERR_PTR(err);
-
 }

 static int mmc_blk_ioctl_cmd(struct block_device *bdev,

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Chris Ball]

Hi,

On Mon, May 09 2011, Vladimir Motyka wrote:
> When allocation of idata failed there was a null dereference. Also avoid
> calling kfree where it is needn't.
>
> ---
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 407836d..126c7f4 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -237,24 +237,24 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(

Thanks, I've pushed this version of the patch to mmc-next.

(The patch you sent was corrupted by gmail; it added a line break on the
last line quoted above where there shouldn't be one.  Please fix that
for next time.)

- Chris.
-- 
Chris Ball   <cjb@laptop.org>   <http://printf.net/>
One Laptop Per Child

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Andy Shevchenko]

On Mon, May 9, 2011 at 7:12 PM, Julia Lawall <julia@diku.dk> wrote:
> I guess there is also a point at which idata has been successfully
> allocated but idata->buf has not.
And? kfree() simple ignores NULL pointers.
I would prefer to see previous version of patch, but let maintainer to choose.

-- 
With Best Regards,
Andy Shevchenko

Re: [PATCH] drivers/mmc/card/block.c: fix potential null dereference 'idata'

[Julia Lawall]

On Tue, 10 May 2011, Andy Shevchenko wrote:

> On Mon, May 9, 2011 at 7:12 PM, Julia Lawall <julia@diku.dk> wrote:
> > I guess there is also a point at which idata has been successfully
> > allocated but idata->buf has not.
> And? kfree() simple ignores NULL pointers.

Unnecessarily calling a function suggests that calling that function is 
necessary when it is not.  But it is probably not a big deal, especially 
for a well known function like kfree.

julia

> I would prefer to see previous version of patch, but let maintainer to choose.
> 
> -- 
> With Best Regards,
> Andy Shevchenko
>