* [FWD] PROBLEM: there exists a wrong return value of function mkiss_open()
@ 2015-08-10 16:42 Linus Torvalds
2015-08-10 21:39 ` [patch] hamradio/kiss: missing error code in mkiss_open() Dan Carpenter
0 siblings, 1 reply; 4+ messages in thread
From: Linus Torvalds @ 2015-08-10 16:42 UTC (permalink / raw)
To: David Miller, Eric W. Biederman, Dan Carpenter; +Cc: Network Development
I don't know how many people care about hamradio, but the report that
mkiss_open() returns success even when register_netdev() fails seems
entirely true. The email was just not sent to the right people..
Linus
On Sun, Aug 9, 2015 at 5:08 PM, RUC_Soft_Sec <zy900702@163.com> wrote:
> Summary:
> there exists a wrong return value of function mkiss_open(). It's a
> theoretical problem. we use static analysis method to detect this bug.
> Bug Description:
>
> In function mkiss_open() at drivers/net/hamradio/mkiss.c:726, the call to
> register_netdev() in line 765 may return a negative error code, and thus
> function mkiss_open() will return the value of variable err. And, the
> function mkiss_open() will return 0 at last when it runs well. However, when
> the call to register_netdev() in line 765 return a negative error code, the
> value of err is 0. So the function mkiss_open() will return 0 to its caller
> functions when it runs error because of the failing call to
> register_netdev(), leading to a wrong return value of function mkiss_open().
> The related code snippets in mkiss_open() is as following.
> mkiss_open @@ drivers/net/hamradio/mkiss.c:726
> 726static int mkiss_open(struct tty_struct *tty)
> 727{
> ...
> 761 if ((err = ax_open(ax->dev))) {
> 762 goto out_free_netdev;
> 763 }
> 764
> 765 if (register_netdev(dev))
> 766 goto out_free_buffers;
> ...
> 800out_free_buffers:
> 801 kfree(ax->rbuff);
> 802 kfree(ax->xbuff);
> 803
> 804out_free_netdev:
> 805 free_netdev(dev);
> 806
> 807out:
> 808 return err;
> 809}
>
> Generally, when the call to register_netdev() fails, the return value of
> caller functions should be different from another return value set when the
> call to register_netdev() succeeds, like the following codes in another
> file.
> com90io_found @@ drivers/net/arcnet/com90io.c:234
> 234static int __init com90io_found(struct net_device *dev)
> 235{
> ...
> 268 err = register_netdev(dev);
> 269 if (err) {
> 270 outb((inb(_CONFIG) & ~IOMAPflag), _CONFIG);
> 271 free_irq(dev->irq, dev);
> 272 release_region(dev->base_addr, ARCNET_TOTAL_SIZE);
> 273 return err;
> 274 }
> 275
> 276 BUGMSG(D_NORMAL, "COM90IO: station %02Xh found at %03lXh, IRQ
> %d.\n",
> 277 dev->dev_addr[0], dev->base_addr, dev->irq);
> 278
> 279 return 0;
> 280}
>
> Kernel version:
> 3.19.1
>
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [patch] hamradio/kiss: missing error code in mkiss_open()
2015-08-10 16:42 [FWD] PROBLEM: there exists a wrong return value of function mkiss_open() Linus Torvalds
@ 2015-08-10 21:39 ` Dan Carpenter
2015-08-11 0:32 ` Fabio Estevam
2015-08-11 4:19 ` David Miller
0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2015-08-10 21:39 UTC (permalink / raw)
To: David S. Miller; +Cc: Eric W. Biederman, netdev, Linus Torvalds, RUC_Soft_Sec
If register_netdev() fails we return success but we should return an
error code instead.
Reported-by: RUC_Soft_Sec <zy900702@163.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/net/hamradio/mkiss.c b/drivers/net/hamradio/mkiss.c
index 2ffbf13..dcb6bb7 100644
--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -732,7 +732,8 @@ static int mkiss_open(struct tty_struct *tty)
goto out_free_netdev;
}
- if (register_netdev(dev))
+ err = register_netdev(dev);
+ if (err)
goto out_free_buffers;
/* after register_netdev() - because else printk smashes the kernel */
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] hamradio/kiss: missing error code in mkiss_open()
2015-08-10 21:39 ` [patch] hamradio/kiss: missing error code in mkiss_open() Dan Carpenter
@ 2015-08-11 0:32 ` Fabio Estevam
2015-08-11 4:19 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: Fabio Estevam @ 2015-08-11 0:32 UTC (permalink / raw)
To: Dan Carpenter
Cc: David S. Miller, Eric W. Biederman, netdev@vger.kernel.org,
Linus Torvalds, RUC_Soft_Sec
On Mon, Aug 10, 2015 at 6:39 PM, Dan Carpenter <dan.carpenter@oracle.com> wrote:
> If register_netdev() fails we return success but we should return an
> error code instead.
>
> Reported-by: RUC_Soft_Sec <zy900702@163.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
I have also sent a similar one:
https://patchwork.ozlabs.org/patch/505758/
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [patch] hamradio/kiss: missing error code in mkiss_open()
2015-08-10 21:39 ` [patch] hamradio/kiss: missing error code in mkiss_open() Dan Carpenter
2015-08-11 0:32 ` Fabio Estevam
@ 2015-08-11 4:19 ` David Miller
1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2015-08-11 4:19 UTC (permalink / raw)
To: dan.carpenter; +Cc: ebiederm, netdev, torvalds, zy900702
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Tue, 11 Aug 2015 00:39:22 +0300
> If register_netdev() fails we return success but we should return an
> error code instead.
>
> Reported-by: RUC_Soft_Sec <zy900702@163.com>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
I just applied another patch which fixes this earlier.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-11 4:19 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-10 16:42 [FWD] PROBLEM: there exists a wrong return value of function mkiss_open() Linus Torvalds
2015-08-10 21:39 ` [patch] hamradio/kiss: missing error code in mkiss_open() Dan Carpenter
2015-08-11 0:32 ` Fabio Estevam
2015-08-11 4:19 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).