| Message ID | YtEhXsr6vJeoiYhd@kili (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] null_blk: prevent NULL dereference in null_init_tag_set() | expand |
On 15.07.22 10:12, Dan Carpenter wrote: > - nullb->index = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); > - dev->index = nullb->index; > + rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); > + if (rv < 0) { > + mutex_unlock(&lock); > + goto out_cleanup_zone; > + } > + nullb->index = rv; > + dev->index = rv; Isn't ida_simple_get() deprecated? And actually the 'max' argument is 0 here, so ida_alloc_range() tries to allocate a number between 0 and 0?
On Fri, Jul 15, 2022 at 08:23:24AM +0000, Johannes Thumshirn wrote: > On 15.07.22 10:12, Dan Carpenter wrote: > > - nullb->index = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); > > - dev->index = nullb->index; > > + rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); > > + if (rv < 0) { > > + mutex_unlock(&lock); > > + goto out_cleanup_zone; > > + } > > + nullb->index = rv; > > + dev->index = rv; > > Isn't ida_simple_get() deprecated? And actually the 'max' argument is 0 here, > so ida_alloc_range() tries to allocate a number between 0 and 0? That was already there in the original code. I was just fixing the bugs, not doing cleanup. The second zero means use INT_MAX. (When a function has "simple" in the name it is always intended ironically). regards, dan carpenter
diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c index 016ec3a2f98f..3d334d46d5f6 100644 --- a/drivers/block/null_blk/main.c +++ b/drivers/block/null_blk/main.c @@ -2074,8 +2074,13 @@ static int null_add_dev(struct nullb_device *dev) blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, nullb->q); mutex_lock(&lock); - nullb->index = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); - dev->index = nullb->index; + rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL); + if (rv < 0) { + mutex_unlock(&lock); + goto out_cleanup_zone; + } + nullb->index = rv; + dev->index = rv; mutex_unlock(&lock); blk_queue_logical_block_size(nullb->q, dev->blocksize); @@ -2101,7 +2106,7 @@ static int null_add_dev(struct nullb_device *dev) rv = null_gendisk_register(nullb); if (rv) - goto out_cleanup_zone; + goto out_ida_free; mutex_lock(&lock); list_add_tail(&nullb->list, &nullb_list); @@ -2110,6 +2115,9 @@ static int null_add_dev(struct nullb_device *dev) pr_info("disk %s created\n", nullb->disk_name); return 0; + +out_ida_free: + ida_free(&nullb_indexes, nullb->index); out_cleanup_zone: null_free_zoned_dev(dev); out_cleanup_disk:
There needs to be some error checking if ida_simple_get() fails. Also call ida_free() if there are errors later. Fixes: 94bc02e30fb8 ("nullb: use ida to manage index") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/block/null_blk/main.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)