diff mbox

drivers/mmc/card/block.c: fix potential null dereference 'idata'

Message ID 4DC8117C.7060200@gmail.com (mailing list archive)
State New, archived
Headers show

Commit Message

Vladimir Motyka May 9, 2011, 4:08 p.m. UTC 
When allocation of idata fails there was a null dereference.

Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
---
 	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
@@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 copy_err:
 	kfree(idata->buf);
 	kfree(idata);
+alloc_err:
 	return ERR_PTR(err);
-
 }

 static int mmc_blk_ioctl_cmd(struct block_device *bdev,
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Julia Lawall May 9, 2011, 4:12 p.m. UTC | #1 
I guess there is also a point at which idata has been successfully 
allocated but idata->buf has not.

julia


On Mon, 9 May 2011, Vladimir Motyka wrote:

> When allocation of idata fails there was a null dereference.
> 
> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
> ---
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index 407836d..a03cdc6 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>  	if (!idata) {
>  		err = -ENOMEM;
> -		goto copy_err;
> +		goto alloc_err;
>  	}
> 
>  	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
> @@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
> *mmc_blk_ioctl_copy_from_user(
>  copy_err:
>  	kfree(idata->buf);
>  	kfree(idata);
> +alloc_err:
>  	return ERR_PTR(err);
> -
>  }
> 
>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
> --
> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vladimir Motyka May 9, 2011, 8:37 p.m. UTC | #2 
On 05/09/2011 06:12 PM, Julia Lawall wrote:
> I guess there is also a point at which idata has been successfully 
> allocated but idata->buf has not.
> 
> julia
> 
Yes there is. Thank You for pointing out.

Vladimir Motyka

> On Mon, 9 May 2011, Vladimir Motyka wrote:
> 
>> When allocation of idata fails there was a null dereference.
>>
>> Signed-off-by: Vladimir Motyka <vladimir.motyka@gmail.com>
>> ---
>> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
>> index 407836d..a03cdc6 100644
>> --- a/drivers/mmc/card/block.c
>> +++ b/drivers/mmc/card/block.c
>> @@ -237,7 +237,7 @@ static struct mmc_blk_ioc_data
>> *mmc_blk_ioctl_copy_from_user(
>>  	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
>>  	if (!idata) {
>>  		err = -ENOMEM;
>> -		goto copy_err;
>> +		goto alloc_err;
>>  	}
>>
>>  	if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) {
>> @@ -268,8 +268,8 @@ static struct mmc_blk_ioc_data
>> *mmc_blk_ioctl_copy_from_user(
>>  copy_err:
>>  	kfree(idata->buf);
>>  	kfree(idata);
>> +alloc_err:
>>  	return ERR_PTR(err);
>> -
>>  }
>>
>>  static int mmc_blk_ioctl_cmd(struct block_device *bdev,
>> --
>> To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>

--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Andy Shevchenko May 10, 2011, 7:47 a.m. UTC | #3 
On Mon, May 9, 2011 at 7:12 PM, Julia Lawall <julia@diku.dk> wrote:
> I guess there is also a point at which idata has been successfully
> allocated but idata->buf has not.
And? kfree() simple ignores NULL pointers.
I would prefer to see previous version of patch, but let maintainer to choose.
Julia Lawall May 10, 2011, 7:57 a.m. UTC | #4 
On Tue, 10 May 2011, Andy Shevchenko wrote:

> On Mon, May 9, 2011 at 7:12 PM, Julia Lawall <julia@diku.dk> wrote:
> > I guess there is also a point at which idata has been successfully
> > allocated but idata->buf has not.
> And? kfree() simple ignores NULL pointers.

Unnecessarily calling a function suggests that calling that function is 
necessary when it is not.  But it is probably not a big deal, especially 
for a well known function like kfree.

julia

> I would prefer to see previous version of patch, but let maintainer to choose.
> 
> -- 
> With Best Regards,
> Andy Shevchenko
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index 407836d..a03cdc6 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -237,7 +237,7 @@  static struct mmc_blk_ioc_data
*mmc_blk_ioctl_copy_from_user(
 	idata = kzalloc(sizeof(*idata), GFP_KERNEL);
 	if (!idata) {
 		err = -ENOMEM;
-		goto copy_err;
+		goto alloc_err;
 	}