From: Vishal Verma
Subject: [ndctl PATCH] libndctl, inject: ensure that bb_add_record doesn't leak memory
Date: Tue, 7 Nov 2017 16:47:06 -0700
Message-Id: <20171107234706.6406-1-vishal.l.verma@intel.com>
X-Patchwork-Id: 10047377

It was non-obvious that in the loop to add a new badblock, the entry allocated was always consumed by adding it to the list. Ensure that it happens by setting the 'bb' pointer to NULL when we add it to the list, and at the end of the loop, free and error out if it was not added.

Cc: Dan Williams
Signed-off-by: Vishal Verma

--- ndctl/lib/inject.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/ndctl/lib/inject.c b/ndctl/lib/inject.c index 4df6414..8bfb5c9 100644 --- a/ndctl/lib/inject.c +++ b/ndctl/lib/inject.c @@ -199,6 +199,7 @@ static int bb_add_record(struct list_head *h, u64 block, u64 count) /* bb_iter is the first entry */ if (bb->block < bb_iter->block) { list_add(h, &bb->list); + bb = NULL; break; } } @@ -210,12 +211,14 @@ static int bb_add_record(struct list_head *h, u64 block, u64 count) * following checks for the previous iteration. */ list_add_tail(h, &bb->list); + bb = NULL; break; } /* Add to the left of bb_iter */ if (bb->block <= bb_iter->block) { if (bb_prev && (bb_prev->block <= bb->block)) { list_add_after(h, &bb_prev->list, &bb->list); + bb = NULL; break; } } 
@@ -223,11 +226,18 @@ static int bb_add_record(struct list_head *h, u64 block, u64 count) if (bb_iter->block <= bb->block) { if (bb_next && (bb->block <= bb_next->block)) { list_add_after(h, &bb_iter->list, &bb->list); + bb = NULL; break; } } } + /* ensure bb has actually been consumed (set to NULL earlier) */ + if (bb != NULL) { + free(bb); + return -ENXIO; + } + /* second pass over the list looking for mergeable entries */ list_for_each(h, bb_iter, list) { u64 cur_end, next_end, cur_start, next_start; @@ -357,6 +367,11 @@ NDCTL_EXPORT int ndctl_namespace_injection_status(struct ndctl_namespace *ndns) } rc = injection_status_to_bb(ndns, err_inj_stat, ns_offset, ns_size); + if (rc) { + dbg(ctx, "Error converting status to badblocks: %d\n", + rc); + goto out; + } } out:
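
Review bot: the "bb = NULL; break;" pair is now open-coded at every insertion site (the list_add in the @@ -199,6 +199,7 hunk, the list_add_tail and list_add_after in the @@ -210,12 +211,14 hunk, and the list_add_after in the following hunk), and the new post-loop free(bb) is only safe if none of them is ever missed. A branch added later that links bb into the list but forgets to clear the pointer would hit free(bb) on an entry that is still on the list. Consider a one-line comment where bb is allocated stating the ownership rule (bb is owned by the list once added and must be set to NULL), or folding the add and the NULL assignment into a small local helper so the two cannot drift apart.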
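
Review bot: in the @@ -223,11 +226,18 hunk, the post-loop check returns -ENXIO with nothing to say which list state led there, and the errno is not documented anywhere in the visible lines. Please add a short comment on when the loop can fall through without inserting, and note the return value above bb_add_record. It is also worth confirming the empty-list case is handled before the loop (those lines are not part of this diff): if it is not, list_for_each runs zero times and a plain first insert now fails with -ENXIO. Minor style point: "if (bb)" would match the "if (rc)" form used in the last hunk.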
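
Review bot: the @@ -357,6 +367,11 hunk changes error handling in ndctl_namespace_injection_status, which the commit message (about bb_add_record not leaking) does not mention; either describe it in the changelog or split it into its own patch. Also, the added "goto out;" sits directly before the closing brace and the out: label, so unless the enclosing block is a loop the jump changes nothing and the dbg() call alone would be enough.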