| Message ID | 20220107144405.4081288-1-jiasheng@iscas.ac.cn (mailing list archive) |
|---|---|
| State | Changes Requested, archived |
| Headers | show |
| Series | [v2] thermal/int340x_thermal: Check for null pointer after calling kmemdup | expand |
On Fri, Jan 7, 2022 at 3:44 PM Jiasheng Jiang <jiasheng@iscas.ac.cn> wrote: > > As the possible failure of the allocation, kmemdup() may return NULL > pointer. > Then the 'bin_attr_data_vault.private' will be NULL pointer but the > 'bin_attr_data_vault.size' is not 0. > Therefore, it should be better to check the return value of kmemdup() to > avoid the wrong size. > > Fixes: 0ba13c763aac ("thermal/int340x_thermal: Export GDDV") > Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> > --- > Changelog > > v1 -> v2 > > * Change 1. Use out_kfree to simplify the code. > --- > .../thermal/intel/int340x_thermal/int3400_thermal.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c > index 19926beeb3b7..f869aeb087d3 100644 > --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c > +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c > @@ -457,17 +457,21 @@ static void int3400_setup_gddv(struct int3400_thermal_priv *priv) > > obj = buffer.pointer; > if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count != 1 > - || obj->package.elements[0].type != ACPI_TYPE_BUFFER) { > - kfree(buffer.pointer); > - return; > - } > + || obj->package.elements[0].type != ACPI_TYPE_BUFFER) > + goto out_kfree; This change isn't strictly necessary. > > priv->data_vault = kmemdup(obj->package.elements[0].buffer.pointer, > obj->package.elements[0].buffer.length, > GFP_KERNEL); > + if (!priv->data_vault) > + goto out_kfree; > + > bin_attr_data_vault.private = priv->data_vault; > bin_attr_data_vault.size = obj->package.elements[0].buffer.length; > kfree(buffer.pointer); > + > +out_kfree: > + kfree(buffer.pointer); On success, this would be the second kfree() for the same pointer in a row, which would be a bug. > } > > static int int3400_thermal_probe(struct platform_device *pdev) > --
diff --git a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c index 19926beeb3b7..f869aeb087d3 100644 --- a/drivers/thermal/intel/int340x_thermal/int3400_thermal.c +++ b/drivers/thermal/intel/int340x_thermal/int3400_thermal.c @@ -457,17 +457,21 @@ static void int3400_setup_gddv(struct int3400_thermal_priv *priv) obj = buffer.pointer; if (obj->type != ACPI_TYPE_PACKAGE || obj->package.count != 1 - || obj->package.elements[0].type != ACPI_TYPE_BUFFER) { - kfree(buffer.pointer); - return; - } + || obj->package.elements[0].type != ACPI_TYPE_BUFFER) + goto out_kfree; priv->data_vault = kmemdup(obj->package.elements[0].buffer.pointer, obj->package.elements[0].buffer.length, GFP_KERNEL); + if (!priv->data_vault) + goto out_kfree; + bin_attr_data_vault.private = priv->data_vault; bin_attr_data_vault.size = obj->package.elements[0].buffer.length; kfree(buffer.pointer); + +out_kfree: + kfree(buffer.pointer); } static int int3400_thermal_probe(struct platform_device *pdev)
As the possible failure of the allocation, kmemdup() may return NULL pointer. Then the 'bin_attr_data_vault.private' will be NULL pointer but the 'bin_attr_data_vault.size' is not 0. Therefore, it should be better to check the return value of kmemdup() to avoid the wrong size. Fixes: 0ba13c763aac ("thermal/int340x_thermal: Export GDDV") Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> --- Changelog v1 -> v2 * Change 1. Use out_kfree to simplify the code. --- .../thermal/intel/int340x_thermal/int3400_thermal.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)