lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211201065502.GC9522@kadam>
Date:   Wed, 1 Dec 2021 09:55:02 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Yang Yingliang <yangyingliang@...wei.com>
Cc:     Pavel Skripkin <paskripkin@...il.com>,
        linux-kernel@...r.kernel.org, linux-staging@...ts.linux.dev,
        gregkh@...uxfoundation.org
Subject: Re: [PATCH -next] staging: rtl8192e: rtllib_module: fix missing
 free_netdev() on error in alloc_rtllib()

On Wed, Dec 01, 2021 at 10:41:41AM +0800, Yang Yingliang wrote:
> Hi,
> 
> On 2021/12/1 2:57, Pavel Skripkin wrote:
> > On 11/30/21 06:40, Yang Yingliang wrote:
> > > Add the missing free_netdev() before return from alloc_rtllib()
> > > in the error handling case.
> > > 
> > > Signed-off-by: Yang Yingliang <yangyingliang@...wei.com>
> > > ---
> > >   drivers/staging/rtl8192e/rtllib_module.c | 2 +-
> > >   1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/staging/rtl8192e/rtllib_module.c
> > > b/drivers/staging/rtl8192e/rtllib_module.c
> > > index 64d9feee1f39..18d898714c5c 100644
> > > --- a/drivers/staging/rtl8192e/rtllib_module.c
> > > +++ b/drivers/staging/rtl8192e/rtllib_module.c
> > > @@ -125,7 +125,7 @@ struct net_device *alloc_rtllib(int sizeof_priv)
> > >         ieee->pHTInfo = kzalloc(sizeof(struct rt_hi_throughput),
> > > GFP_KERNEL);
> > >       if (!ieee->pHTInfo)
> > > -        return NULL;
> > > +        goto failed;
> > >         HTUpdateDefaultSetting(ieee);
> > >       HTInitializeHTInfo(ieee);
> > > 
> > 
> > Good catch!
> > 
> > There are 2 more possible leaks, tho. rtllib_networks_allocate() and
> > rtllib_softmac_init() should be unwinded too.
> The error path of rtllib_networks_allocate()  won't leak the dev.

You've misunderstood what Pavel is saying.  He's saying that we need to
call rtllib_networks_free() as well as free_netdev().

This code has a "goto failed" and that means it is either going to do
nothing or do everything.  It is a bad style of error handling and it
often has bugs like this.  The best way to write error handling is to
use Free the Last Thing style.

int my_alloc_function()
{
	a = alloc();
	if (!a)
		return -ENOMEM;  // <- there is no last thing

	b = alloc();
	if (!b) {
		ret = -ENOMEM;
		goto free_a;  // <- this name says "a" is the last thing
	}

	c = alloc();
	if (!c) {
		ret = -ENOMEM;
		goto free_b;
	}

	return 0;

free_b:
	free(b);
free_a:
	free(a);

	return ret;
}

In this style of error handling you only need to remember the last
successful allocation and the names tell you what the goto does so it
is much easier to check if it's correct.

Then to create a my_free_function() you can just: Copy and paste the
error handling.  Add a free(c).  Delete the labels.

void my_free_function()
{
	free(c);
	free(b);
	free(a);
}

The free function for alloc_rtllib() is free_rtllib() and it looks like
this:

drivers/staging/rtl8192e/rtllib_module.c
   150  void free_rtllib(struct net_device *dev)
   151  {
   152          struct rtllib_device *ieee = (struct rtllib_device *)
   153                                        netdev_priv_rsl(dev);
   154  
   155          kfree(ieee->pHTInfo);
   156          ieee->pHTInfo = NULL;
                ^^^^^^^^^^^^^^^^^^^^^
This line is pointless and should be deleted.

   157          rtllib_softmac_free(ieee);
   158  
   159          lib80211_crypt_info_free(&ieee->crypt_info);
   160  
   161          rtllib_networks_free(ieee);
   162          free_netdev(dev);
   163  }

As you can see this free function calls rtllib_softmac_free(),
lib80211_crypt_info_free() and rtllib_networks_free() so the error
handling in alloc_rtllib() needs to do that as well.  Based on what
I have said, then ideally the error handling for alloc_rtllib() would
look something like this:

        return dev;

free_softmac:
        rtllib_softmac_free(ieee);
        lib80211_crypt_info_free(&ieee->crypt_info);
free_networks:
        rtllib_networks_free(ieee);
free_netdev:
        free_netdev(dev);

        return NULL;

The rtllib_softmac_init() function should really return an int, but it
returns void.  That could be fixed in a separate patch if you want.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ