lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <6977ce32695df_2c39100a7@iweiny-mobl.notmuch>
Date: Mon, 26 Jan 2026 14:27:30 -0600
From: Ira Weiny <ira.weiny@...el.com>
To: Zhaoyang Yu <2426767509@...com>, <dan.j.williams@...el.com>
CC: <vishal.l.verma@...el.com>, <dave.jiang@...el.com>, <ira.weiny@...el.com>,
	<nvdimm@...ts.linux.dev>, <linux-kernel@...r.kernel.org>,
	<gszhai@...u.edu.cn>, Zhaoyang Yu <2426767509@...com>
Subject: Re: [PATCH] nvdimm: Add check for devm_kmalloc() and fix NULL
 pointer dereference in nd_pfn_probe() and nd_dax_probe()

Zhaoyang Yu wrote:
> The devm_kmalloc() function may return NULL when memory allocation fails.
> In nd_pfn_probe() and nd_dax_probe(), the return values of devm_kmalloc()
> are not checked. If pfn_sb is NULL, it will cause a NULL pointer
> dereference in the subsequent calls to nd_pfn_validate().
> 
> Additionally, if the allocation fails, the devices initialized by
> nd_pfn_devinit() or nd_dax_devinit() are not properly released, leading
> to memory leaks.
> 
> Fix this by checking the return value of devm_kmalloc() in both functions.
> If the allocation fails, use put_device() to release the initialized device
> and return -ENOMEM.
> 
> Signed-off-by: Zhaoyang Yu <2426767509@...com>
> ---
>  drivers/nvdimm/dax_devs.c | 4 ++++
>  drivers/nvdimm/pfn_devs.c | 4 ++++
>  2 files changed, 8 insertions(+)
> 
> diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c
> index ba4c409ede65..aa51a9022d12 100644
> --- a/drivers/nvdimm/dax_devs.c
> +++ b/drivers/nvdimm/dax_devs.c
> @@ -111,6 +111,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns)
>  			return -ENOMEM;
>  	}
>  	pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL);
> +	if (!pfn_sb) {
> +		put_device(dax_dev);
> +		return -ENOMEM;
> +	}

Sorry this is a NAK.

While I don't like the implicit nature of the check...  This is not
needed.

The validity of pfn_sb is checked in nd_pfn_validate()

It is unfortunate that the errno reported in that case is ENODEV rather
than ENOMEM...  But I would not change that now.

>  	nd_pfn = &nd_dax->nd_pfn;
>  	nd_pfn->pfn_sb = pfn_sb;
>  	rc = nd_pfn_validate(nd_pfn, DAX_SIG);
> diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c
> index 42b172fc5576..6a69d8bfeb7c 100644
> --- a/drivers/nvdimm/pfn_devs.c
> +++ b/drivers/nvdimm/pfn_devs.c
> @@ -635,6 +635,10 @@ int nd_pfn_probe(struct device *dev, struct nd_namespace_common *ndns)
>  	if (!pfn_dev)
>  		return -ENOMEM;
>  	pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL);
> +	if (!pfn_sb) {
> +		put_device(pfn_dev);
> +		return -ENOMEM;
> +	}
>  	nd_pfn = to_nd_pfn(pfn_dev);
>  	nd_pfn->pfn_sb = pfn_sb;
>  	rc = nd_pfn_validate(nd_pfn, PFN_SIG);

Same issue here.

Ira

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ