lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 11 Jul 2022 16:16:08 +0300
From:   Sergey Ryazanov <ryazanov.s.a@...il.com>
To:     Bo Liu <liubo03@...pur.com>
Cc:     Loic Poulain <loic.poulain@...aro.org>,
        Johannes Berg <johannes@...solutions.net>,
        David Miller <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 1/1] net: wwan: call ida_free when device_register fails

Hello Bo,

generally the patch looks good to me, but it needs improvement in the
wwan_create_dev() part. Sorry that I missed this part in the previous
review. See details below.

On Mon, Jul 11, 2022 at 3:54 AM Bo Liu <liubo03@...pur.com> wrote:
>
> when device_register() fails, we should call ida_free().
>
> Fixes: 9a44c1cc6388 ("net: Add a WWAN subsystem")
> Signed-off-by: Bo Liu <liubo03@...pur.com>
> ---
>  Changes from v1:
>  -Add a Fixes tag pointing to the commit
>
>  drivers/net/wwan/wwan_core.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/wwan/wwan_core.c b/drivers/net/wwan/wwan_core.c
> index b8c7843730ed..0f653e320b2b 100644
> --- a/drivers/net/wwan/wwan_core.c
> +++ b/drivers/net/wwan/wwan_core.c
> @@ -228,8 +228,7 @@ static struct wwan_device *wwan_create_dev(struct device *parent)
>         wwandev = kzalloc(sizeof(*wwandev), GFP_KERNEL);
>         if (!wwandev) {
>                 wwandev = ERR_PTR(-ENOMEM);
> -               ida_free(&wwan_dev_ids, id);
> -               goto done_unlock;
> +               goto error_free_ida;
>         }
>
>         wwandev->dev.parent = parent;
> @@ -242,7 +241,7 @@ static struct wwan_device *wwan_create_dev(struct device *parent)
>         if (err) {
>                 put_device(&wwandev->dev);
>                 wwandev = ERR_PTR(err);
> -               goto done_unlock;
> +               goto error_free_ida;
>         }
>
>  #ifdef CONFIG_WWAN_DEBUGFS
> @@ -251,6 +250,8 @@ static struct wwan_device *wwan_create_dev(struct device *parent)
>                                            wwan_debugfs_dir);
>  #endif
>
> +error_free_ida:
> +       ida_free(&wwan_dev_ids, id);
>  done_unlock:
>         mutex_unlock(&wwan_register_lock);
>

This hunk misses the case of a successful device registration. After
patching, the code will look like this:

    err = device_register(&wwandev->dev);
    if (err) {
        put_device(&wwandev->dev);
        wwandev = ERR_PTR(err);
        goto error_free_ida;
    }

    wwandev->debugfs_dir =
debugfs_create_dir(kobject_name(&wwandev->dev.kobj),
wwan_debugfs_dir);

error_free_ida:
    ida_free(&wwan_dev_ids, id);
done_unlock:
    mutex_unlock(&wwan_register_lock);

As you can see, even if the device will be registered successfully,
the allocated id will be unconditionally freed.

The easiest way to fix this is to add "goto done_unlock" right after
the debugfs directory creation call. So the hunk should become
something like this:

@@ -249,8 +248,12 @@ static struct wwan_device *wwan_create_dev(struct
device *parent)
        wwandev->debugfs_dir =
                     debugfs_create_dir(kobject_name(&wwandev->dev.kobj),
                                           wwan_debugfs_dir);
 #endif

+      goto done_unlock;
+
+error_free_ida:
+       ida_free(&wwan_dev_ids, id);
 done_unlock:
        mutex_unlock(&wwan_register_lock);

-- 
Sergey

Powered by blists - more mailing lists