[1/2] mtd: nandsim: fix free of NULL pointer

Message ID	1434530713-81591-2-git-send-email-shengyong1@huawei.com
State	Accepted
Commit	ec7478fa173f65e5ee5fd2ba42c59ca3e700027b
Headers	show Return-Path: <linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org> From: Sheng Yong <shengyong1@huawei.com> To: <computersforpeace@gmail.com>, <dwmw2@infradead.org> Subject: [PATCH 1/2] mtd: nandsim: fix free of NULL pointer Date: Wed, 17 Jun 2015 08:45:12 +0000 Message-ID: <1434530713-81591-2-git-send-email-shengyong1@huawei.com> In-Reply-To: <1434530713-81591-1-git-send-email-shengyong1@huawei.com> References: <1434530713-81591-1-git-send-email-shengyong1@huawei.com> MIME-Version: 1.0 summary: Content analysis details: (-3.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust [119.145.14.65 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [119.145.14.65 listed in wl.mailspike.net] -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Cc: richard@nod.at, linux-mtd@lists.infradead.org Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org> Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

Message ID

1434530713-81591-2-git-send-email-shengyong1@huawei.com

State

Accepted

Commit

ec7478fa173f65e5ee5fd2ba42c59ca3e700027b

Headers

From: Sheng Yong <shengyong1@huawei.com>
To: <computersforpeace@gmail.com>, <dwmw2@infradead.org>
Subject: [PATCH 1/2] mtd: nandsim: fix free of NULL pointer
Date: Wed, 17 Jun 2015 08:45:12 +0000
Message-ID: <1434530713-81591-2-git-send-email-shengyong1@huawei.com>
In-Reply-To: <1434530713-81591-1-git-send-email-shengyong1@huawei.com>
References: <1434530713-81591-1-git-send-email-shengyong1@huawei.com>
MIME-Version: 1.0
Cc: richard@nod.at, linux-mtd@lists.infradead.org
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-mtd" <linux-mtd-bounces@lists.infradead.org>
Errors-To: linux-mtd-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org

If allocating ns->nand_pages_slab fails, do not try to destroy it when cleaning up nandsim resources. Signed-off-by: Sheng Yong <shengyong1@huawei.com> --- drivers/mtd/nand/nandsim.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Richard Weinberger June 17, 2015, 8:48 a.m. UTC | #1

Am 17.06.2015 um 10:45 schrieb Sheng Yong:
> If allocating ns->nand_pages_slab fails, do not try to destroy it when
> cleaning up nandsim resources.
> 
> Signed-off-by: Sheng Yong <shengyong1@huawei.com>
> ---
>  drivers/mtd/nand/nandsim.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
> index cb38f3d..33e4064 100644
> --- a/drivers/mtd/nand/nandsim.c
> +++ b/drivers/mtd/nand/nandsim.c
> @@ -646,7 +646,8 @@ static void free_device(struct nandsim *ns)
>  				kmem_cache_free(ns->nand_pages_slab,
>  						ns->pages[i].byte);
>  		}
> -		kmem_cache_destroy(ns->nand_pages_slab);
> +		if (ns->nand_pages_slab)
> +			kmem_cache_destroy(ns->nand_pages_slab);

It is perfectly fine to free a NULL pointer.

Thanks,
//richard

Richard Weinberger June 17, 2015, 9 a.m. UTC | #2

Am 17.06.2015 um 10:48 schrieb Richard Weinberger:
> Am 17.06.2015 um 10:45 schrieb Sheng Yong:
>> If allocating ns->nand_pages_slab fails, do not try to destroy it when
>> cleaning up nandsim resources.
>>
>> Signed-off-by: Sheng Yong <shengyong1@huawei.com>
>> ---
>>  drivers/mtd/nand/nandsim.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
>> index cb38f3d..33e4064 100644
>> --- a/drivers/mtd/nand/nandsim.c
>> +++ b/drivers/mtd/nand/nandsim.c
>> @@ -646,7 +646,8 @@ static void free_device(struct nandsim *ns)
>>  				kmem_cache_free(ns->nand_pages_slab,
>>  						ns->pages[i].byte);
>>  		}
>> -		kmem_cache_destroy(ns->nand_pages_slab);
>> +		if (ns->nand_pages_slab)
>> +			kmem_cache_destroy(ns->nand_pages_slab);
> 
> It is perfectly fine to free a NULL pointer.

Ignore that. /me needs more coffee. ;)

Thanks,
//richard

shengyong June 17, 2015, 9:03 a.m. UTC | #3

On 6/17/2015 4:48 PM, Richard Weinberger wrote:
> Am 17.06.2015 um 10:45 schrieb Sheng Yong:
>> If allocating ns->nand_pages_slab fails, do not try to destroy it when
>> cleaning up nandsim resources.
>>
>> Signed-off-by: Sheng Yong <shengyong1@huawei.com>
>> ---
>>  drivers/mtd/nand/nandsim.c | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
>> index cb38f3d..33e4064 100644
>> --- a/drivers/mtd/nand/nandsim.c
>> +++ b/drivers/mtd/nand/nandsim.c
>> @@ -646,7 +646,8 @@ static void free_device(struct nandsim *ns)
>>  				kmem_cache_free(ns->nand_pages_slab,
>>  						ns->pages[i].byte);
>>  		}
>> -		kmem_cache_destroy(ns->nand_pages_slab);
>> +		if (ns->nand_pages_slab)
>> +			kmem_cache_destroy(ns->nand_pages_slab);
> 
> It is perfectly fine to free a NULL pointer.
OK, then maybe the double free is not a serious problem, besides we just
get a message "Trying to vfree() nonexistent vm area" or the like. But
kmem_cache_destroy() will access ns->nand_pages_slab, and ns->nand_pages_slab
is NULL. This will crash the kernel. :)

thanks,
Sheng
> 
> Thanks,
> //richard
> 
> .
>

Richard Weinberger June 17, 2015, 9:05 a.m. UTC | #4

Am 17.06.2015 um 11:03 schrieb Sheng Yong:
> 
> 
> On 6/17/2015 4:48 PM, Richard Weinberger wrote:
>> Am 17.06.2015 um 10:45 schrieb Sheng Yong:
>>> If allocating ns->nand_pages_slab fails, do not try to destroy it when
>>> cleaning up nandsim resources.
>>>
>>> Signed-off-by: Sheng Yong <shengyong1@huawei.com>
>>> ---
>>>  drivers/mtd/nand/nandsim.c | 3 ++-
>>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
>>> index cb38f3d..33e4064 100644
>>> --- a/drivers/mtd/nand/nandsim.c
>>> +++ b/drivers/mtd/nand/nandsim.c
>>> @@ -646,7 +646,8 @@ static void free_device(struct nandsim *ns)
>>>  				kmem_cache_free(ns->nand_pages_slab,
>>>  						ns->pages[i].byte);
>>>  		}
>>> -		kmem_cache_destroy(ns->nand_pages_slab);
>>> +		if (ns->nand_pages_slab)
>>> +			kmem_cache_destroy(ns->nand_pages_slab);
>>
>> It is perfectly fine to free a NULL pointer.
> OK, then maybe the double free is not a serious problem, besides we just
> get a message "Trying to vfree() nonexistent vm area" or the like. But
> kmem_cache_destroy() will access ns->nand_pages_slab, and ns->nand_pages_slab
> is NULL. This will crash the kernel. :)

Please see my other may, I was wrong. :)

Thanks,
//richard

diff --git a/drivers/mtd/nand/nandsim.c b/drivers/mtd/nand/nandsim.c
index cb38f3d..33e4064 100644
--- a/drivers/mtd/nand/nandsim.c
+++ b/drivers/mtd/nand/nandsim.c
@@ -646,7 +646,8 @@  static void free_device(struct nandsim *ns)
 				kmem_cache_free(ns->nand_pages_slab,
 						ns->pages[i].byte);
 		}
-		kmem_cache_destroy(ns->nand_pages_slab);
+		if (ns->nand_pages_slab)
+			kmem_cache_destroy(ns->nand_pages_slab);
 		vfree(ns->pages);
 	}
 }

[1/2] mtd: nandsim: fix free of NULL pointer

Commit Message

Comments

Patch