drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 14 May 2019 22:47:00 +0000 (15:47 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Wed, 15 May 2019 02:52:52 +0000 (19:52 -0700)
strndup_user() returns error pointers on error, and then in the error
handling we pass the error pointers to kfree().  It will cause an Oops.

Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Timur Tabi <timur@freescale.com>
Cc: Mihai Caraman <mihai.caraman@freescale.com>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
drivers/virt/fsl_hypervisor.c

index 6446bcab41852eb846ac517da62f80a4dacf10bd..a41431edbf25c63a934edec8c9c6f1d6bc241b84 100644 (file)
@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        struct fsl_hv_ioctl_prop param;
        char __user *upath, *upropname;
        void __user *upropval;
-       char *path = NULL, *propname = NULL;
-       void *propval = NULL;
+       char *path, *propname;
+       void *propval;
        int ret = 0;
 
        /* Get the parameters from the user. */
@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        upropval = (void __user *)(uintptr_t)param.propval;
 
        path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
-       if (IS_ERR(path)) {
-               ret = PTR_ERR(path);
-               goto out;
-       }
+       if (IS_ERR(path))
+               return PTR_ERR(path);
 
        propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
        if (IS_ERR(propname)) {
                ret = PTR_ERR(propname);
-               goto out;
+               goto err_free_path;
        }
 
        if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
                ret = -EINVAL;
-               goto out;
+               goto err_free_propname;
        }
 
        propval = kmalloc(param.proplen, GFP_KERNEL);
        if (!propval) {
                ret = -ENOMEM;
-               goto out;
+               goto err_free_propname;
        }
 
        if (set) {
                if (copy_from_user(propval, upropval, param.proplen)) {
                        ret = -EFAULT;
-                       goto out;
+                       goto err_free_propval;
                }
 
                param.ret = fh_partition_set_dtprop(param.handle,
@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
                        if (copy_to_user(upropval, propval, param.proplen) ||
                            put_user(param.proplen, &p->proplen)) {
                                ret = -EFAULT;
-                               goto out;
+                               goto err_free_propval;
                        }
                }
        }
@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        if (put_user(param.ret, &p->ret))
                ret = -EFAULT;
 
-out:
-       kfree(path);
+err_free_propval:
        kfree(propval);
+err_free_propname:
        kfree(propname);
+err_free_path:
+       kfree(path);
 
        return ret;
 }