Commit c8ea3663 authored by Dan Carpenter's avatar Dan Carpenter Committed by Linus Torvalds

drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl

strndup_user() returns error pointers on error, and then in the error
handling we pass the error pointers to kfree().  It will cause an Oops.

Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
Fixes: 6db71994 ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Cc: Timur Tabi <timur@freescale.com>
Cc: Mihai Caraman <mihai.caraman@freescale.com>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 871789d4
...@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) ...@@ -331,8 +331,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
struct fsl_hv_ioctl_prop param; struct fsl_hv_ioctl_prop param;
char __user *upath, *upropname; char __user *upath, *upropname;
void __user *upropval; void __user *upropval;
char *path = NULL, *propname = NULL; char *path, *propname;
void *propval = NULL; void *propval;
int ret = 0; int ret = 0;
/* Get the parameters from the user. */ /* Get the parameters from the user. */
...@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) ...@@ -344,32 +344,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
upropval = (void __user *)(uintptr_t)param.propval; upropval = (void __user *)(uintptr_t)param.propval;
path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN); path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
if (IS_ERR(path)) { if (IS_ERR(path))
ret = PTR_ERR(path); return PTR_ERR(path);
goto out;
}
propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN); propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
if (IS_ERR(propname)) { if (IS_ERR(propname)) {
ret = PTR_ERR(propname); ret = PTR_ERR(propname);
goto out; goto err_free_path;
} }
if (param.proplen > FH_DTPROP_MAX_PROPLEN) { if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
ret = -EINVAL; ret = -EINVAL;
goto out; goto err_free_propname;
} }
propval = kmalloc(param.proplen, GFP_KERNEL); propval = kmalloc(param.proplen, GFP_KERNEL);
if (!propval) { if (!propval) {
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto err_free_propname;
} }
if (set) { if (set) {
if (copy_from_user(propval, upropval, param.proplen)) { if (copy_from_user(propval, upropval, param.proplen)) {
ret = -EFAULT; ret = -EFAULT;
goto out; goto err_free_propval;
} }
param.ret = fh_partition_set_dtprop(param.handle, param.ret = fh_partition_set_dtprop(param.handle,
...@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) ...@@ -388,7 +386,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
if (copy_to_user(upropval, propval, param.proplen) || if (copy_to_user(upropval, propval, param.proplen) ||
put_user(param.proplen, &p->proplen)) { put_user(param.proplen, &p->proplen)) {
ret = -EFAULT; ret = -EFAULT;
goto out; goto err_free_propval;
} }
} }
} }
...@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set) ...@@ -396,10 +394,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
if (put_user(param.ret, &p->ret)) if (put_user(param.ret, &p->ret))
ret = -EFAULT; ret = -EFAULT;
out: err_free_propval:
kfree(path);
kfree(propval); kfree(propval);
err_free_propname:
kfree(propname); kfree(propname);
err_free_path:
kfree(path);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment