drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
authorDan Carpenter <dan.carpenter@oracle.com>
Tue, 14 May 2019 22:47:00 +0000 (15:47 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 16 May 2019 17:43:47 +0000 (19:43 +0200)
commit c8ea3663f7a8e6996d44500ee818c9330ac4fd88 upstream.

strndup_user() returns error pointers on error, and then in the error
handling we pass the error pointers to kfree().  It will cause an Oops.

Link: http://lkml.kernel.org/r/20181218082003.GD32567@kadam
Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Timur Tabi <timur@freescale.com>
Cc: Mihai Caraman <mihai.caraman@freescale.com>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/virt/fsl_hypervisor.c

index 150ce2a..f71ef48 100644 (file)
@@ -334,8 +334,8 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        struct fsl_hv_ioctl_prop param;
        char __user *upath, *upropname;
        void __user *upropval;
-       char *path = NULL, *propname = NULL;
-       void *propval = NULL;
+       char *path, *propname;
+       void *propval;
        int ret = 0;
 
        /* Get the parameters from the user. */
@@ -347,32 +347,30 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        upropval = (void __user *)(uintptr_t)param.propval;
 
        path = strndup_user(upath, FH_DTPROP_MAX_PATHLEN);
-       if (IS_ERR(path)) {
-               ret = PTR_ERR(path);
-               goto out;
-       }
+       if (IS_ERR(path))
+               return PTR_ERR(path);
 
        propname = strndup_user(upropname, FH_DTPROP_MAX_PATHLEN);
        if (IS_ERR(propname)) {
                ret = PTR_ERR(propname);
-               goto out;
+               goto err_free_path;
        }
 
        if (param.proplen > FH_DTPROP_MAX_PROPLEN) {
                ret = -EINVAL;
-               goto out;
+               goto err_free_propname;
        }
 
        propval = kmalloc(param.proplen, GFP_KERNEL);
        if (!propval) {
                ret = -ENOMEM;
-               goto out;
+               goto err_free_propname;
        }
 
        if (set) {
                if (copy_from_user(propval, upropval, param.proplen)) {
                        ret = -EFAULT;
-                       goto out;
+                       goto err_free_propval;
                }
 
                param.ret = fh_partition_set_dtprop(param.handle,
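Review bot: `propval` comes from `kmalloc(param.proplen, GFP_KERNEL)` and, in the later hunk at -391, is passed to `copy_to_user()` with `param.proplen` as the length, so any bytes the get path leaves unwritten would reach user space as uninitialized kernel heap. The call that fills the buffer is outside the visible hunks, so whether it always writes the full length cannot be confirmed from here. Using `propval = kzalloc(param.proplen, GFP_KERNEL);` removes that dependency cheaply, since the size is already capped by `FH_DTPROP_MAX_PROPLEN`. If that call can also rewrite `param.proplen`, the value should be re-checked against the allocated size before the copy. The body of ioctl_dtprop starts and ends outside this hunk.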
@@ -391,7 +389,7 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
                        if (copy_to_user(upropval, propval, param.proplen) ||
                            put_user(param.proplen, &p->proplen)) {
                                ret = -EFAULT;
-                               goto out;
+                               goto err_free_propval;
                        }
                }
        }
@@ -399,10 +397,12 @@ static long ioctl_dtprop(struct fsl_hv_ioctl_prop __user *p, int set)
        if (put_user(param.ret, &p->ret))
                ret = -EFAULT;
 
-out:
-       kfree(path);
+err_free_propval:
        kfree(propval);
+err_free_propname:
        kfree(propname);
+err_free_path:
+       kfree(path);
 
        return ret;
 }
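Review bot: The cleanup labels are named `err_free_*`, yet the success path also runs through them, because the `put_user()` just above only sets `ret` and falls into `err_free_propval`. A neutral prefix (`out_free_propval:`, `out_free_propname:`, `out_free_path:`) would read more accurately. Alternatively, a one-line comment before the first label, such as `/* success path falls through to the cleanup below */`, would do the same job. Either way, a later reader is less likely to add an early `return ret;` above the labels and leak all three buffers. The function begins outside this hunk.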