From f65f9a502b7ae620714f50829ad8f1bcf1f64635 Mon Sep 17 00:00:00 2001
From: Joe Perches
Date: Wed, 13 Feb 2019 14:31:51 +0800
Subject: [PATCH] cifs: check kzalloc return
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

mainline inclusion
from mainline-5.0
commit 0544b324e62c
category: bugfix
bugzilla: 5840
CVE: NA

-------------------------------------------------

kzalloc can return NULL so an additional check is needed. While there is a check for ret_buf there is no check for the allocation of ret_buf->crfid.fid - this check is thus added. Both call-sites of tconInfoAlloc() check for NULL return of tconInfoAlloc() so returning NULL on failure of kzalloc() here seems appropriate.

As the kzalloc() is the only thing here that can fail it is moved to the beginning so as not to initialize other resources on failure of kzalloc.

Fixes: 3d4ef9a15343 ("smb3: fix redundant opens on root")

conflict: fs/cifs/misc.c 由于未合入 fae8044c03 smb3: show number of current open files in /proc/fs/cifs/Stats,导致冲突

Signed-off-by: Joe Perches
Signed-off-by: Steve French
Signed-off-by: ZhangXiaoxu
Reviewed-by: Miao Xie
Signed-off-by: Yang Yingliang
---
fs/cifs/misc.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index 6926685e513c..50c2d7b16d59 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -111,19 +111,25 @@ struct cifs_tcon *
 tconInfoAlloc(void)
 {
 struct cifs_tcon *ret_buf;
- ret_buf = kzalloc(sizeof(struct cifs_tcon), GFP_KERNEL);
- if (ret_buf) {
- atomic_inc(&tconInfoAllocCount);
- ret_buf->tidStatus = CifsNew;
- ++ret_buf->tc_count;
- INIT_LIST_HEAD(&ret_buf->openFileList);
- INIT_LIST_HEAD(&ret_buf->tcon_list);
- spin_lock_init(&ret_buf->open_file_lock);
- mutex_init(&ret_buf->crfid.fid_mutex);
- ret_buf->crfid.fid = kzalloc(sizeof(struct cifs_fid),
- GFP_KERNEL);
- spin_lock_init(&ret_buf->stat_lock);
+
+ ret_buf = kzalloc(sizeof(*ret_buf), GFP_KERNEL);
+ if (!ret_buf)
+ return NULL;
+ ret_buf->crfid.fid = kzalloc(sizeof(*ret_buf->crfid.fid), GFP_KERNEL);
+ if (!ret_buf->crfid.fid) {
+ kfree(ret_buf);
+ return NULL;
 }
+
+ atomic_inc(&tconInfoAllocCount);
+ ret_buf->tidStatus = CifsNew;
+ ++ret_buf->tc_count;
+ INIT_LIST_HEAD(&ret_buf->openFileList);
+ INIT_LIST_HEAD(&ret_buf->tcon_list);
+ spin_lock_init(&ret_buf->open_file_lock);
+ mutex_init(&ret_buf->crfid.fid_mutex);
+ spin_lock_init(&ret_buf->stat_lock);
+
 return ret_buf;
 }
-- 
GitLab
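Review bot: The reason both kzalloc() calls now come before every other initialisation lives only in the commit message, so a short comment at the first allocation would keep a later edit from moving the counter or lock setup back above them, e.g. `/* Allocate first: nothing below can fail, so the error path needs no unwinding and tconInfoAllocCount never counts a discarded tcon. */`. After this hunk crfid.fid is no longer optional for a tcon returned to callers, which means the release path (presumably tconInfoFree(), not in this hunk) must kfree() it unconditionally; that is worth confirming rather than assuming. The function's return-type line sits just above the hunk, but the body itself is fully visible.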