[CHECKER] 24 memory leaks on error paths in 2.4.17

From: Dawson Engler (engler@csl.Stanford.EDU)
Date: Sun Jun 09 2002 - 22:55:58 EST


This checker warns when you do not free allocated memory on failure paths.
Note: while we include only 24 errors here, there were many more overall; let me
know if more would be useful.

Dawson

# BUGs | File Name
4 | /drivers/lvm.c
2 | /mtd/cfi_cmdset_0002.c
2 | /isdn/capi.c
2 | /media/msp3400.c
2 | /drivers/ixj.c
2 | /drivers/cpqfcTSinit.c
1 | /fs/rock.c
1 | /drivers/ixj_pcmcia.c
1 | /drivers/cs4232.c
1 | /drivers/radeonfb.c
1 | /2.4.17/socket.c
1 | /net/vlanproc.c
1 | /net/aironet4500_cs.c
1 | /mtd/sharp.c
1 | /isdn/avm_cs.c
1 | /isdn/icn.c

############################################################
# 2.4.17 specific errors

#
---------------------------------------------------------
[BUG] good stat ranking.
/u2/engler/mc/oses/linux/2.4.17/drivers/video/radeonfb.c:788:radeonfb_pci_register: ERROR:INVERSE:688:788:UNREVERSED 'rinfo' on error path! set by 'kmalloc':688 [nbytes=2216] [rank=easy] [COUNTER=kmalloc:688] [ERROR] [fit=2] [fit_fn=1] [fn_ex=4] [fn_counter=1] [ex=4] [counter=1] [z = -1.53896752812773] [fn-z = -1.53896752812773]
        int i, j;
        char *bios_seg = NULL;

        RTRACE("radeonfb_pci_register BEGIN\n");

Start --->
        rinfo = kmalloc (sizeof (struct radeonfb_info), GFP_KERNEL);

        ... DELETED 94 lines ...

                case PCI_DEVICE_ID_RADEON_LZ:
                        strcpy(rinfo->name, "Radeon M6 LZ ");
                        rinfo->hasCRTC2 = 1;
                        break;
                default:
Error --->
                        return -ENODEV;
        }

        /* framebuffer size */
---------------------------------------------------------
[BUG] good stat example. 2 others.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/icn/icn.c:847:icn_loadboot: ERROR:INVERSE:820:847:UNREVERSED 'codebuf' on error path! set by 'kmalloc':820 [nbytes=1] [rank=easy] [COUNTER=kmalloc:820] [ERROR] [fit=4] [fit_fn=1] [fn_ex=3] [fn_counter=1] [ex=3] [counter=1] [z = -1.83532587096449] [fn-z = -1.83532587096449]
        unsigned long flags;

#ifdef BOOT_DEBUG
        printk(KERN_DEBUG "icn_loadboot called, buffaddr=%08lx\n", (ulong) buffer);
#endif
Start --->
        if (!(codebuf = kmalloc(ICN_CODE_STAGE1, GFP_KERNEL))) {

        ... DELETED 21 lines ...

        }
        if (!dev.mvalid) {
                if (check_mem_region(dev.memaddr, 0x4000)) {
                        printk(KERN_WARNING
                               "icn: memory at 0x%08lx in use.\n", dev.memaddr);
Error --->
                        return -EBUSY;
                }
                request_mem_region(dev.memaddr, 0x4000, "icn-isdn (all cards)");
                dev.shmem = ioremap(dev.memaddr, 0x4000);
---------------------------------------------------------
[BUG] no real examples though.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/avm_cs.c:184:avmcs_attach: ERROR:INVERSE:149:184:UNREVERSED 'link' on error path! set by 'kmalloc':149 [nbytes=144] [rank=easy] [COUNTER=kmalloc:149] [ERROR] [fit=6] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -4.35889894354067]
    dev_link_t *link;
    local_info_t *local;
    int ret, i;
    
    /* Initialize the dev_link_t structure */
Start --->
    link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);

        ... DELETED 29 lines ...

    link->conf.Present = PRESENT_OPTION;

    /* Allocate space for private device-specific data */
    local = kmalloc(sizeof(local_info_t), GFP_KERNEL);
    if (!local)
Error --->
        return NULL;
    memset(local, 0, sizeof(local_info_t));
    link->priv = local;
    
---------------------------------------------------------
[BUG] not good stat: no other examples.
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj_pcmcia.c:75:ixj_attach: ERROR:INVERSE:62:75:UNREVERSED 'link' on error path! set by 'kmalloc':62 [nbytes=144] [rank=easy] [COUNTER=kmalloc:62] [ERROR] [fit=8] [fit_fn=1] [fn_ex=0] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -4.35889894354067]
        client_reg_t client_reg;
        dev_link_t *link;
        int ret;
        DEBUG(0, "ixj_attach()\n");
        /* Create new ixj device */
Start --->
        link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);
        if (!link)
                return NULL;
        memset(link, 0, sizeof(struct dev_link_t));
        link->release.function = &ixj_cs_release;
        link->release.data = (u_long) link;
        link->io.Attributes1 = IO_DATA_PATH_WIDTH_8;
        link->io.Attributes2 = IO_DATA_PATH_WIDTH_8;
        link->io.IOAddrLines = 3;
        link->conf.Vcc = 50;
        link->conf.IntType = INT_MEMORY_AND_IO;
        link->priv = kmalloc(sizeof(struct ixj_info_t), GFP_KERNEL);
        if (!link->priv)
Error --->
                return NULL;
        memset(link->priv, 0, sizeof(struct ixj_info_t));
        /* Register with Card Services */
        link->next = dev_list;
---------------------------------------------------------
[BUG] good stat: though should have a lower p0 value. (2 examples, ranked lower)
/u2/engler/mc/oses/linux/2.4.17/drivers/sound/cs4232.c:409:cs4232_isapnp_probe: ERROR:INVERSE:382:409:UNREVERSED 'isapnpcfg' on error path! set by 'kmalloc':382 [nbytes=68] [rank=easy] [COUNTER=kmalloc:382] [ERROR] [fit=9] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]
int cs4232_isapnp_probe(struct pci_dev *dev, const struct isapnp_device_id *id)
{
        int ret;
        struct address_info *isapnpcfg;

Start --->
        isapnpcfg=(struct address_info*)kmalloc(sizeof(*isapnpcfg),GFP_KERNEL);

        ... DELETED 21 lines ...

        isapnpcfg->dma = dev->dma_resource[0].start;
        isapnpcfg->dma2 = dev->dma_resource[1].start;
        isapnpcfg->io_base = dev->resource[0].start;
        if (probe_cs4232(isapnpcfg,TRUE) == 0) {
                printk(KERN_ERR "cs4232: ISA PnP card found, but not detected?\n");
Error --->
                return -ENODEV;
        }
        attach_cs4232(isapnpcfg);
        pci_set_drvdata(dev,isapnpcfg);
---------------------------------------------------------
[BUG] pretty sure. The rank should not be "easy" since the pointer is passed to a function (BROKE)
/u2/engler/mc/oses/linux/2.4.17/net/8021q/vlanproc.c:256:vlan_proc_read: ERROR:INVERSE:244:256:UNREVERSED 'page' on error path! set by 'kmalloc':244 [nbytes=1] [rank=easy] [COUNTER=kmalloc:244] [ERROR] [fit=10] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.91998558035372]

        dent = inode->u.generic_ip;
        if ((dent == NULL) || (dent->get_info == NULL))
                return 0;

Start --->
        page = kmalloc(VLAN_PROC_BUFSZ, GFP_KERNEL);
        VLAN_MEM_DBG("page malloc, addr: %p size: %i\n",
                     page, VLAN_PROC_BUFSZ);

        if (page == NULL)
                return -ENOBUFS;

        pos = dent->get_info(page, dent->data, 0, 0);
        offs = file->f_pos;
        if (offs < pos) {
                len = min_t(int, pos - offs, count);
                if (copy_to_user(buf, (page + offs), len))
Error --->
                        return -EFAULT;

                file->f_pos += len;
        } else {
---------------------------------------------------------
[BUG] I think so; the paths are hard to follow, though (FPP?)
/u2/engler/mc/oses/linux/2.4.17/fs/isofs/rock.c:588:rock_ridge_symlink_readpage: ERROR:INVERSE:560:588:UNREVERSED 'buffer' on error path! set by 'kmalloc':560 [nbytes=0] [rank=easy] [COUNTER=kmalloc:560] [ERROR] [fit=11] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]
                        CHECK_CE;
                default:
                        break;
                }
        }
Start --->
        MAYBE_CONTINUE(repeat, inode);

        ... DELETED 22 lines ...

        brelse(bh);
        unlock_kernel();
        SetPageError(page);
        kunmap(page);
        UnlockPage(page);
Error --->
        return -EIO;
}

struct address_space_operations isofs_symlink_aops = {
---------------------------------------------------------
[BUG] great stat example, since freed right above; p0 should be lower though.
/u2/engler/mc/oses/linux/2.4.17/drivers/net/pcmcia/aironet4500_cs.c:219:awc_attach: ERROR:INVERSE:179:219:UNREVERSED 'link' on error path! set by 'kmalloc':179 [nbytes=144] [rank=easy] [COUNTER=kmalloc:179] [ERROR] [fit=12] [fit_fn=1] [fn_ex=2] [fn_counter=1] [ex=2] [counter=1] [z = -2.25170500701057] [fn-z = -2.25170500701057]

        PC_DEBUG(0, "awc_attach()\n");
        flush_stale_links();

        /* Create the PC card device object. */
Start --->
        link = kmalloc(sizeof(struct dev_link_t), GFP_KERNEL);

        ... DELETED 34 lines ...

                kfree(link);
                return NULL;
        };
        memset(dev,0,sizeof(struct net_device));
        dev->priv = kmalloc(sizeof(struct awc_private), GFP_KERNEL);
Error --->
        if (!dev->priv ) {printk(KERN_CRIT "out of mem on dev priv alloc \n"); return NULL;};
        memset(dev->priv,0,sizeof(struct awc_private));
        
// link->dev->minor = dev->minor;
---------------------------------------------------------
[BUG] really good stat example --- the code below frees when "on" is true, showing
       that it's a valid path (or the other guy is wrong).
/u2/engler/mc/oses/linux/2.4.17/net/socket.c:760:sock_fasync: ERROR:INVERSE:751:760:UNREVERSED 'fna' on error path! set by 'kmalloc':751 [nbytes=16] [rank=easy] [COUNTER=kmalloc:751] [ERROR] [fit=16] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -2.91998558035372]
        struct socket *sock;
        struct sock *sk;

        if (on)
        {
Start --->
                fna=(struct fasync_struct *)kmalloc(sizeof(struct fasync_struct), GFP_KERNEL);
                if(fna==NULL)
                        return -ENOMEM;
        }

        sock = socki_lookup(filp->f_dentry->d_inode);
        
        if ((sk=sock->sk) == NULL)
Error --->
                return -EINVAL;

        lock_sock(sk);

---------------------------------------------------------
[BUG] the stat is not so good here: the bug is easy, but the lack of corrective
      action in the function pushes the error ranking low.
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/sharp.c:120:sharp_probe: ERROR:INVERSE:114:120:UNREVERSED 'mtd' on error path! set by 'kmalloc':114 [nbytes=124] [rank=easy] [COUNTER=kmalloc:114] [ERROR] [fit=19] [fit_fn=1] [fn_ex=1] [fn_counter=1] [ex=1] [counter=1] [z = -2.91998558035372] [fn-z = -2.91998558035372]
{
        struct mtd_info *mtd = NULL;
        struct sharp_info *sharp = NULL;
        int width;

Start --->
        mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);
        if(!mtd)
                return NULL;

        sharp = kmalloc(sizeof(*sharp), GFP_KERNEL);
        if(!sharp)
Error --->
                return NULL;

        memset(mtd, 0, sizeof(*mtd));

---------------------------------------------------------
[BUG] weird though: they sometimes free, sometimes not.
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/cfi_cmdset_0002.c:177:cfi_amdstd_setup: ERROR:INVERSE:150:177:UNREVERSED 'mtd' on error path! set by 'kmalloc':150 [nbytes=124] [rank=easy] [COUNTER=kmalloc:150] [ERROR] [fit=24] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=3] [counter=2] [z = -3.59092423229804] [fn-z = -4.90076972114066]
{
        struct cfi_private *cfi = map->fldrv_priv;
        struct mtd_info *mtd;
        unsigned long devsize = (1<<cfi->cfiq->DevSize) * cfi->interleave;

Start --->
        mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);

        ... DELETED 21 lines ...

                mtd->numeraseregions = cfi->cfiq->NumEraseRegions * cfi->numchips;
                mtd->eraseregions = kmalloc(sizeof(struct mtd_erase_region_info) * mtd->numeraseregions, GFP_KERNEL);
                if (!mtd->eraseregions) {
                        printk(KERN_WARNING "Failed to allocate memory for MTD erase region info\n");
                        kfree(cfi->cmdset_priv);
Error --->
                        return NULL;
                }
                        
                for (i=0; i<cfi->cfiq->NumEraseRegions; i++) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/mtd/chips/cfi_cmdset_0002.c:200:cfi_amdstd_setup: ERROR:INVERSE:150:200:UNREVERSED 'mtd' on error path! set by 'kmalloc':150 [nbytes=124] [rank=easy] [COUNTER=kmalloc:150] [ERROR] [fit=24] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=3] [counter=2] [z = -3.59092423229804] [fn-z = -4.90076972114066]
{
        struct cfi_private *cfi = map->fldrv_priv;
        struct mtd_info *mtd;
        unsigned long devsize = (1<<cfi->cfiq->DevSize) * cfi->interleave;

Start --->
        mtd = kmalloc(sizeof(*mtd), GFP_KERNEL);

        ... DELETED 44 lines ...

                if (offset != devsize) {
                        /* Argh */
                        printk(KERN_WARNING "Sum of regions (%lx) != total size of set of interleaved chips (%lx)\n", offset, devsize);
                        kfree(mtd->eraseregions);
                        kfree(cfi->cmdset_priv);
Error --->
                        return NULL;
                }
#if 0
                // debug
---------------------------------------------------------
[BUG] security --- has an example at the very end.
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/cpqfcTSinit.c:554:cpqfcTS_ioctl: ERROR:INVERSE:539:554:UNREVERSED 'buf' on error path! set by 'kmalloc':539 [nbytes=0] [rank=easy] [COUNTER=kmalloc:539] [ERROR] [fit=25] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.90076972114066]
        vendor_cmd = ioc.argp; // i.e., CPQ specific command struct

        // If necessary, grab a kernel/DMA buffer
        if( vendor_cmd->len)
        {
Start --->
            buf = kmalloc( vendor_cmd->len, GFP_KERNEL);

        ... DELETED 9 lines ...

        // Need data from user?
        // make sure caller's buffer is in kernel space.
        if( (vendor_cmd->rw_flag == VENDOR_WRITE_OPCODE) &&
            vendor_cmd->len)
        if( copy_from_user( buf, vendor_cmd->bufp, vendor_cmd->len))
Error --->
                return( -EFAULT);
            
        // copy the CDB (if/when MAX_COMMAND_SIZE is 16, remove copy below)
        memcpy( &ScsiPassThruCmnd->cmnd[0],
---------------------------------------------------------
[BUG] beautiful example of how stat helps --- frees it right below!
/u2/engler/mc/oses/linux/2.4.17/drivers/scsi/cpqfcTSinit.c:630:cpqfcTS_ioctl: ERROR:INVERSE:539:630:UNREVERSED 'buf' on error path! set by 'kmalloc':539 [nbytes=0] [rank=easy] [COUNTER=kmalloc:539] [ERROR] [fit=25] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.90076972114066]
        vendor_cmd = ioc.argp; // i.e., CPQ specific command struct

        // If necessary, grab a kernel/DMA buffer
        if( vendor_cmd->len)
        {
Start --->
            buf = kmalloc( vendor_cmd->len, GFP_KERNEL);

        ... DELETED 85 lines ...

        // need to pass data back to user (space)?
        if( (vendor_cmd->rw_flag == VENDOR_READ_OPCODE) &&
             vendor_cmd->len )
        if( copy_to_user( vendor_cmd->bufp, buf, vendor_cmd->len))
Error --->
                return( -EFAULT);

        if( buf)
          kfree( buf);
---------------------------------------------------------
[BUG] good stat example.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/capi.c:1194:capinc_raw_write: ERROR:INVERSE:1182:1194:UNREVERSED 'skb' on error path! set by 'alloc_skb':1182 [nbytes=168] [rank=easy] [COUNTER=alloc_skb:1182] [ERROR] [fit=26] [fit_fn=1] [fn_ex=2] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.12948320967011]
                return -ESPIPE;

        if (!mp || !mp->nccip)
                return -EINVAL;

Start --->
        skb = alloc_skb(CAPI_DATA_B3_REQ_LEN+count, GFP_USER);
        if (!skb)
                return -ENOMEM;

        skb_reserve(skb, CAPI_DATA_B3_REQ_LEN);
        if ((retval = copy_from_user(skb_put(skb, count), buf, count))) {
                kfree_skb(skb);
                return -EFAULT;
        }

        while (skb_queue_len(&mp->outqueue) > CAPINC_MAX_SENDQUEUE) {
                if (file->f_flags & O_NONBLOCK)
Error --->
                        return -EAGAIN;
                interruptible_sleep_on(&mp->sendwait);
                if (mp->nccip == 0) {
                        kfree_skb(skb);
---------------------------------------------------------
[BUG] another stat.
/u2/engler/mc/oses/linux/2.4.17/drivers/isdn/avmb1/capi.c:1201:capinc_raw_write: ERROR:INVERSE:1182:1201:UNREVERSED 'skb' on error path! set by 'alloc_skb':1182 [nbytes=168] [rank=easy] [COUNTER=alloc_skb:1182] [ERROR] [fit=26] [fit_fn=1] [fn_ex=2] [fn_counter=2] [ex=2] [counter=2] [z = -4.12948320967011] [fn-z = -4.12948320967011]
                return -ESPIPE;

        if (!mp || !mp->nccip)
                return -EINVAL;

Start --->
        skb = alloc_skb(CAPI_DATA_B3_REQ_LEN+count, GFP_USER);

        ... DELETED 13 lines ...

                if (mp->nccip == 0) {
                        kfree_skb(skb);
                        return -EIO;
                }
                if (signal_pending(current))
Error --->
                        return -ERESTARTNOHAND;
        }
        skb_queue_tail(&mp->outqueue, skb);
        mp->outbytes += skb->len;
---------------------------------------------------------
[BUG] security hole (not good for stat though)
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj.c:5998:ixj_build_filter_cadence: ERROR:INVERSE:5987:5998:UNREVERSED 'lcp' on error path! set by 'kmalloc':5987 [nbytes=32] [rank=easy] [COUNTER=kmalloc:5987] [ERROR] [fit=29] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
}

static int ixj_build_filter_cadence(IXJ *j, IXJ_FILTER_CADENCE * cp)
{
        IXJ_FILTER_CADENCE *lcp;
Start --->
        lcp = kmalloc(sizeof(IXJ_FILTER_CADENCE), GFP_KERNEL);
        if (lcp == NULL) {
                if(ixjdebug & 0x0001) {
                        printk(KERN_INFO "Could not allocate memory for cadence\n");
                }
                return -ENOMEM;
        }
        if (copy_from_user(lcp, (char *) cp, sizeof(IXJ_FILTER_CADENCE))) {
                if(ixjdebug & 0x0001) {
                        printk(KERN_INFO "Could not copy cadence to kernel\n");
                }
Error --->
                return -EFAULT;
        }
        if (lcp->filter > 5) {
                if(ixjdebug & 0x0001) {
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/telephony/ixj.c:6004:ixj_build_filter_cadence: ERROR:INVERSE:5987:6004:UNREVERSED 'lcp' on error path! set by 'kmalloc':5987 [nbytes=32] [rank=easy] [COUNTER=kmalloc:5987] [ERROR] [fit=29] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
}

static int ixj_build_filter_cadence(IXJ *j, IXJ_FILTER_CADENCE * cp)
{
        IXJ_FILTER_CADENCE *lcp;
Start --->
        lcp = kmalloc(sizeof(IXJ_FILTER_CADENCE), GFP_KERNEL);

        ... DELETED 11 lines ...

        }
        if (lcp->filter > 5) {
                if(ixjdebug & 0x0001) {
                        printk(KERN_INFO "Cadence out of range\n");
                }
Error --->
                return -1;
        }
        j->cadence_f[lcp->filter].state = 0;
        j->cadence_f[lcp->filter].enable = lcp->enable;
---------------------------------------------------------
[BUG] but it should have been demoted; good for stat [example above]
/u2/engler/mc/oses/linux/2.4.17/drivers/media/video/msp3400.c:1265:msp_attach: ERROR:INVERSE:1243:1265:UNREVERSED 'c' on error path! set by 'kmalloc':1243 [nbytes=60] [rank=easy] [COUNTER=kmalloc:1243] [ERROR] [fit=31] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
        if (-1 == msp3400c_reset(&client_template)) {
                dprintk("msp3400: no chip found\n");
                return -1;
        }
        
Start --->
        if (NULL == (c = kmalloc(sizeof(struct i2c_client),GFP_KERNEL)))

        ... DELETED 16 lines ...

        init_waitqueue_head(&msp->wq);

        if (-1 == msp3400c_reset(c)) {
                kfree(msp);
                dprintk("msp3400: no chip found\n");
Error --->
                return -1;
        }
    
        rev1 = msp3400c_read(c, I2C_MSP3400C_DFP, 0x1e);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/media/video/msp3400.c:1274:msp_attach: ERROR:INVERSE:1243:1274:UNREVERSED 'c' on error path! set by 'kmalloc':1243 [nbytes=60] [rank=easy] [COUNTER=kmalloc:1243] [ERROR] [fit=31] [fit_fn=1] [fn_ex=1] [fn_counter=2] [ex=1] [counter=2] [z = -4.90076972114066] [fn-z = -4.90076972114066]
        if (-1 == msp3400c_reset(&client_template)) {
                dprintk("msp3400: no chip found\n");
                return -1;
        }
        
Start --->
        if (NULL == (c = kmalloc(sizeof(struct i2c_client),GFP_KERNEL)))

        ... DELETED 25 lines ...

        if (-1 != rev1)
                rev2 = msp3400c_read(c, I2C_MSP3400C_DFP, 0x1f);
        if ((-1 == rev1) || (0 == rev1 && 0 == rev2)) {
                kfree(msp);
                printk("msp3400: error while reading chip version\n");
Error --->
                return -1;
        }

#if 0
---------------------------------------------------------
[BUG] security hole; reasonable example for stat (final cleanup frees)
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1529:lvm_do_vg_create: ERROR:INVERSE:1510:1529:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
                        }
                }
        }

        size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
        if ((snap_lv_ptr = vmalloc ( size)) == NULL) {

        ... DELETED 13 lines ...

                if ((lvp = vg_ptr->lv[l]) != NULL) {
                        if (copy_from_user(&lv, lvp, sizeof(lv_t)) != 0) {
                                P_IOCTL("ERROR: copying LV ptr %p (%d bytes)\n",
                                        lvp, sizeof(lv_t));
                                lvm_do_vg_remove(minor);
Error --->
                                return -EFAULT;
                        }
                        if ( lv.lv_access & LV_SNAPSHOT) {
                                snap_lv_ptr[ls] = lvp;
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1541:lvm_do_vg_create: ERROR:INVERSE:1510:1541:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
                        }
                }
        }

        size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
        if ((snap_lv_ptr = vmalloc ( size)) == NULL) {

        ... DELETED 25 lines ...

                        }
                        vg_ptr->lv[l] = NULL;
                        /* only create original logical volumes for now */
                        if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
                                lvm_do_vg_remove(minor);
Error --->
                                return -EFAULT;
                        }
                }
        }
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1552:lvm_do_vg_create: ERROR:INVERSE:1510:1552:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
                        }
                }
        }

        size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
        if ((snap_lv_ptr = vmalloc ( size)) == NULL) {

        ... DELETED 36 lines ...

           in place during first path above */
        for (l = 0; l < ls; l++) {
                lv_t *lvp = snap_lv_ptr[l];
                if (copy_from_user(&lv, lvp, sizeof(lv_t)) != 0) {
                        lvm_do_vg_remove(minor);
Error --->
                        return -EFAULT;
                }
                if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
                        lvm_do_vg_remove(minor);
---------------------------------------------------------
[BUG]
/u2/engler/mc/oses/linux/2.4.17/drivers/md/lvm.c:1556:lvm_do_vg_create: ERROR:INVERSE:1510:1556:UNREVERSED 'snap_lv_ptr' on error path! set by 'vmalloc':1510 [nbytes=4] [rank=easy] [COUNTER=vmalloc:1510] [ERROR] [fit=32] [fit_fn=1] [fn_ex=1] [fn_counter=4] [ex=1] [counter=4] [z = -7.69483764063865] [fn-z = -7.69483764063865]
                        }
                }
        }

        size = vg_ptr->lv_max * sizeof(lv_t *);
Start --->
        if ((snap_lv_ptr = vmalloc ( size)) == NULL) {

        ... DELETED 40 lines ...

                        lvm_do_vg_remove(minor);
                        return -EFAULT;
                }
                if (lvm_do_lv_create(minor, lv.lv_name, &lv) != 0) {
                        lvm_do_vg_remove(minor);
Error --->
                        return -EFAULT;
                }
        }



