drivers/net/ethernet/intel/ice/ice_gnss.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
As kzalloc() may fail and return a NULL pointer,
its return value should be checked
in order to avoid a NULL pointer dereference.
Fixes: d6b98c8d242a ("ice: add write functionality for GNSS TTY")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
---
drivers/net/ethernet/intel/ice/ice_gnss.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_gnss.c b/drivers/net/ethernet/intel/ice/ice_gnss.c
index b5a7f246d230..6d3d5e75726b 100644
--- a/drivers/net/ethernet/intel/ice/ice_gnss.c
+++ b/drivers/net/ethernet/intel/ice/ice_gnss.c
@@ -421,7 +421,7 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
const int ICE_TTYDRV_NAME_MAX = 14;
struct tty_driver *tty_driver;
char *ttydrv_name;
- unsigned int i;
+ unsigned int i, j;
int err;
tty_driver = tty_alloc_driver(ICE_GNSS_TTY_MINOR_DEVICES,
@@ -462,6 +462,17 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
GFP_KERNEL);
pf->gnss_serial[i] = NULL;
+ if (!pf->gnss_tty_port[i]) {
+ for (j = 0; j < i; j++) {
+ tty_port_destroy(pf->gnss_tty_port[j]);
+ kfree(pf->gnss_tty_port[j]);
+ }
+ kfree(ttydrv_name);
+ tty_driver_kref_put(pf->ice_gnss_tty_driver);
+
+ return NULL;
+ }
+
tty_port_init(pf->gnss_tty_port[i]);
tty_port_link_device(pf->gnss_tty_port[i], tty_driver, i);
}
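Review bot: The new error branch releases `pf->ice_gnss_tty_driver`, but the driver allocated in this function is held in the local `tty_driver` (the same pointer passed to `tty_port_link_device()` just below), and nothing in the visible hunks assigns it to the pf field before the loop. If that field is still unset or stale at this point, the object from `tty_alloc_driver()` leaks and the put lands on the wrong pointer; `tty_driver_kref_put(tty_driver);` would release what was actually taken. The freed `pf->gnss_tty_port[j]` slots also keep their old addresses, so adding `pf->gnss_tty_port[j] = NULL;` after the `kfree()` would stop any later teardown that walks the array from freeing them a second time. The function body starts and ends outside the hunk, so both points should be confirmed against the rest of it.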
--
2.25.1
On Tue, Dec 06, 2022 at 11:08:05AM +0800, Jiasheng Jiang wrote:
> As kzalloc may fail and return NULL pointer,
> it should be better to check the return value
> in order to avoid the NULL pointer dereference.
>
> Fixes: d6b98c8d242a ("ice: add write functionality for GNSS TTY")
> Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
> ---
> drivers/net/ethernet/intel/ice/ice_gnss.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
The idea is correct, but please change an implementation to use goto and proper unwind for whole function. It will remove duplication in the code which handles tty_port destroys. Thanks
>
> diff --git a/drivers/net/ethernet/intel/ice/ice_gnss.c b/drivers/net/ethernet/intel/ice/ice_gnss.c
> index b5a7f246d230..6d3d5e75726b 100644
> --- a/drivers/net/ethernet/intel/ice/ice_gnss.c
> +++ b/drivers/net/ethernet/intel/ice/ice_gnss.c
> @@ -421,7 +421,7 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
> const int ICE_TTYDRV_NAME_MAX = 14;
> struct tty_driver *tty_driver;
> char *ttydrv_name;
> - unsigned int i;
> + unsigned int i, j;
> int err;
>
> tty_driver = tty_alloc_driver(ICE_GNSS_TTY_MINOR_DEVICES,
> @@ -462,6 +462,17 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
> GFP_KERNEL);
> pf->gnss_serial[i] = NULL;
>
> + if (!pf->gnss_tty_port[i]) {
> + for (j = 0; j < i; j++) {
> + tty_port_destroy(pf->gnss_tty_port[j]);
> + kfree(pf->gnss_tty_port[j]);
> + }
> + kfree(ttydrv_name);
> + tty_driver_kref_put(pf->ice_gnss_tty_driver);
> +
> + return NULL;
> + }
> +
> tty_port_init(pf->gnss_tty_port[i]);
> tty_port_link_device(pf->gnss_tty_port[i], tty_driver, i);
> }
> --
> 2.25.1
>
Tue, Dec 06, 2022 at 04:08:05AM CET, jiasheng@iscas.ac.cn wrote:
>As kzalloc may fail and return NULL pointer,
>it should be better to check the return value
>in order to avoid the NULL pointer dereference.
Okay, so? Be imperative to the code base, tell it what to do in your patch description.
>
>Fixes: d6b98c8d242a ("ice: add write functionality for GNSS TTY")
>Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
>---
> drivers/net/ethernet/intel/ice/ice_gnss.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
>diff --git a/drivers/net/ethernet/intel/ice/ice_gnss.c b/drivers/net/ethernet/intel/ice/ice_gnss.c
>index b5a7f246d230..6d3d5e75726b 100644
>--- a/drivers/net/ethernet/intel/ice/ice_gnss.c
>+++ b/drivers/net/ethernet/intel/ice/ice_gnss.c
>@@ -421,7 +421,7 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
> const int ICE_TTYDRV_NAME_MAX = 14;
> struct tty_driver *tty_driver;
> char *ttydrv_name;
>- unsigned int i;
>+ unsigned int i, j;
> int err;
>
> tty_driver = tty_alloc_driver(ICE_GNSS_TTY_MINOR_DEVICES,
>@@ -462,6 +462,17 @@ static struct tty_driver *ice_gnss_create_tty_driver(struct ice_pf *pf)
> GFP_KERNEL);
> pf->gnss_serial[i] = NULL;
>
>+ if (!pf->gnss_tty_port[i]) {
>+ for (j = 0; j < i; j++) {
>+ tty_port_destroy(pf->gnss_tty_port[j]);
You are destroying port which you didn't call (pf->gnss_tty_port[i]) for. Also, you are introducing a code duplication here with the error path couple of lines below. Please convert this to goto-label error path so the cleanup code is shared.
>+ kfree(pf->gnss_tty_port[j]);
>+ }
>+ kfree(ttydrv_name);
>+ tty_driver_kref_put(pf->ice_gnss_tty_driver);
>+
>+ return NULL;
>+ }
>+
> tty_port_init(pf->gnss_tty_port[i]);
> tty_port_link_device(pf->gnss_tty_port[i], tty_driver, i);
> }
>--
>2.25.1
>