From 1e26743c30eab7de59d341779dcd5159a9074154 Mon Sep 17 00:00:00 2001
From: Kuan-Wei Chiu
Date: Thu, 9 May 2024 01:09:47 +0800
Subject: [PATCH 1/3] vinput: Remove redundant memset call Remove redundant memset calls as memory allocated with kzalloc is already zeroed due to the presence of the __GFP_ZERO gfp flag.
---
examples/vinput.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/examples/vinput.c b/examples/vinput.c
index cf4d8eac..d7d2d238 100644
--- a/examples/vinput.c
+++ b/examples/vinput.c
@@ -179,8 +179,6 @@ static struct vinput *vinput_alloc_vdevice(void) try_module_get(THIS_MODULE); - memset(vinput, 0, sizeof(struct vinput)); - spin_lock_init(&vinput->lock); spin_lock(&vinput_lock);
From c068fa47e9246dcaac1f76bd76f7ea406c550114 Mon Sep 17 00:00:00 2001
From: Kuan-Wei Chiu
Date: Thu, 9 May 2024 01:11:20 +0800
Subject: [PATCH 2/3] vinput: Fix NULL pointer dereference caused by failed kzalloc allocation When kzalloc fails to allocate memory and returns NULL, it leads to a NULL pointer dereference error later on. Add a check for the return value of kzalloc. When kzalloc fails to allocate memory, it prints an error message and returns ERR_PTR(-ENOMEM).
---
examples/vinput.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/examples/vinput.c b/examples/vinput.c
index d7d2d238..51a1396b 100644
--- a/examples/vinput.c
+++ b/examples/vinput.c
@@ -177,6 +177,11 @@ static struct vinput *vinput_alloc_vdevice(void) int err; struct vinput *vinput = kzalloc(sizeof(struct vinput), GFP_KERNEL); + if (!vinput) { + pr_err("vinput: Cannot allocate vinput input device\n"); + return ERR_PTR(-ENOMEM); + } + try_module_get(THIS_MODULE); spin_lock_init(&vinput->lock);
From 0a23ecd02763e687d20c1706695ea84fb39f33c4 Mon Sep 17 00:00:00 2001
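Review bot: In the vinput_alloc_vdevice hunk of patch 2/3, the result of `try_module_get(THIS_MODULE)` on the line right after the new NULL check is still discarded, so a failed module reference goes unnoticed and the function carries on setting up the device. Consider checking it and unwinding, e.g. `if (!try_module_get(THIS_MODULE)) { kfree(vinput); return ERR_PTR(-ENODEV); }`. The new `pr_err()` is also redundant in kernel style, because the allocator already reports a failed GFP_KERNEL allocation; the bare `return ERR_PTR(-ENOMEM);` would do. The function's error paths and its callers lie outside the hunk, so confirm that every caller tests the result with `IS_ERR()` rather than against NULL.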
From: Kuan-Wei Chiu
Date: Thu, 9 May 2024 01:12:39 +0800
Subject: [PATCH 3/3] vinput: Fix incorrect handling on raw_copy_to_user() failure When raw_copy_to_user() failed in vinput_read(), the function would set 'count' to -EFAULT and then subtract EFAULT from '*offset'. However, modifying '*offset' on raw_copy_to_user() failure was incorrect. Fix this behavior by changing count = -EFAULT to return -EFAULT.
---
examples/vinput.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/vinput.c b/examples/vinput.c
index 51a1396b..ff226e2f 100644
--- a/examples/vinput.c
+++ b/examples/vinput.c
@@ -106,7 +106,7 @@ static ssize_t vinput_read(struct file *file, char __user *buffer, size_t count, count = len - *offset; if (raw_copy_to_user(buffer, buff + *offset, count)) - count = -EFAULT; + return -EFAULT; *offset += count;
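Review bot: The copy in vinput_read still goes through `raw_copy_to_user()`, the low-level primitive that leaves out the user-pointer range check and the hardened-usercopy and fault-annotation checks that `copy_to_user()` performs. Driver code should call `copy_to_user()` so that it does not depend on its callers having validated `buffer`. The condition would then read `if (copy_to_user(buffer, buff + *offset, count))`, with `return -EFAULT;` kept as is. The hunk also shows `count = len - *offset;` without its guarding condition, which lies outside the hunk along with the rest of the function. Confirm that `*offset` can never exceed `len` at that point, otherwise the `size_t` `count` would wrap to a very large length.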