Bug 114371 - there exists four wrong return values of function uio_dev_add_attributes()
Summary: there exists four wrong return values of function uio_dev_add_attributes()
Status: NEW
Alias: None
Product: Drivers
Classification: Unclassified
Component: Other (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: drivers_other
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-11 12:25 UTC by RUC_Soft_Sec
Modified: 2016-03-11 12:25 UTC (History)
0 users

See Also:
Kernel Version: 4.5
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description RUC_Soft_Sec 2016-03-11 12:25:02 UTC 
In function uio_dev_add_attributes() at drivers/uio/uio.c:line 255, return value "0" indicates success.If kobject_create_and_add() at line 272 ,kzalloc() at line 277 fails, function uio_dev_add_attributes() will return the value of variable "ret" which was not assigned a value at line 257.
If kobject_create_and_add() at line 297 ,kzalloc() at line 302 fails,function uio_dev_add_attributes() will return the value of variable "ret",which is 0 indicating success because kobject_uevent() at line 286 succeeded previously.But, function uio_dev_add_attributes() should propagate the error and return a negative number to its caller functions.

The related code snippets in uio_dev_add_attributes are as following.
uio_dev_add_attributes @@ drivers/uio/uio.c:line 255
	
http://lxr.free-electrons.com/source/drivers/uio/uio.c?v=3.18#L255
255 static int uio_dev_add_attributes(struct uio_device *idev)
256 {
257         int ret;
		......
266         for (mi = 0; mi < MAX_UIO_MAPS; mi++) {
267                 mem = &idev->info->mem[mi];
268                 if (mem->size == 0)
269                         break;
270                 if (!map_found) {
271                         map_found = 1;
272                         idev->map_dir = kobject_create_and_add("maps",
273                                                         &idev->dev->kobj);
274                         if (!idev->map_dir)					
275                                 goto err_map;
276                 }
277                 map = kzalloc(sizeof(*map), GFP_KERNEL);			
278                 if (!map)
279                         goto err_map_kobj;
280                 kobject_init(&map->kobj, &map_attr_type);
281                 map->mem = mem;
282                 mem->map = map;
283                 ret = kobject_add(&map->kobj, idev->map_dir, "map%d", mi);
284                 if (ret)
285                         goto err_map_kobj;
286                 ret = kobject_uevent(&map->kobj, KOBJ_ADD);
287                 if (ret)
288                         goto err_map;
289         }
290 
291         for (pi = 0; pi < MAX_UIO_PORT_REGIONS; pi++) {
292                 port = &idev->info->port[pi];
293                 if (port->size == 0)
294                         break;
295                 if (!portio_found) {
296                         portio_found = 1;
297                         idev->portio_dir = kobject_create_and_add("portio",
298                                                         &idev->dev->kobj);
299                         if (!idev->portio_dir)				
300                                 goto err_portio;
301                 }
302                 portio = kzalloc(sizeof(*portio), GFP_KERNEL);
303                 if (!portio)						
304                         goto err_portio_kobj;
		......
317         return 0;
318 
319 err_portio:
320         pi--;
321 err_portio_kobj:
322         for (; pi >= 0; pi--) {
323                 port = &idev->info->port[pi];
324                 portio = port->portio;
325                 kobject_put(&portio->kobj);
326         }
327         kobject_put(idev->portio_dir);
328 err_map:
329         mi--;
330 err_map_kobj:
331         for (; mi >= 0; mi--) {
332                 mem = &idev->info->mem[mi];
333                 map = mem->map;
334                 kobject_put(&map->kobj);
335         }
336         kobject_put(idev->map_dir);
337         dev_err(idev->dev, "error creating sysfs files (%d)\n", ret);
338         return ret;
339 }	

Generally, when the call to kobject_create_and_add() fails, the return value of caller functions 
should be different from another return value set when the call to kobject_create_and_add() succeeds, 
like the following codes in another file.
kobject_create_and_add @@ arch/x86/kernel/cpu/mcheck/mce_amd.c:line 711
677 static int threshold_create_bank(unsigned int cpu, unsigned int bank)
678 {
			  ...
711         b->kobj = kobject_create_and_add(name, &dev->kobj);
712         if (!b->kobj) {
713                 err = -EINVAL;
714                 goto out_free;
715         }
			  ...
	}	
	
Generally, when the call to kzalloc() fails, the return value of caller functions 
should be different from another return value set when the call to kzalloc() succeeds, 
like the following codes in another file.
kzalloc @@ arch/x86/kernel/cpu/mcheck/mce_amd.c:line 705
677 static int threshold_create_bank(unsigned int cpu, unsigned int bank)
678 {
			  ...
705         b = kzalloc(sizeof(struct threshold_bank), GFP_KERNEL);
706         if (!b) {
707                 err = -ENOMEM;
708                 goto out;
709         }
			  ...
	}
Note You need to log in before you can comment on or make changes to this bug.