In con_init(), the pointers vc_cons[currcons].d, vc and vc->vc_screenbuf are allocated with kzalloc() and then used by the following code. When memory allocation fails, kzalloc() returns NULL, so a null pointer dereference of vc_cons[currcons].d, vc or vc->vc_screenbuf can follow and crash the kernel. Therefore, we should check the return value and handle the error. Further, since the allocation is done in a loop, we should free all the allocated memory in a loop.
Signed-off-by: Gen Zhang <blackgod016...@gmail.com>
Reviewed-by: Nicolas Pitre <n...@fluxnic.net>
---
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index fdd12f8..d50f68f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3350,10 +3350,14 @@ static int __init con_init(void)
 for (currcons = 0; currcons < MIN_NR_CONSOLES; currcons++) {
 vc_cons[currcons].d = vc = kzalloc(sizeof(struct vc_data), GFP_NOWAIT);
+ if (!vc)
+ goto fail1;
 INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK);
 tty_port_init(&vc->port);
 visual_init(vc, currcons, 1);
 vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT);
+ if (!vc->vc_screenbuf)
+ goto fail2;
 vc_init(vc, vc->vc_rows, vc->vc_cols, currcons || !vc->vc_sw->con_save_screen);
 }
@@ -3375,6 +3379,16 @@ static int __init con_init(void)
 register_console(&vt_console_driver);
 #endif
 return 0;
+fail1:
+ while (currcons > 0) {
+ currcons--;
+ kfree(vc_cons[currcons].d->vc_screenbuf);
+fail2:
+ kfree(vc_cons[currcons].d);
+ vc_cons[currcons].d = NULL;
+ }
+ console_unlock();
+ return -ENOMEM;
 }
 console_initcall(con_init);
---
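Review bot: The unwind added at `fail1`/`fail2` in the second hunk frees only the two kzalloc() results, but the first hunk shows that by the time the screenbuf allocation fails the current console (and every earlier one) has already been through `INIT_WORK`, `tty_port_init` and `visual_init`, none of which is undone here; at minimum the `tty_port_init(&vc->port)` should be paired with `tty_port_destroy(&vc->port)` on this path, and whatever `visual_init` acquires from the console driver needs the same check (both helpers are outside the hunk, so this is inferred from the visible calls). Jumping to `fail2` in the middle of the `while` body is legal C but easy to misread, and since the failing slot holds either `.d == NULL` or `.vc_screenbuf == NULL`, a single label with a NULL-tolerant loop covers both cases with both gotos becoming `goto fail;`. `currcons` is declared outside the hunk; the `do ... while (currcons-- > 0)` form below terminates whether it is signed or unsigned, which a `>= 0` guard would not if it is unsigned. The rest of con_init(), including the `console_lock()` that the added `console_unlock()` presumably balances, is outside the hunk.
```c
fail:
	/* The slot that failed holds either .d == NULL or .vc_screenbuf == NULL,
	 * so one NULL-tolerant loop unwinds it together with all earlier consoles. */
	do {
		vc = vc_cons[currcons].d;
		if (vc) {
			/* TODO: also undo tty_port_init()/visual_init() for this console */
			kfree(vc->vc_screenbuf);
			kfree(vc);
			vc_cons[currcons].d = NULL;
		}
	} while (currcons-- > 0);
	console_unlock();
	return -ENOMEM;
```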