The devm_kmalloc() function may return NULL when memory allocation fails. In nd_pfn_probe() and nd_dax_probe(), the return values of devm_kmalloc() are not checked. If pfn_sb is NULL, it will cause a NULL pointer dereference in the subsequent calls to nd_pfn_validate().
Additionally, if the allocation fails, the devices initialized by nd_pfn_devinit() or nd_dax_devinit() are not properly released, leading to memory leaks. Fix this by checking the return value of devm_kmalloc() in both functions. If the allocation fails, use put_device() to release the initialized device and return -ENOMEM. Signed-off-by: Zhaoyang Yu <[email protected]> --- drivers/nvdimm/dax_devs.c | 4 ++++ drivers/nvdimm/pfn_devs.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/drivers/nvdimm/dax_devs.c b/drivers/nvdimm/dax_devs.c index ba4c409ede65..aa51a9022d12 100644 --- a/drivers/nvdimm/dax_devs.c +++ b/drivers/nvdimm/dax_devs.c @@ -111,6 +111,10 @@ int nd_dax_probe(struct device *dev, struct nd_namespace_common *ndns) return -ENOMEM; } pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL); + if (!pfn_sb) { + put_device(dax_dev); + return -ENOMEM; + } nd_pfn = &nd_dax->nd_pfn; nd_pfn->pfn_sb = pfn_sb; rc = nd_pfn_validate(nd_pfn, DAX_SIG); diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c index 42b172fc5576..6a69d8bfeb7c 100644 --- a/drivers/nvdimm/pfn_devs.c +++ b/drivers/nvdimm/pfn_devs.c @@ -635,6 +635,10 @@ int nd_pfn_probe(struct device *dev, struct nd_namespace_common *ndns) if (!pfn_dev) return -ENOMEM; pfn_sb = devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL); + if (!pfn_sb) { + put_device(pfn_dev); + return -ENOMEM; + } nd_pfn = to_nd_pfn(pfn_dev); nd_pfn->pfn_sb = pfn_sb; rc = nd_pfn_validate(nd_pfn, PFN_SIG); -- 2.34.1
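Review bot: In nd_dax_probe(), the new `if (!pfn_sb)` branch tears the device down with put_device(dax_dev) alone, and nothing in the hunk shows that this is the complete teardown for a device that nd_dax_devinit() has already set up. Please confirm it matches what the failure path after nd_pfn_validate(nd_pfn, DAX_SIG) does. If that path does more than put_device(), set rc = -ENOMEM and reuse it rather than open-coding a second, shorter cleanup.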
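Review bot: In nd_pfn_probe(), pfn_sb is allocated and checked only after the `if (!pfn_dev)` test, which is the only reason the new branch needs put_device(pfn_dev). The call devm_kmalloc(dev, sizeof(*pfn_sb), GFP_KERNEL) depends on neither pfn_dev nor nd_pfn, so consider moving it ahead of device initialization, where a failure can be a plain return -ENOMEM with nothing to unwind. If it has to stay where it is, say why in the commit message, and add a Fixes: tag, since the trailer carries only Signed-off-by.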

