From patchwork Fri Jun 26 16:11:02 2015
X-Patchwork-Submitter: Joerg Roedel
X-Patchwork-Id: 6682511
Date: Fri, 26 Jun 2015 18:11:02 +0200
From: Joerg Roedel
To: Dan Carpenter
Cc: kvm@vger.kernel.org, Paolo Bonzini, Gleb Natapov
Subject: [PATCH] kvm: irqchip: Fix possible memory leak in kvm_set_irq_routing()
Message-ID: <20150626161102.GB4767@suse.de>
References: <20150626090022.GA27118@mwanda>
In-Reply-To: <20150626090022.GA27118@mwanda>

Hi Dan,

On Fri, Jun 26, 2015 at 12:00:22PM +0300, Dan Carpenter wrote:
> The patch e73f61e41f3b: "kvm: irqchip: Break up high order
> allocations of kvm_irq_routing_table" from May 8, 2015, leads to the
> following static checker warning:
>    215          r = -EINVAL;
>    216          if (ue->flags)
>    217                  goto out;
>                         ^^^^^^^^
> Leaked here. Move in front of the allocation?

Right, this is a potential leak, thanks for the report. The patch below
should fix it:

From 14abe455d04f7208a16237a2f1321fd5e5c5d115 Mon Sep 17 00:00:00 2001
From: Joerg Roedel
Date: Fri, 26 Jun 2015 18:02:47 +0200
Subject: [PATCH] kvm: irqchip: Fix possible memory leak in kvm_set_irq_routing()

If ue->flags field is checked after the allocation of the
kvm_kernel_irq_routing_entry, it will be leaked if the check
succeeds. Do the check before the allocation instead to
avoid this leak.

Reported-by: Dan Carpenter
Fixes: e73f61e41f3b: "kvm: irqchip: Break up high order allocations of kvm_irq_routing_table"
Signed-off-by: Joerg Roedel
---
 virt/kvm/irqchip.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c index 21c1424..239f4ec 100644 --- a/virt/kvm/irqchip.c +++ b/virt/kvm/irqchip.c
@@ -207,14 +207,15 @@ int kvm_set_irq_routing(struct kvm *kvm, for (i = 0; i < nr; ++i) { struct kvm_kernel_irq_routing_entry *e; + r = -EINVAL; + if (ue->flags) + goto out; + r = -ENOMEM; e = kzalloc(sizeof(*e), GFP_KERNEL); if (!e) goto out; - r = -EINVAL; - if (ue->flags) - goto out; r = setup_routing_entry(new, e, ue); if (r) goto out;
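
Review bot: The unchanged context at the end of this hunk, "r = setup_routing_entry(new, e, ue); if (r) goto out;", still takes the shared out path while e is allocated, so the same per-entry leak remains possible there unless setup_routing_entry() always links e into new or frees it before returning an error; the hunk does not show which. Please confirm that, or free e on that branch (a kfree(e) before the goto, or a dedicated label) so every exit after the kzalloc() releases the entry. A smaller point on the commit message: the Fixes: tag is normally written without the colon after the hash and with the subject in parentheses, i.e. Fixes: e73f61e41f3b ("kvm: irqchip: Break up high order allocations of kvm_irq_routing_table"), so that tooling can match it.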