From patchwork Tue Aug 9 11:16:04 2016
X-Patchwork-Submitter: Christoffer Dall
X-Patchwork-Id: 9270895
From: Christoffer Dall
To: kvmarm@lists.cs.columbia.edu, Marc Zyngier, Andre Przywara
Cc: kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Christoffer Dall
Subject: [PATCH v2 1/3] KVM: arm64: vgic-its: Handle errors from vgic_add_lpi
Date: Tue, 9 Aug 2016 13:16:04 +0200
Message-Id: <20160809111606.28744-2-christoffer.dall@linaro.org>
X-Mailer: git-send-email 2.9.0
In-Reply-To: <20160809111606.28744-1-christoffer.dall@linaro.org>
References: <20160809111606.28744-1-christoffer.dall@linaro.org>

During low memory conditions, we could be dereferencing a NULL pointer
when vgic_add_lpi fails to allocate memory.

Consider for example this call sequence:

  vgic_its_cmd_handle_mapi
    itte->irq = vgic_add_lpi(kvm, lpi_nr);
    update_lpi_config(kvm, itte->irq, NULL);
      ret = kvm_read_guest(kvm, propbase + irq->intid
                                            ^^^^
                                            kaboom?

Instead, return an error pointer from vgic_add_lpi and check the return
value from its single caller.

Signed-off-by: Christoffer Dall
---
Notes:
    Changes since v1:
     - Stylistic changes
     - Use its_free_itte to free new_itte on error path

 virt/kvm/arm/vgic/vgic-its.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 07411cf..4e16880e 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -51,7 +51,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid) irq = kzalloc(sizeof(struct vgic_irq), GFP_KERNEL); if (!irq) - return NULL; + return ERR_PTR(-ENOMEM); INIT_LIST_HEAD(&irq->lpi_list); INIT_LIST_HEAD(&irq->ap_list); @@ -502,7 +502,8 @@ static void its_free_itte(struct kvm *kvm, struct its_itte *itte) list_del(&itte->itte_list); /* This put matches the get in vgic_add_lpi. */ - vgic_put_irq(kvm, itte->irq); + if (itte->irq) + vgic_put_irq(kvm, itte->irq); kfree(itte); }
@@ -693,10 +694,11 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, u32 device_id = its_cmd_get_deviceid(its_cmd); u32 event_id = its_cmd_get_id(its_cmd); u32 coll_id = its_cmd_get_collection(its_cmd); - struct its_itte *itte; + struct its_itte *itte, *new_itte = NULL; struct its_device *device; struct its_collection *collection, *new_coll = NULL; int lpi_nr; + struct vgic_irq *irq; device = find_its_device(its, device_id); if (!device) @@ -727,13 +729,24 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, return -ENOMEM; } + new_itte = itte; itte->event_id = event_id; list_add_tail(&itte->itte_list, &device->itt_head); } itte->collection = collection; itte->lpi = lpi_nr; - itte->irq = vgic_add_lpi(kvm, lpi_nr); + + irq = vgic_add_lpi(kvm, lpi_nr); + if (IS_ERR(irq)) { + if (new_coll) + vgic_its_free_collection(its, coll_id); + if (new_itte) + its_free_itte(kvm, new_itte); + return PTR_ERR(irq); + } + itte->irq = irq; + update_affinity_itte(kvm, itte); /*
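Review bot: the `@@ -51,7 +51,7 @@` hunk in vgic_add_lpi changes the failure contract from `return NULL;` to `return ERR_PTR(-ENOMEM);` without documenting it; add a comment above the function stating that it returns an ERR_PTR on failure and never NULL, so any future caller tests `IS_ERR(irq)` rather than `!irq`, and double-check that no other `return NULL` remains in the function body outside the shown context, since a mixed NULL/ERR_PTR convention is exactly how the original NULL dereference crept in.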
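Review bot: the `if (itte->irq)` guard added in the `@@ -502,7 +502,8 @@` hunk of its_free_itte is only safe if a freshly allocated ITTE has its irq field zeroed; the ITTE allocation is not in this diff, so please confirm it uses kzalloc (or set `itte->irq = NULL` explicitly where the entry is allocated). The comment should also say why irq can be NULL now, e.g. `/* This put matches the get in vgic_add_lpi; irq is NULL if MAPI failed before the LPI was added. */`.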
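Review bot: in the `@@ -727,13 +729,24 @@` hunk the ITTE is modified (`itte->collection = collection;` and `itte->lpi = lpi_nr;`) before vgic_add_lpi is called, so when the entry already existed (new_itte == NULL) a failed MAPI leaves it with the new lpi and collection but its old irq, and if new_coll is freed by vgic_its_free_collection the entry's collection pointer is stale unless that function clears it for every ITTE referencing the collection. Consider calling vgic_add_lpi first and only assigning itte->collection, itte->lpi and itte->irq once it succeeds, so a failed command leaves a pre-existing entry untouched; the cleanup order itself (free the new collection, then the new ITTE, then `return PTR_ERR(irq);`) looks right.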