
arch: x86: xen: check the return value of kasprintf()

Message ID 20220225081121.18803-1-baijiaju1990@gmail.com (mailing list archive)
State New, archived

Commit Message

Jia-Ju Bai Feb. 25, 2022, 8:11 a.m. UTC
The function kasprintf() can fail, but there is no check of its return
value. To fix this bug, its return value should be checked with new
error handling code.

Fixes: f87e4cac4f4e ("xen: SMP guest support")
Fixes: 83b96794e0ea ("x86/xen: split off smp_pv.c")
Fixes: d5de8841355a ("x86: split spinlock implementations out into their own files")
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 arch/x86/xen/smp.c      | 2 ++
 arch/x86/xen/smp_pv.c   | 2 ++
 arch/x86/xen/spinlock.c | 2 ++
 3 files changed, 6 insertions(+)

Comments

Jürgen Groß Feb. 25, 2022, 1:27 p.m. UTC | #1
On 25.02.22 09:11, Jia-Ju Bai wrote:
> The function kasprintf() can fail, but there is no check of its return
> value. To fix this bug, its return value should be checked with new
> error handling code.
> 
> Fixes: f87e4cac4f4e ("xen: SMP guest support")
> Fixes: 83b96794e0ea ("x86/xen: split off smp_pv.c")
> Fixes: d5de8841355a ("x86: split spinlock implementations out into their own files")
> Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>   arch/x86/xen/smp.c      | 2 ++
>   arch/x86/xen/smp_pv.c   | 2 ++
>   arch/x86/xen/spinlock.c | 2 ++
>   3 files changed, 6 insertions(+)
> 
> diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
> index c3e1f9a7d43a..91261390f8c0 100644
> --- a/arch/x86/xen/smp.c
> +++ b/arch/x86/xen/smp.c
> @@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu)
>   	char *resched_name, *callfunc_name, *debug_name;
>   
>   	resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
> +	if (!resched_name)
> +		return -ENOMEM;

There are 3 more instances of kasprintf() in this function.

>   	rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
>   				    cpu,
>   				    xen_reschedule_interrupt,
> diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
> index 4a6019238ee7..7d1471fd1267 100644
> --- a/arch/x86/xen/smp_pv.c
> +++ b/arch/x86/xen/smp_pv.c
> @@ -118,6 +118,8 @@ int xen_smp_intr_init_pv(unsigned int cpu)
>   	char *callfunc_name, *pmu_name;
>   
>   	callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
> +	if (!callfunc_name)
> +		return -ENOMEM;

And in here is another one, too.

>   	rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
>   				    cpu,
>   				    xen_irq_work_interrupt,
> diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
> index 043c73dfd2c9..ccdb9eddd93b 100644
> --- a/arch/x86/xen/spinlock.c
> +++ b/arch/x86/xen/spinlock.c
> @@ -75,6 +75,8 @@ void xen_init_lock_cpu(int cpu)
>   	     cpu, per_cpu(lock_kicker_irq, cpu));
>   
>   	name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
> +	if (!name)
> +		return;

Just failing silently is not nice.

>   	irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
>   				     cpu,
>   				     dummy_handler,


Juergen

Patch

diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index c3e1f9a7d43a..91261390f8c0 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -65,6 +65,8 @@  int xen_smp_intr_init(unsigned int cpu)
 	char *resched_name, *callfunc_name, *debug_name;
 
 	resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
+	if (!resched_name)
+		return -ENOMEM;
 	rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
 				    cpu,
 				    xen_reschedule_interrupt,
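Review bot: The bare `return -ENOMEM;` after the `resched_name` check has no comment saying why it can skip unwinding, and the same applies to the `callfunc_name` check in the xen_smp_intr_init_pv hunk. In both hunks the kasprintf() call is the first statement after the declarations and comes before the bind_ipi_to_irqhandler() call, so presumably nothing has been bound or allocated at that point. I would say so on the check, e.g. `/* first allocation: nothing bound yet, so no unwinding is needed */`, so that the bare return is not later copied to a place where IRQs are already bound. Both function bodies start and continue outside their hunks, so this should be confirmed against the full functions.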
diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
index 4a6019238ee7..7d1471fd1267 100644
--- a/arch/x86/xen/smp_pv.c
+++ b/arch/x86/xen/smp_pv.c
@@ -118,6 +118,8 @@  int xen_smp_intr_init_pv(unsigned int cpu)
 	char *callfunc_name, *pmu_name;
 
 	callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
+	if (!callfunc_name)
+		return -ENOMEM;
 	rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
 				    cpu,
 				    xen_irq_work_interrupt,
diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
index 043c73dfd2c9..ccdb9eddd93b 100644
--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -75,6 +75,8 @@  void xen_init_lock_cpu(int cpu)
 	     cpu, per_cpu(lock_kicker_irq, cpu));
 
 	name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
+	if (!name)
+		return;
 	irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
 				     cpu,
 				     dummy_handler,
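Review bot: The `if (!name) return;` path leaves this CPU without an IRQ bound for XEN_SPIN_UNLOCK_VECTOR, and nothing in the hunk records what state that leaves behind. The context line above the allocation reads `per_cpu(lock_kicker_irq, cpu)`, and the bind result assigned to `irq` is presumably stored there further down, outside the hunk; the early return skips that store. A comment on the check should state the invariant the rest of the code has to honour, e.g. `/* lock_kicker_irq keeps its unset value; this CPU gets no kicker IRQ */`, after confirming that every reader of `lock_kicker_irq` tolerates the unset value. xen_init_lock_cpu starts and continues outside the hunk.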