From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Jason Gunthorpe <jgg@nvidia.com>,
	David Airlie <airlied@linux.ie>,
	Tony Krowiak <akrowiak@linux.ibm.com>,
	Alex Williamson <alex.williamson@redhat.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Cornelia Huck <cohuck@redhat.com>,
	Jonathan Corbet <corbet@lwn.net>, Daniel Vetter <daniel@ffwll.ch>,
	Diana Craciun <diana.craciun@oss.nxp.com>,
	dri-devel@lists.freedesktop.org,
	Eric Auger <eric.auger@redhat.com>
Cc: kbuild-all@lists.01.org, lkp@intel.com
Subject: Re: [PATCH v3 02/14] vfio/mbochs: Fix missing error unwind of mbochs_used_mbytes
Date: Thu, 29 Jul 2021 12:38:12 +0300
Message-ID: <202107291357.SRO9xgCa-lkp@intel.com>
In-Reply-To: <2-v3-6c9e19cc7d44+15613-vfio_reflck_jgg@nvidia.com>

Hi Jason,

url:    https://github.com/0day-ci/linux/commits/Jason-Gunthorpe/Provide-core-infrastructure-for-managing-open-release/20210729-085124
base:   https://github.com/awilliam/linux-vfio.git next
config: x86_64-randconfig-m001-20210728 (attached as .config)
compiler: gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
samples/vfio-mdev/mbochs.c:566 mbochs_probe() error: we previously assumed 'mdev_state' could be null (see line 524)
samples/vfio-mdev/mbochs.c:566 mbochs_probe() error: dereferencing freed memory 'mdev_state'

vim +/mdev_state +566 samples/vfio-mdev/mbochs.c

681c1615f89144 Jason Gunthorpe 2021-06-17  508  static int mbochs_probe(struct mdev_device *mdev)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  509  {
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  510  	int avail_mbytes = atomic_read(&mbochs_avail_mbytes);
3d3a360e570616 Jason Gunthorpe 2021-04-06  511  	const struct mbochs_type *type =
3d3a360e570616 Jason Gunthorpe 2021-04-06  512  		&mbochs_types[mdev_get_type_group_id(mdev)];
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  513  	struct device *dev = mdev_dev(mdev);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  514  	struct mdev_state *mdev_state;
681c1615f89144 Jason Gunthorpe 2021-06-17  515  	int ret = -ENOMEM;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  516  
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  517  	do {
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  518  		if (avail_mbytes < type->mbytes)
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  519  			return -ENOSPC;
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  520  	} while (!atomic_try_cmpxchg(&mbochs_avail_mbytes, &avail_mbytes,
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  521  				     avail_mbytes - type->mbytes));
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  522  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  523  	mdev_state = kzalloc(sizeof(struct mdev_state), GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11 @524  	if (mdev_state == NULL)
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  525  		goto err_avail;

This goto leads to a NULL deref

681c1615f89144 Jason Gunthorpe 2021-06-17  526  	vfio_init_group_dev(&mdev_state->vdev, &mdev->dev, &mbochs_dev_ops);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  527  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  528  	mdev_state->vconfig = kzalloc(MBOCHS_CONFIG_SPACE_SIZE, GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  529  	if (mdev_state->vconfig == NULL)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  530  		goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  531  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  532  	mdev_state->memsize = type->mbytes * 1024 * 1024;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  533  	mdev_state->pagecount = mdev_state->memsize >> PAGE_SHIFT;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  534  	mdev_state->pages = kcalloc(mdev_state->pagecount,
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  535  				    sizeof(struct page *),
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  536  				    GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  537  	if (!mdev_state->pages)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  538  		goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  539  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  540  	dev_info(dev, "%s: %s, %d MB, %ld pages\n", __func__,
3d3a360e570616 Jason Gunthorpe 2021-04-06  541  		 type->name, type->mbytes, mdev_state->pagecount);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  542  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  543  	mutex_init(&mdev_state->ops_lock);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  544  	mdev_state->mdev = mdev;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  545  	INIT_LIST_HEAD(&mdev_state->dmabufs);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  546  	mdev_state->next_id = 1;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  547  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  548  	mdev_state->type = type;
104c7405a64d93 Gerd Hoffmann   2018-09-21  549  	mdev_state->edid_regs.max_xres = type->max_x;
104c7405a64d93 Gerd Hoffmann   2018-09-21  550  	mdev_state->edid_regs.max_yres = type->max_y;
104c7405a64d93 Gerd Hoffmann   2018-09-21  551  	mdev_state->edid_regs.edid_offset = MBOCHS_EDID_BLOB_OFFSET;
104c7405a64d93 Gerd Hoffmann   2018-09-21  552  	mdev_state->edid_regs.edid_max_size = sizeof(mdev_state->edid_blob);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  553  	mbochs_create_config_space(mdev_state);
681c1615f89144 Jason Gunthorpe 2021-06-17  554  	mbochs_reset(mdev_state);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  555  
681c1615f89144 Jason Gunthorpe 2021-06-17  556  	ret = vfio_register_group_dev(&mdev_state->vdev);
681c1615f89144 Jason Gunthorpe 2021-06-17  557  	if (ret)
681c1615f89144 Jason Gunthorpe 2021-06-17  558  		goto err_mem;
681c1615f89144 Jason Gunthorpe 2021-06-17  559  	dev_set_drvdata(&mdev->dev, mdev_state);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  560  	return 0;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  561  err_mem:
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  562  	kfree(mdev_state->pages);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  563  	kfree(mdev_state->vconfig);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  564  	kfree(mdev_state);
                                                              ^^^^^^^^^^
Freed

909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  565  err_avail:
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28 @566  	atomic_add(mdev_state->type->mbytes, &mbochs_avail_mbytes);
                                                                   ^^^^^^^^^^

This should just be:
	atomic_add(type->mbytes, &mbochs_avail_mbytes);

681c1615f89144 Jason Gunthorpe 2021-06-17  567  	return ret;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  568  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
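As an added example, not part of this report or of the kernel sample, the following user-space C model replays the probe's error unwind with the fix the report suggests (refund from the local `type` rather than from `mdev_state->type`). The struct layouts are trimmed to what the unwind touches, the 64 MB budget and the 16 MB "small" type are constructed values, and `fake_kzalloc()` is an assumed stand-in for `kzalloc()` that fails on demand so each error path can be driven deterministically.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Names mirror the kernel sample for readability only; sizes and the
 * budget below are constructed, and fake_kzalloc() replaces kzalloc(). */
struct mbochs_type {
	const char *name;
	int mbytes;
};

struct mdev_state {
	const struct mbochs_type *type;
	void *vconfig;
};

static const struct mbochs_type mbochs_type_small = { "small", 16 };

/* Global MB budget shared by all instances (constructed starting value). */
static _Atomic int mbochs_avail_mbytes = 64;

static int avail(void)
{
	return atomic_load(&mbochs_avail_mbytes);
}

/* Stand-in for kzalloc(): returns NULL when fail is set so that a chosen
 * allocation can be made to fail on purpose. */
static void *fake_kzalloc(size_t n, bool fail)
{
	return fail ? NULL : calloc(1, n);
}

/* Reserve type->mbytes with the same CAS loop the probe uses; -ENOSPC when
 * the remaining budget is too small. */
static int reserve(const struct mbochs_type *type)
{
	int avail_mbytes = atomic_load(&mbochs_avail_mbytes);

	do {
		if (avail_mbytes < type->mbytes)
			return -ENOSPC;
	} while (!atomic_compare_exchange_weak(&mbochs_avail_mbytes, &avail_mbytes,
					       avail_mbytes - type->mbytes));
	return 0;
}

/* Model of the probe with the corrected unwind: the refund reads the local
 * `type`, which is valid on every error path, never mdev_state->type, which
 * is NULL when the first allocation failed and dangling after err_mem. */
static int probe_fixed(const struct mbochs_type *type, bool fail_state, bool fail_vconfig)
{
	struct mdev_state *mdev_state;
	int ret = -ENOMEM;

	if (reserve(type) < 0)
		return -ENOSPC;

	mdev_state = fake_kzalloc(sizeof(*mdev_state), fail_state);
	if (mdev_state == NULL)
		goto err_avail;	/* mdev_state is NULL here and must not be touched */
	mdev_state->type = type;

	mdev_state->vconfig = fake_kzalloc(256, fail_vconfig);
	if (mdev_state->vconfig == NULL)
		goto err_mem;

	/* Success. The model has no remove() path, so release the object now
	 * but keep the budget reserved, as the real device would until removal. */
	free(mdev_state->vconfig);
	free(mdev_state);
	return 0;
err_mem:
	free(mdev_state->vconfig);
	free(mdev_state);	/* mdev_state is freed memory from here on */
err_avail:
	atomic_fetch_add(&mbochs_avail_mbytes, type->mbytes);	/* local type, not mdev_state->type */
	return ret;
}

/* True when the probe fails with -ENOMEM and the budget is back where it
 * started, i.e. the unwind neither leaks nor double-refunds the reservation. */
static bool unwind_restores_budget(bool fail_state, bool fail_vconfig)
{
	int before = avail();
	int ret = probe_fixed(&mbochs_type_small, fail_state, fail_vconfig);

	return ret == -ENOMEM && avail() == before;
}

int main(void)
{
	printf("state alloc fails, budget restored: %s\n",
	       unwind_restores_budget(true, false) ? "yes" : "no");
	printf("vconfig alloc fails, budget restored: %s\n",
	       unwind_restores_budget(false, true) ? "yes" : "no");
	while (probe_fixed(&mbochs_type_small, false, false) == 0)
		printf("probe ok, %d MB left\n", avail());
	printf("probe refused with -ENOSPC at %d MB left\n", avail());
	return 0;
}
```

The pattern to take away is that any value needed on an error path should be captured in a local before the allocation it unwinds, so the unwind never has to reach into an object that may be NULL or already freed.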

