* [PATCH] drivers: hv: use kmalloc_array in mshv_root_scheduler_init
@ 2026-05-20 7:16 Can Peng
From: Can Peng @ 2026-05-20 7:16 UTC (permalink / raw)
To: kys, haiyangz, wei.liu, longli, decui
Cc: linux-kernel, linux-hyperv, Can Peng
Replace kmalloc() with kmalloc_array() to prevent potential
overflow, as recommended in Documentation/process/deprecated.rst.
Signed-off-by: Can Peng <pengcan@kylinos.cn>
---
drivers/hv/mshv_root_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
index bd1359eb58dd..146726cc4e9b 100644
--- a/drivers/hv/mshv_root_main.c
+++ b/drivers/hv/mshv_root_main.c
@@ -2241,7 +2241,7 @@ static int mshv_root_scheduler_init(unsigned int cpu)
outputarg = (void **)this_cpu_ptr(root_scheduler_output);
/* Allocate two consecutive pages. One for input, one for output. */
- p = kmalloc(2 * HV_HYP_PAGE_SIZE, GFP_KERNEL);
+ p = kmalloc_array(2, HV_HYP_PAGE_SIZE, GFP_KERNEL);
if (!p)
return -ENOMEM;
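Review bot: the overflow guard in kmalloc_array() only does anything when the element count or element size is a runtime value; in this hunk both operands (2 and HV_HYP_PAGE_SIZE) are compile-time constants, so the multiplication is folded and the requested size is identical to the kmalloc(2 * HV_HYP_PAGE_SIZE, GFP_KERNEL) it replaces. The commit message's "to prevent potential overflow" therefore overstates the effect; reword it to say the change is for consistency with Documentation/process/deprecated.rst, which is the actual motivation. The "Allocate two consecutive pages" comment above the call remains accurate because the allocation size does not change.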
--
2.53.0
* Re: [PATCH] drivers: hv: use kmalloc_array in mshv_root_scheduler_init
From: sashiko-bot @ 2026-05-20 7:55 UTC (permalink / raw)
To: Can Peng; +Cc: linux-hyperv
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] A CPU hotplug offline operation can lead to a NULL pointer dereference in `mshv_vp_dispatch` because user tasks can still execute on the offlining CPU after the per-CPU buffers have been freed.
--
commit 182b63fe189dbbf1da723a03d972eaa7cbb71f56
Author: Can Peng <pengcan@kylinos.cn>
drivers: hv: use kmalloc_array in mshv_root_scheduler_init
Replace kmalloc() with kmalloc_array() to prevent potential overflow, as
recommended in Documentation/process/deprecated.rst.
> diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
> index bd1359eb58dd4..146726cc4e9ba 100644
> --- a/drivers/hv/mshv_root_main.c
> +++ b/drivers/hv/mshv_root_main.c
> @@ -2241,7 +2241,7 @@ static int mshv_root_scheduler_init(unsigned int cpu)
> outputarg = (void **)this_cpu_ptr(root_scheduler_output);
>
> /* Allocate two consecutive pages. One for input, one for output. */
> - p = kmalloc(2 * HV_HYP_PAGE_SIZE, GFP_KERNEL);
> + p = kmalloc_array(2, HV_HYP_PAGE_SIZE, GFP_KERNEL);
^^^^^^^^^^^^^
[Severity: High]
This isn't a bug introduced by this patch, but is there a pre-existing
issue where a CPU hotplug offline operation can lead to a NULL pointer
dereference in mshv_vp_dispatch()?
The CPU hotplug teardown callback mshv_root_scheduler_cleanup() is registered
at CPUHP_AP_ONLINE_DYN. During a CPU offline operation, it frees the per-CPU
buffers and sets the pointers to NULL:
drivers/hv/mshv_root_main.c:mshv_root_scheduler_cleanup() {
...
*inputarg = NULL;
*outputarg = NULL;
...
}
User tasks can still execute on the offlining CPU at this high state in
the offline sequence. If a vCPU thread scheduled on the offlining CPU invokes
mshv_vp_dispatch() after the teardown callback has run, it unconditionally
dereferences the input buffer:
drivers/hv/mshv_root_main.c:mshv_vp_dispatch() {
...
preempt_disable();
input = *this_cpu_ptr(root_scheduler_input);
...
memset(input, 0, sizeof(*input));
...
}
Does this sequence result in a NULL pointer dereference if the input buffer
pointer has already been cleared by the cleanup callback?
> if (!p)
> return -ENOMEM;
>
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520071632.557990-1-pengcan@kylinos.cn?part=1
* Re: [PATCH] drivers: hv: use kmalloc_array in mshv_root_scheduler_init
From: Wei Liu @ 2026-05-27 22:27 UTC (permalink / raw)
To: Can Peng
Cc: kys, haiyangz, wei.liu, longli, decui, linux-kernel, linux-hyperv
On Wed, May 20, 2026 at 03:16:32PM +0800, Can Peng wrote:
> Replace kmalloc() with kmalloc_array() to prevent potential
> overflow, as recommended in Documentation/process/deprecated.rst.
>
> Signed-off-by: Can Peng <pengcan@kylinos.cn>
> ---
> drivers/hv/mshv_root_main.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/hv/mshv_root_main.c b/drivers/hv/mshv_root_main.c
> index bd1359eb58dd..146726cc4e9b 100644
> --- a/drivers/hv/mshv_root_main.c
> +++ b/drivers/hv/mshv_root_main.c
> @@ -2241,7 +2241,7 @@ static int mshv_root_scheduler_init(unsigned int cpu)
> outputarg = (void **)this_cpu_ptr(root_scheduler_output);
>
> /* Allocate two consecutive pages. One for input, one for output. */
> - p = kmalloc(2 * HV_HYP_PAGE_SIZE, GFP_KERNEL);
> + p = kmalloc_array(2, HV_HYP_PAGE_SIZE, GFP_KERNEL);
HV_HYP_PAGE_SIZE is a constant (4096). We don't have any dynamism in code.
There is zero potential for overflow.
That being said, I'm fine with taking this patch to stay consistent with
the document.
Thanks for your contribution.
Wei
> if (!p)
> return -ENOMEM;
>
> --
> 2.53.0
>
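The disagreement above comes down to when kmalloc_array()'s multiplication guard matters. The following added example (not from the patch or the kernel tree) is a userspace stand-in for that guard: it uses the 4096 value Wei Liu cites for HV_HYP_PAGE_SIZE and shows that for the constant count 2 the checked and unchecked sizes agree, while for a runtime page count large enough to wrap, plain multiplication silently yields 0 bytes and the guarded path reports failure instead. All identifiers and values are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Value quoted in the thread for HV_HYP_PAGE_SIZE (assumption for this example). */
#define HV_HYP_PAGE_SIZE ((size_t)4096)

/* Smallest page count whose byte size wraps size_t: SIZE_MAX/4096 + 1 pages.
 * On 64-bit this is 2^52, and 2^52 * 4096 == 2^64, which wraps to 0. */
#define WRAPPING_PAGE_COUNT (SIZE_MAX / HV_HYP_PAGE_SIZE + 1)

/* What kmalloc(n * size) computes: the product wraps with no error. */
static size_t unchecked_array_bytes(size_t n, size_t size)
{
    return n * size;
}

/* Mirrors the check_mul_overflow() step inside kmalloc_array():
 * returns 1 if n * size does not fit in size_t, 0 otherwise. */
static int array_bytes_overflow(size_t n, size_t size)
{
    size_t bytes;
    return __builtin_mul_overflow(n, size, &bytes) ? 1 : 0;
}

/* Userspace analogue of kmalloc_array(): NULL on overflow, else an
 * allocation of exactly n * size bytes (constructed stand-in, not the kernel API). */
static void *checked_alloc_array(size_t n, size_t size)
{
    size_t bytes;
    if (__builtin_mul_overflow(n, size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constant case from the patch: both paths request 8192 bytes. */
    printf("2 pages: unchecked=%zu overflow=%d\n",
           unchecked_array_bytes(2, HV_HYP_PAGE_SIZE),
           array_bytes_overflow(2, HV_HYP_PAGE_SIZE));

    /* Runtime case the guard exists for: unchecked size wraps to 0. */
    printf("wrapping count: unchecked=%zu overflow=%d alloc=%p\n",
           unchecked_array_bytes(WRAPPING_PAGE_COUNT, HV_HYP_PAGE_SIZE),
           array_bytes_overflow(WRAPPING_PAGE_COUNT, HV_HYP_PAGE_SIZE),
           checked_alloc_array(WRAPPING_PAGE_COUNT, HV_HYP_PAGE_SIZE));
    return 0;
}
```

A wrapped size of 0 is the dangerous outcome: the allocator hands back a zero-length object and every later write to the "two pages" lands out of bounds, which is exactly what the guard converts into a clean -ENOMEM path.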