[bug report] cxl: Add guest-specific code

linuxppc-dev.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed

* [bug report] cxl: Add guest-specific code
@ 2016-07-14 21:53 Dan Carpenter
  2016-07-15  7:20 ` [PATCH] cxl: fix potential NULL dereference in free_adapter() Andrew Donnellan
  2016-07-15  7:23 ` [bug report] cxl: Add guest-specific code Andrew Donnellan
  0 siblings, 2 replies; 4+ messages in thread
From: Dan Carpenter @ 2016-07-14 21:53 UTC (permalink / raw)
  To: clombard; +Cc: linuxppc-dev

Hello Christophe Lombard,

The patch 14baf4d9c739: "cxl: Add guest-specific code" from Mar 4,
2016, leads to the following static checker warning:

	drivers/misc/cxl/guest.c:1115 cxl_guest_init_adapter()
	error: we previously assumed 'adapter->guest' could be null (see line 1114)

drivers/misc/cxl/guest.c
  1105  struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_device *pdev)
  1106  {
  1107          struct cxl *adapter;
  1108          bool free = true;
  1109          int rc;
  1110  
  1111          if (!(adapter = cxl_alloc_adapter()))
  1112                  return ERR_PTR(-ENOMEM);
  1113  
  1114          if (!(adapter->guest = kzalloc(sizeof(struct cxl_guest), GFP_KERNEL))) {
  1115                  free_adapter(adapter);
                        ^^^^^^^^^^^^^^^^^^^^^
We can't call free_adapter() if adapter->guest is NULL.

  1116                  return ERR_PTR(-ENOMEM);
  1117          }


	drivers/misc/cxl/guest.c:919 afu_properties_look_ok()
	warn: unsigned 'afu->crs_len' is never less than zero.

drivers/misc/cxl/guest.c
   907  static int afu_properties_look_ok(struct cxl_afu *afu)
   908  {
   909          if (afu->pp_irqs < 0) {
   910                  dev_err(&afu->dev, "Unexpected per-process minimum interrupt value\n");
   911                  return -EINVAL;
   912          }
   913  
   914          if (afu->max_procs_virtualised < 1) {
   915                  dev_err(&afu->dev, "Unexpected max number of processes virtualised value\n");
   916                  return -EINVAL;
   917          }
   918  
   919          if (afu->crs_len < 0) {
                    ^^^^^^^^^^^^^^^^
Remove this test.  Unsigned is never less than zero.

   920                  dev_err(&afu->dev, "Unexpected configuration record size value\n");
   921                  return -EINVAL;
   922          }
   923  
   924          return 0;
   925  }


regards,
dan carpenter

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] cxl: fix potential NULL dereference in free_adapter()
  2016-07-14 21:53 [bug report] cxl: Add guest-specific code Dan Carpenter
@ 2016-07-15  7:20 ` Andrew Donnellan
  2016-07-20  9:10   ` Michael Ellerman
  2016-07-15  7:23 ` [bug report] cxl: Add guest-specific code Andrew Donnellan
  1 sibling, 1 reply; 4+ messages in thread
From: Andrew Donnellan @ 2016-07-15  7:20 UTC (permalink / raw)
  To: linuxppc-dev, imunsie, clombard, fbarrat; +Cc: dan.carpenter

If kzalloc() fails when allocating adapter->guest in
cxl_guest_init_adapter(), we call free_adapter() before erroring out.
free_adapter() in turn attempts to dereference adapter->guest, which in
this case is NULL.

In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
NULL.

Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

---

Build tested only.
---
 drivers/misc/cxl/guest.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c
index ee7148e..9aa58a7 100644
--- a/drivers/misc/cxl/guest.c
+++ b/drivers/misc/cxl/guest.c
@@ -1055,16 +1055,18 @@ static void free_adapter(struct cxl *adapter)
 	struct irq_avail *cur;
 	int i;
 
-	if (adapter->guest->irq_avail) {
-		for (i = 0; i < adapter->guest->irq_nranges; i++) {
-			cur = &adapter->guest->irq_avail[i];
-			kfree(cur->bitmap);
+	if (adapter->guest) {
+		if (adapter->guest->irq_avail) {
+			for (i = 0; i < adapter->guest->irq_nranges; i++) {
+				cur = &adapter->guest->irq_avail[i];
+				kfree(cur->bitmap);
+			}
+			kfree(adapter->guest->irq_avail);
 		}
-		kfree(adapter->guest->irq_avail);
+		kfree(adapter->guest->status);
+		kfree(adapter->guest);
 	}
-	kfree(adapter->guest->status);
 	cxl_remove_adapter_nr(adapter);
-	kfree(adapter->guest);
 	kfree(adapter);
 }
 
-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan@au1.ibm.com  IBM Australia Limited

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [bug report] cxl: Add guest-specific code
  2016-07-14 21:53 [bug report] cxl: Add guest-specific code Dan Carpenter
  2016-07-15  7:20 ` [PATCH] cxl: fix potential NULL dereference in free_adapter() Andrew Donnellan
@ 2016-07-15  7:23 ` Andrew Donnellan
  1 sibling, 0 replies; 4+ messages in thread
From: Andrew Donnellan @ 2016-07-15  7:23 UTC (permalink / raw)
  To: Dan Carpenter, clombard
  Cc: linuxppc-dev, Ian Munsie, Frederic Barrat, Vaibhav Jain,
	Philippe Bergheaud

On 15/07/16 07:53, Dan Carpenter wrote:
>    919          if (afu->crs_len < 0) {
>                     ^^^^^^^^^^^^^^^^
> Remove this test.  Unsigned is never less than zero.

Is there another lower bound that we should be checking against here?

-- 
Andrew Donnellan              OzLabs, ADL Canberra
andrew.donnellan@au1.ibm.com  IBM Australia Limited

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: cxl: fix potential NULL dereference in free_adapter()
  2016-07-15  7:20 ` [PATCH] cxl: fix potential NULL dereference in free_adapter() Andrew Donnellan
@ 2016-07-20  9:10   ` Michael Ellerman
  0 siblings, 0 replies; 4+ messages in thread
From: Michael Ellerman @ 2016-07-20  9:10 UTC (permalink / raw)
  To: Andrew Donnellan, linuxppc-dev, imunsie, clombard, fbarrat; +Cc: dan.carpenter

On Fri, 2016-15-07 at 07:20:36 UTC, Andrew Donnellan wrote:
> If kzalloc() fails when allocating adapter->guest in
> cxl_guest_init_adapter(), we call free_adapter() before erroring out.
> free_adapter() in turn attempts to dereference adapter->guest, which in
> this case is NULL.
> 
> In free_adapter(), skip the adapter->guest cleanup if adapter->guest is
> NULL.
> 
> Fixes: 14baf4d9c739 ("cxl: Add guest-specific code")
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>

Applied to powerpc next, thanks.

https://git.kernel.org/powerpc/c/8fbaa51d43ef2c6a72849ec340

cheers

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-07-20  9:10 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-14 21:53 [bug report] cxl: Add guest-specific code Dan Carpenter
2016-07-15  7:20 ` [PATCH] cxl: fix potential NULL dereference in free_adapter() Andrew Donnellan
2016-07-20  9:10   ` Michael Ellerman
2016-07-15  7:23 ` [bug report] cxl: Add guest-specific code Andrew Donnellan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).