[PATCH] x86/xen: avoid freeing static 'name' when kasprintf() fails

[PATCH] x86/xen: avoid freeing static 'name' when kasprintf() fails

[Vitaly Kuznetsov]

In case kasprintf() fails in xen_setup_timer() we assign name to the static
string "<timer kasprintf failed>". We, however, don't check that fact before
issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
'kernel BUG at mm/slub.c:3341!'

Solve the issue by making name a fixed length string inside struct
xen_clock_event_device. 16 bytes should be enough.

The issue was discovered by Laszlo Ersek.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
 arch/x86/xen/time.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
index f473d26..221ebb6 100644
--- a/arch/x86/xen/time.c
+++ b/arch/x86/xen/time.c
@@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
 
 struct xen_clock_event_device {
 	struct clock_event_device evt;
-	char *name;
+	char name[16];
 };
 static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
 
@@ -420,14 +420,11 @@ void xen_teardown_timer(int cpu)
 	if (evt->irq >= 0) {
 		unbind_from_irqhandler(evt->irq, NULL);
 		evt->irq = -1;
-		kfree(per_cpu(xen_clock_events, cpu).name);
-		per_cpu(xen_clock_events, cpu).name = NULL;
 	}
 }
 
 void xen_setup_timer(int cpu)
 {
-	char *name;
 	struct clock_event_device *evt;
 	int irq;
 
@@ -438,21 +435,19 @@ void xen_setup_timer(int cpu)
 
 	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
 
-	name = kasprintf(GFP_KERNEL, "timer%d", cpu);
-	if (!name)
-		name = "<timer kasprintf failed>";
+	snprintf(per_cpu(xen_clock_events, cpu).name, 16, "timer%d", cpu);
 
 	irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt,
 				      IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER|
 				      IRQF_FORCE_RESUME|IRQF_EARLY_RESUME,
-				      name, NULL);
+				      per_cpu(xen_clock_events, cpu).name,
+				      NULL);
 	(void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX);
 
 	memcpy(evt, xen_clockevent, sizeof(*evt));
 
 	evt->cpumask = cpumask_of(cpu);
 	evt->irq = irq;
-	per_cpu(xen_clock_events, cpu).name = name;
 }
 
 
-- 
1.9.3

Re: [Xen-devel] [PATCH] x86/xen: avoid freeing static 'name' when kasprintf() fails

[David Vrabel]

On 05/01/15 13:06, Vitaly Kuznetsov wrote:
> In case kasprintf() fails in xen_setup_timer() we assign name to the static
> string "<timer kasprintf failed>". We, however, don't check that fact before
> issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
> 'kernel BUG at mm/slub.c:3341!'
> 
> Solve the issue by making name a fixed length string inside struct
> xen_clock_event_device. 16 bytes should be enough.
> 
> The issue was discovered by Laszlo Ersek.

Add Reported-by: Laszlo ... tag perhaps?

> --- a/arch/x86/xen/time.c
> +++ b/arch/x86/xen/time.c
> @@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
>  
>  struct xen_clock_event_device {
>  	struct clock_event_device evt;
> -	char *name;
> +	char name[16];
>  };
>  static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
>  
> @@ -420,14 +420,11 @@ void xen_teardown_timer(int cpu)
>  	if (evt->irq >= 0) {
>  		unbind_from_irqhandler(evt->irq, NULL);
>  		evt->irq = -1;
> -		kfree(per_cpu(xen_clock_events, cpu).name);
> -		per_cpu(xen_clock_events, cpu).name = NULL;
>  	}
>  }
>  
>  void xen_setup_timer(int cpu)
>  {
> -	char *name;
>  	struct clock_event_device *evt;

struct xen_clock_event_device *xevt = ...;

>  	int irq;
>  
> @@ -438,21 +435,19 @@ void xen_setup_timer(int cpu)
>  
>  	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
>  
> -	name = kasprintf(GFP_KERNEL, "timer%d", cpu);
> -	if (!name)
> -		name = "<timer kasprintf failed>";
> +	snprintf(per_cpu(xen_clock_events, cpu).name, 16, "timer%d", cpu);

Use sizeof(xevt->name) here.

David

Re: [Xen-devel] [PATCH] x86/xen: avoid freeing static 'name' when kasprintf() fails

[Laszlo Ersek]

On 01/05/15 14:19, David Vrabel wrote:
> On 05/01/15 13:06, Vitaly Kuznetsov wrote:
>> In case kasprintf() fails in xen_setup_timer() we assign name to the static
>> string "<timer kasprintf failed>". We, however, don't check that fact before
>> issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
>> 'kernel BUG at mm/slub.c:3341!'
>>
>> Solve the issue by making name a fixed length string inside struct
>> xen_clock_event_device. 16 bytes should be enough.
>>
>> The issue was discovered by Laszlo Ersek.
> 
> Add Reported-by: Laszlo ... tag perhaps?
> 
>> --- a/arch/x86/xen/time.c
>> +++ b/arch/x86/xen/time.c
>> @@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
>>  
>>  struct xen_clock_event_device {
>>  	struct clock_event_device evt;
>> -	char *name;
>> +	char name[16];
>>  };
>>  static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
>>  
>> @@ -420,14 +420,11 @@ void xen_teardown_timer(int cpu)
>>  	if (evt->irq >= 0) {
>>  		unbind_from_irqhandler(evt->irq, NULL);
>>  		evt->irq = -1;
>> -		kfree(per_cpu(xen_clock_events, cpu).name);
>> -		per_cpu(xen_clock_events, cpu).name = NULL;
>>  	}
>>  }
>>  
>>  void xen_setup_timer(int cpu)
>>  {
>> -	char *name;
>>  	struct clock_event_device *evt;
> 
> struct xen_clock_event_device *xevt = ...;
> 
>>  	int irq;
>>  
>> @@ -438,21 +435,19 @@ void xen_setup_timer(int cpu)
>>  
>>  	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
>>  
>> -	name = kasprintf(GFP_KERNEL, "timer%d", cpu);
>> -	if (!name)
>> -		name = "<timer kasprintf failed>";
>> +	snprintf(per_cpu(xen_clock_events, cpu).name, 16, "timer%d", cpu);
> 
> Use sizeof(xevt->name) here.

Yes, I wanted to recommend sizeof too.

Also the "standard" Reported-by tag would be nice.

Thanks!
Laszlo

[PATCH v2] x86/xen: avoid freeing static 'name' when kasprintf() fails

[Vitaly Kuznetsov]

In case kasprintf() fails in xen_setup_timer() we assign name to the static
string "<timer kasprintf failed>". We, however, don't check that fact before
issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
'kernel BUG at mm/slub.c:3341!'

Solve the issue by making name a fixed length string inside struct
xen_clock_event_device. 16 bytes should be enough.

Suggested-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
Changes from v1 (David Vrabel):
- add 'struct xen_clock_event_device *xevt' for covenience
- sizeof(xevt->name) in snprintf() call
- Suggested-by: Laszlo Ersek
---
 arch/x86/xen/time.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
index f473d26..9f743f4 100644
--- a/arch/x86/xen/time.c
+++ b/arch/x86/xen/time.c
@@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
 
 struct xen_clock_event_device {
 	struct clock_event_device evt;
-	char *name;
+	char name[16];
 };
 static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
 
@@ -420,39 +420,33 @@ void xen_teardown_timer(int cpu)
 	if (evt->irq >= 0) {
 		unbind_from_irqhandler(evt->irq, NULL);
 		evt->irq = -1;
-		kfree(per_cpu(xen_clock_events, cpu).name);
-		per_cpu(xen_clock_events, cpu).name = NULL;
 	}
 }
 
 void xen_setup_timer(int cpu)
 {
-	char *name;
-	struct clock_event_device *evt;
+	struct xen_clock_event_device *xevt = &per_cpu(xen_clock_events, cpu);
+	struct clock_event_device *evt = &xevt->evt;
 	int irq;
 
-	evt = &per_cpu(xen_clock_events, cpu).evt;
 	WARN(evt->irq >= 0, "IRQ%d for CPU%d is already allocated\n", evt->irq, cpu);
 	if (evt->irq >= 0)
 		xen_teardown_timer(cpu);
 
 	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
 
-	name = kasprintf(GFP_KERNEL, "timer%d", cpu);
-	if (!name)
-		name = "<timer kasprintf failed>";
+	snprintf(xevt->name, sizeof(xevt->name), "timer%d", cpu);
 
 	irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt,
 				      IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER|
 				      IRQF_FORCE_RESUME|IRQF_EARLY_RESUME,
-				      name, NULL);
+				      xevt->name, NULL);
 	(void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX);
 
 	memcpy(evt, xen_clockevent, sizeof(*evt));
 
 	evt->cpumask = cpumask_of(cpu);
 	evt->irq = irq;
-	per_cpu(xen_clock_events, cpu).name = name;
 }
 
 
-- 
1.9.3

Re: [PATCH v2] x86/xen: avoid freeing static 'name' when kasprintf() fails

[Laszlo Ersek]

On 01/05/15 16:27, Vitaly Kuznetsov wrote:
> In case kasprintf() fails in xen_setup_timer() we assign name to the static
> string "<timer kasprintf failed>". We, however, don't check that fact before
> issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
> 'kernel BUG at mm/slub.c:3341!'
> 
> Solve the issue by making name a fixed length string inside struct
> xen_clock_event_device. 16 bytes should be enough.
> 
> Suggested-by: Laszlo Ersek <lersek@redhat.com>
> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> ---
> Changes from v1 (David Vrabel):
> - add 'struct xen_clock_event_device *xevt' for covenience
> - sizeof(xevt->name) in snprintf() call
> - Suggested-by: Laszlo Ersek
> ---
>  arch/x86/xen/time.c | 16 +++++-----------
>  1 file changed, 5 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
> index f473d26..9f743f4 100644
> --- a/arch/x86/xen/time.c
> +++ b/arch/x86/xen/time.c
> @@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
>  
>  struct xen_clock_event_device {
>  	struct clock_event_device evt;
> -	char *name;
> +	char name[16];
>  };
>  static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
>  
> @@ -420,39 +420,33 @@ void xen_teardown_timer(int cpu)
>  	if (evt->irq >= 0) {
>  		unbind_from_irqhandler(evt->irq, NULL);
>  		evt->irq = -1;
> -		kfree(per_cpu(xen_clock_events, cpu).name);
> -		per_cpu(xen_clock_events, cpu).name = NULL;
>  	}
>  }
>  
>  void xen_setup_timer(int cpu)
>  {
> -	char *name;
> -	struct clock_event_device *evt;
> +	struct xen_clock_event_device *xevt = &per_cpu(xen_clock_events, cpu);
> +	struct clock_event_device *evt = &xevt->evt;
>  	int irq;
>  
> -	evt = &per_cpu(xen_clock_events, cpu).evt;
>  	WARN(evt->irq >= 0, "IRQ%d for CPU%d is already allocated\n", evt->irq, cpu);
>  	if (evt->irq >= 0)
>  		xen_teardown_timer(cpu);
>  
>  	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
>  
> -	name = kasprintf(GFP_KERNEL, "timer%d", cpu);
> -	if (!name)
> -		name = "<timer kasprintf failed>";
> +	snprintf(xevt->name, sizeof(xevt->name), "timer%d", cpu);
>  
>  	irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt,
>  				      IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER|
>  				      IRQF_FORCE_RESUME|IRQF_EARLY_RESUME,
> -				      name, NULL);
> +				      xevt->name, NULL);
>  	(void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX);
>  
>  	memcpy(evt, xen_clockevent, sizeof(*evt));
>  
>  	evt->cpumask = cpumask_of(cpu);
>  	evt->irq = irq;
> -	per_cpu(xen_clock_events, cpu).name = name;
>  }
>  
>  
> 

Looks good to me (but I defer to Xen people of course :))

Reviewed-by: Laszlo Ersek <lersek@redhat.com>

Thanks!
Laszlo

Re: [Xen-devel] [PATCH v2] x86/xen: avoid freeing static 'name' when kasprintf() fails

[David Vrabel]

On 05/01/15 15:27, Vitaly Kuznetsov wrote:
> In case kasprintf() fails in xen_setup_timer() we assign name to the static
> string "<timer kasprintf failed>". We, however, don't check that fact before
> issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with
> 'kernel BUG at mm/slub.c:3341!'
> 
> Solve the issue by making name a fixed length string inside struct
> xen_clock_event_device. 16 bytes should be enough.

Applied to stable/for-linus-3.19, thanks.

David