From patchwork Mon Aug 1 18:29:52 2016
X-Patchwork-Submitter: Christoffer Dall
X-Patchwork-Id: 73127
From: Christoffer Dall
To: Marc Zyngier, Andre Przywara, kvmarm@lists.cs.columbia.edu
Cc: Christoffer Dall, linux-arm-kernel@lists.infradead.org, kvm@vger.kernel.org
Subject: [PATCH] KVM: arm64: vgic-its: Handle errors from vgic_add_lpi
Date: Mon, 1 Aug 2016 20:29:52 +0200
Message-Id: <20160801182952.3005-1-christoffer.dall@linaro.org>
X-Mailer: git-send-email 2.9.0

During low memory conditions, we could be dereferencing a NULL pointer
when vgic_add_lpi fails to allocate memory.

Consider for example this call sequence:

  vgic_its_cmd_handle_mapi
    itte->irq = vgic_add_lpi(kvm, lpi_nr);
    update_lpi_config(kvm, itte->irq, NULL);
      ret = kvm_read_guest(kvm, propbase + irq->intid
                                           ^^^^ kaboom?

Instead, return an error pointer from vgic_add_lpi and check the return
value from its single caller.
Signed-off-by: Christoffer Dall --- virt/kvm/arm/vgic/vgic-its.c | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) -- 2.9.0 _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 07411cf..3515bdb 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -51,7 +51,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid) irq = kzalloc(sizeof(struct vgic_irq), GFP_KERNEL); if (!irq) - return NULL; + return ERR_PTR(-ENOMEM); INIT_LIST_HEAD(&irq->lpi_list); INIT_LIST_HEAD(&irq->ap_list); @@ -697,24 +697,33 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, struct its_device *device; struct its_collection *collection, *new_coll = NULL; int lpi_nr; - - device = find_its_device(its, device_id); - if (!device) - return E_ITS_MAPTI_UNMAPPED_DEVICE; + struct vgic_irq *irq = NULL; + int err = 0; if (its_cmd_get_command(its_cmd) == GITS_CMD_MAPTI) lpi_nr = its_cmd_get_physical_id(its_cmd); else lpi_nr = event_id; + if (lpi_nr < GIC_LPI_OFFSET || lpi_nr >= max_lpis_propbaser(kvm->arch.vgic.propbaser)) return E_ITS_MAPTI_PHYSICALID_OOR; + irq = vgic_add_lpi(kvm, lpi_nr); + if (IS_ERR(irq)) + return PTR_ERR(irq); + + device = find_its_device(its, device_id); + if (!device) { + err = E_ITS_MAPTI_UNMAPPED_DEVICE; + goto out; + } + collection = find_collection(its, coll_id); if (!collection) { - int ret = vgic_its_alloc_collection(its, &collection, coll_id); - if (ret) - return ret; + err = vgic_its_alloc_collection(its, &collection, coll_id); + if (err) + goto out; new_coll = collection; } 
@@ -722,9 +731,8 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, if (!itte) { itte = kzalloc(sizeof(struct its_itte), GFP_KERNEL); if (!itte) { - if (new_coll) - vgic_its_free_collection(its, coll_id); - return -ENOMEM; + err = -ENOMEM; + goto out; } itte->event_id = event_id; @@ -733,7 +741,8 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, itte->collection = collection; itte->lpi = lpi_nr; - itte->irq = vgic_add_lpi(kvm, lpi_nr); + vgic_get_irq_kref(irq); + itte->irq = irq; update_affinity_itte(kvm, itte); /* @@ -742,8 +751,15 @@ static int vgic_its_cmd_handle_mapi(struct kvm *kvm, struct vgic_its *its, * the respective config data from memory here upon mapping the LPI. */ update_lpi_config(kvm, itte->irq, NULL); + new_coll = NULL; + irq = NULL; - return 0; +out: + if (new_coll) + vgic_its_free_collection(its, coll_id); + if (irq) + vgic_put_irq(kvm, irq); + return err; } /* Requires the its_lock to be held. */
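Review bot: on the @@ -51,7 hunk, once vgic_add_lpi() returns ERR_PTR(-ENOMEM) instead of NULL, any caller that still tests the result against NULL will treat the error pointer as a valid irq and dereference it, so the function's comment block (not part of this hunk) should state the IS_ERR()/PTR_ERR() convention explicitly. The commit message says there is a single caller and the later hunks convert it, so the change itself is complete; the note is about keeping future callers from reintroducing the NULL check.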
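Review bot: on the @@ -697,24 hunk, the find_its_device() lookup is moved below the vgic_add_lpi() call, so a MAPTI/MAPI for an unmapped device now allocates or looks up an LPI and then releases it via vgic_put_irq() at out:, where before it simply returned E_ITS_MAPTI_UNMAPPED_DEVICE. Nothing needs cleaning up at that point, so the lookup could stay where it was with its direct `return E_ITS_MAPTI_UNMAPPED_DEVICE;` and vgic_add_lpi() would only run once both the physical ID and the device have been validated. The `return PTR_ERR(irq);` also hands back a negative errno from a function whose other failures are E_ITS_* command errors; that matches the -ENOMEM the handler already returned for its own kzalloc() failure, so it is consistent, but a short comment at the call site would help the next reader.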
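Review bot: on the @@ -733,7 hunk, the reference count on the success path looks one too high. The error path at out: calls vgic_put_irq(kvm, irq) on the pointer returned by vgic_add_lpi(), which only makes sense if that return value already carries a reference; this hunk then takes a second one with vgic_get_irq_kref(irq) before storing it in itte->irq, and the success path clears `irq = NULL` so neither is ever dropped. Unless vgic_add_lpi() is meant to return an unreferenced pointer (in which case the put in the error path is the bug), either drop the vgic_get_irq_kref() and let itte->irq take over the reference from vgic_add_lpi(), or keep the get and leave irq set so that out: always balances it with vgic_put_irq().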
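Review bot: on the @@ -742,8 hunk, the success path now falls through to out: with err still at its initial 0 and relies on `new_coll = NULL; irq = NULL;` to disarm the cleanup, which is easy to break later if someone assigns err on a non-fatal path or adds a third resource. Keeping the original `return 0;` immediately before the out: label is simpler, makes the two resets unnecessary and leaves out: purely as the error path. Separately, update_lpi_config() is still called without checking its result even though the commit message shows it assigning `ret = kvm_read_guest(...)` internally; a failed guest read is silently dropped here, which is pre-existing but worth a follow-up now that the error handling in this function has been restructured.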