Message ID | 20170215034004.9255-1-david@gibson.dropbear.id.au (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
On Wed, Feb 15, 2017 at 02:40:04PM +1100, David Gibson wrote: > resize_hpt_release(), called once the HPT resize of a KVM guest is > completed (successfully or unsuccessfully) free()s the state structure for > the resize. It is currently not safe to call with a NULL pointer. > > However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can > invoke it with a NULL pointer. This will occur if userspace improperly > invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling > KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an > intervening PREPARE. > > To fix this potential crash bug - and maybe others like it, make it safe > (and a no-op) to call resize_hpt_release() with a NULL resize pointer. > > Found by Dan Carpenter with a static checker. > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Ping, Paul have you taken this one? > --- > arch/powerpc/kvm/book3s_64_mmu_hv.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c > index 013552f..72ccac2 100644 > --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c > +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c > @@ -1407,6 +1407,9 @@ static void resize_hpt_release(struct kvm *kvm, struct kvm_resize_hpt *resize) > { > BUG_ON(kvm->arch.resize_hpt != resize); > > + if (!resize) > + return; > + > if (resize->hpt.virt) > kvmppc_free_hpt(&resize->hpt); >
On Tue, Feb 28, 2017 at 11:56:55AM +1100, David Gibson wrote: > On Wed, Feb 15, 2017 at 02:40:04PM +1100, David Gibson wrote: > > resize_hpt_release(), called once the HPT resize of a KVM guest is > > completed (successfully or unsuccessfully) free()s the state structure for > > the resize. It is currently not safe to call with a NULL pointer. > > > > However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can > > invoke it with a NULL pointer. This will occur if userspace improperly > > invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling > > KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an > > intervening PREPARE. > > > > To fix this potential crash bug - and maybe others like it, make it safe > > (and a no-op) to call resize_hpt_release() with a NULL resize pointer. > > > > Found by Dan Carpenter with a static checker. > > > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > > Signed-off-by: David Gibson <david@gibson.dropbear.id.au> > > Ping, > > Paul have you taken this one? Yes, thanks, it's in Linus' tree now. Paul.
diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c index 013552f..72ccac2 100644 --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c @@ -1407,6 +1407,9 @@ static void resize_hpt_release(struct kvm *kvm, struct kvm_resize_hpt *resize) { BUG_ON(kvm->arch.resize_hpt != resize); + if (!resize) + return; + if (resize->hpt.virt) kvmppc_free_hpt(&resize->hpt);
resize_hpt_release(), called once the HPT resize of a KVM guest is completed (successfully or unsuccessfully) free()s the state structure for the resize. It is currently not safe to call with a NULL pointer. However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can invoke it with a NULL pointer. This will occur if userspace improperly invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an intervening PREPARE. To fix this potential crash bug - and maybe others like it, make it safe (and a no-op) to call resize_hpt_release() with a NULL resize pointer. Found by Dan Carpenter with a static checker. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David Gibson <david@gibson.dropbear.id.au> --- arch/powerpc/kvm/book3s_64_mmu_hv.c | 3 +++ 1 file changed, 3 insertions(+)