x86/xen: Fix some null pointer dereference issues in smp.c
Commit Message
kasprintf() returns a pointer to dynamically allocated memory
which can be NULL upon failure. Ensure the allocation was successful
by checking the pointer validity.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
---
arch/x86/xen/smp.c | 8 ++++++++
1 file changed, 8 insertions(+)
Comments
Hi Kunwu,
kernel test robot noticed the following build warnings:
[auto build test WARNING on tip/x86/core]
[also build test WARNING on linus/master v6.7 next-20240112]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kunwu-Chan/x86-xen-Fix-some-null-pointer-dereference-issues-in-smp-c/20240115-180429
base: tip/x86/core
patch link: https://lore.kernel.org/r/20240115100138.34340-1-chentao%40kylinos.cn
patch subject: [PATCH] x86/xen: Fix some null pointer dereference issues in smp.c
config: x86_64-rhel-8.3-rust (https://download.01.org/0day-ci/archive/20240116/202401161119.iof6BQsf-lkp@intel.com/config)
compiler: ClangBuiltLinux clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20240116/202401161119.iof6BQsf-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202401161119.iof6BQsf-lkp@intel.com/
All warnings (new ones prefixed by >>):
>> arch/x86/xen/smp.c:68:6: warning: variable 'rc' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
68 | if (!resched_name)
| ^~~~~~~~~~~~~
arch/x86/xen/smp.c:127:9: note: uninitialized use occurs here
127 | return rc;
| ^~
arch/x86/xen/smp.c:68:2: note: remove the 'if' if its condition is always false
68 | if (!resched_name)
| ^~~~~~~~~~~~~~~~~~
69 | goto fail;
| ~~~~~~~~~
arch/x86/xen/smp.c:64:8: note: initialize the variable 'rc' to silence this warning
64 | int rc;
| ^
| = 0
1 warning generated.
vim +68 arch/x86/xen/smp.c
61
62 int xen_smp_intr_init(unsigned int cpu)
63 {
64 int rc;
65 char *resched_name, *callfunc_name, *debug_name;
66
67 resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
> 68 if (!resched_name)
69 goto fail;
70 per_cpu(xen_resched_irq, cpu).name = resched_name;
71 rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
72 cpu,
73 xen_reschedule_interrupt,
74 IRQF_PERCPU|IRQF_NOBALANCING,
75 resched_name,
76 NULL);
77 if (rc < 0)
78 goto fail;
79 per_cpu(xen_resched_irq, cpu).irq = rc;
80
81 callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu);
82 if (!callfunc_name)
83 goto fail;
84 per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
85 rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR,
86 cpu,
87 xen_call_function_interrupt,
88 IRQF_PERCPU|IRQF_NOBALANCING,
89 callfunc_name,
90 NULL);
91 if (rc < 0)
92 goto fail;
93 per_cpu(xen_callfunc_irq, cpu).irq = rc;
94
95 if (!xen_fifo_events) {
96 debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu);
97 if (!debug_name)
98 goto fail;
99 per_cpu(xen_debug_irq, cpu).name = debug_name;
100 rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu,
101 xen_debug_interrupt,
102 IRQF_PERCPU | IRQF_NOBALANCING,
103 debug_name, NULL);
104 if (rc < 0)
105 goto fail;
106 per_cpu(xen_debug_irq, cpu).irq = rc;
107 }
108
109 callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu);
110 if (!callfunc_name)
111 goto fail;
112 per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
113 rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR,
114 cpu,
115 xen_call_function_single_interrupt,
116 IRQF_PERCPU|IRQF_NOBALANCING,
117 callfunc_name,
118 NULL);
119 if (rc < 0)
120 goto fail;
121 per_cpu(xen_callfuncsingle_irq, cpu).irq = rc;
122
123 return 0;
124
125 fail:
126 xen_smp_intr_free(cpu);
127 return rc;
128 }
129
@@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu)
char *resched_name, *callfunc_name, *debug_name;
resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
+ if (!resched_name)
+ goto fail;
per_cpu(xen_resched_irq, cpu).name = resched_name;
rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
cpu,
@@ -77,6 +79,8 @@ int xen_smp_intr_init(unsigned int cpu)
per_cpu(xen_resched_irq, cpu).irq = rc;
callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu);
+ if (!callfunc_name)
+ goto fail;
per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;
rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR,
cpu,
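Review bot: When this `callfunc_name` check fails, `rc` still holds the non-negative IRQ number returned by the preceding successful `bind_ipi_to_irqhandler()` call, so `goto fail` ends in `return rc` with a value that does not look like an error. The `debug_name` check in the third hunk and the `callfuncsingle` check in the fourth hunk have the same problem. Callers are not visible here, but any caller that tests for a negative return would treat a CPU whose IPI handlers were just torn down by `xen_smp_intr_free()` as successfully initialised. Set the error explicitly before jumping, e.g. `if (!callfunc_name) { rc = -ENOMEM; goto fail; }`, or jump to a separate label that assigns `rc = -ENOMEM;` and falls through to `fail:`. The body of `xen_smp_intr_init()` starts and ends outside this hunk.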
@@ -90,6 +94,8 @@ int xen_smp_intr_init(unsigned int cpu)
if (!xen_fifo_events) {
debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu);
+ if (!debug_name)
+ goto fail;
per_cpu(xen_debug_irq, cpu).name = debug_name;
rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu,
xen_debug_interrupt,
@@ -101,6 +107,8 @@ int xen_smp_intr_init(unsigned int cpu)
}
callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu);
+ if (!callfunc_name)
+ goto fail;
per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;
rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR,
cpu,