2022-02-25 09:24:22

by Jia-Ju Bai

Subject: [PATCH] arch: x86: xen: check the return value of kasprintf()

The function kasprintf() can fail, but there is no check of its return
value. To fix this bug, its return value should be checked with new
error handling code.

Fixes: f87e4cac4f4e ("xen: SMP guest support")
Fixes: 83b96794e0ea ("x86/xen: split off smp_pv.c")
Fixes: d5de8841355a ("x86: split spinlock implementations out into their own files")
Reported-by: TOTE Robot <[email protected]>
Signed-off-by: Jia-Ju Bai <[email protected]>
---
arch/x86/xen/smp.c | 2 ++
arch/x86/xen/smp_pv.c | 2 ++
arch/x86/xen/spinlock.c | 2 ++
3 files changed, 6 insertions(+)

diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
index c3e1f9a7d43a..91261390f8c0 100644
--- a/arch/x86/xen/smp.c
+++ b/arch/x86/xen/smp.c
@@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu)
char *resched_name, *callfunc_name, *debug_name;

resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
+ if (!resched_name)
+ return -ENOMEM;
rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
cpu,
xen_reschedule_interrupt,
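Review bot: only the first of this function's kasprintf() calls is checked; callfunc_name and debug_name, declared on the context line at the top of this hunk, are filled by later kasprintf() calls that this patch leaves unchecked, so the fix is partial. Those later checks cannot reuse the bare `return -ENOMEM;` added here, because by then the bind_ipi_to_irqhandler() call visible below has already run and its IRQ (plus the names allocated so far) would leak on the early return; route every failure in the function through one error label that frees the allocated names and unbinds what was already bound.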
diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
index 4a6019238ee7..7d1471fd1267 100644
--- a/arch/x86/xen/smp_pv.c
+++ b/arch/x86/xen/smp_pv.c
@@ -118,6 +118,8 @@ int xen_smp_intr_init_pv(unsigned int cpu)
char *callfunc_name, *pmu_name;

callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
+ if (!callfunc_name)
+ return -ENOMEM;
rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
cpu,
xen_irq_work_interrupt,
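Review bot: pmu_name, declared on the context line at the top of this hunk, comes from another kasprintf() in this function that is left unchecked, so this hunk only covers half of the problem in xen_smp_intr_init_pv(). A check on pmu_name cannot be a second bare `return -ENOMEM;` either: it sits after the bind_ipi_to_irqhandler() call shown below, so returning there would leak the IRQ just bound together with callfunc_name. Use a shared unwind path instead of a second early return.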
diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
index 043c73dfd2c9..ccdb9eddd93b 100644
--- a/arch/x86/xen/spinlock.c
+++ b/arch/x86/xen/spinlock.c
@@ -75,6 +75,8 @@ void xen_init_lock_cpu(int cpu)
cpu, per_cpu(lock_kicker_irq, cpu));

name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
+ if (!name)
+ return;
irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
cpu,
dummy_handler,
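Review bot: the added `return;` makes xen_init_lock_cpu() fail silently: the function is void, so the caller never learns that this CPU's spinlock IPI was not bound, and the CPU will run without its lock kicker with no trace in the log. At minimum print a diagnostic naming the cpu (e.g. a pr_warn() or WARN()) before returning, and consider whether the failure should be propagated to the caller rather than swallowed.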
--
2.17.1


2022-02-25 21:38:28

by Jürgen Groß

Subject: Re: [PATCH] arch: x86: xen: check the return value of kasprintf()

On 25.02.22 09:11, Jia-Ju Bai wrote:
> The function kasprintf() can fail, but there is no check of its return
> value. To fix this bug, its return value should be checked with new
> error handling code.
>
> Fixes: f87e4cac4f4e ("xen: SMP guest support")
> Fixes: 83b96794e0ea ("x86/xen: split off smp_pv.c")
> Fixes: d5de8841355a ("x86: split spinlock implementations out into their own files")
> Reported-by: TOTE Robot <[email protected]>
> Signed-off-by: Jia-Ju Bai <[email protected]>
> ---
> arch/x86/xen/smp.c | 2 ++
> arch/x86/xen/smp_pv.c | 2 ++
> arch/x86/xen/spinlock.c | 2 ++
> 3 files changed, 6 insertions(+)
>
> diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
> index c3e1f9a7d43a..91261390f8c0 100644
> --- a/arch/x86/xen/smp.c
> +++ b/arch/x86/xen/smp.c
> @@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu)
> char *resched_name, *callfunc_name, *debug_name;
>
> resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);
> + if (!resched_name)
> + return -ENOMEM;

There are 3 more instances of kasprintf() in this function.

> rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,
> cpu,
> xen_reschedule_interrupt,
> diff --git a/arch/x86/xen/smp_pv.c b/arch/x86/xen/smp_pv.c
> index 4a6019238ee7..7d1471fd1267 100644
> --- a/arch/x86/xen/smp_pv.c
> +++ b/arch/x86/xen/smp_pv.c
> @@ -118,6 +118,8 @@ int xen_smp_intr_init_pv(unsigned int cpu)
> char *callfunc_name, *pmu_name;
>
> callfunc_name = kasprintf(GFP_KERNEL, "irqwork%d", cpu);
> + if (!callfunc_name)
> + return -ENOMEM;

And in here is another one, too.

> rc = bind_ipi_to_irqhandler(XEN_IRQ_WORK_VECTOR,
> cpu,
> xen_irq_work_interrupt,
> diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c
> index 043c73dfd2c9..ccdb9eddd93b 100644
> --- a/arch/x86/xen/spinlock.c
> +++ b/arch/x86/xen/spinlock.c
> @@ -75,6 +75,8 @@ void xen_init_lock_cpu(int cpu)
> cpu, per_cpu(lock_kicker_irq, cpu));
>
> name = kasprintf(GFP_KERNEL, "spinlock%d", cpu);
> + if (!name)
> + return;

Just failing silently is not nice.

> irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR,
> cpu,
> dummy_handler,


Juergen
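The shape of the fix the review above asks for (check every kasprintf() in a function and unwind the earlier allocations on failure, rather than returning bare from the middle) can be shown in user space. The following is an added example written for this thread, not code from the patch or from arch/x86/xen; my_kasprintf()/my_kfree() are stand-ins for the kernel allocator with a fault-injection counter bolted on, struct cpu_irq_names and cpu_irq_names_alloc() are hypothetical, and the "callfunc%u"/"debug%u" format strings are assumed (the patch only shows "resched%d", "irqwork%d" and "spinlock%d").

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bookkeeping for the stand-in allocator (not in the kernel API). */
static int live_allocs;    /* strings currently allocated, must be 0 after any failure */
static int alloc_calls;    /* calls made so far */
static int fail_at_alloc;  /* fault injection: fail the Nth call (1-based), 0 = never */

/* Stand-in for kasprintf(): format into a freshly allocated buffer,
 * NULL on allocation failure (the case the patch checks for). */
static char *my_kasprintf(const char *fmt, ...)
{
    va_list ap;
    int len;
    char *buf;

    alloc_calls++;
    if (fail_at_alloc && alloc_calls == fail_at_alloc)
        return NULL;                      /* simulated out-of-memory */

    va_start(ap, fmt);
    len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0)
        return NULL;

    buf = malloc((size_t)len + 1);
    if (!buf)
        return NULL;

    va_start(ap, fmt);
    vsnprintf(buf, (size_t)len + 1, fmt, ap);
    va_end(ap);
    live_allocs++;
    return buf;
}

/* Stand-in for kfree(): NULL-safe, keeps the live count honest. */
static void my_kfree(char *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Hypothetical per-CPU name set, mirroring the three names declared
 * in xen_smp_intr_init(). */
struct cpu_irq_names {
    char *resched_name;
    char *callfunc_name;
    char *debug_name;
};

/* Allocate all names; on the first failure free what was already
 * allocated and report -ENOMEM, leaving *n fully zeroed. */
static int cpu_irq_names_alloc(unsigned int cpu, struct cpu_irq_names *n)
{
    memset(n, 0, sizeof(*n));

    n->resched_name = my_kasprintf("resched%u", cpu);
    if (!n->resched_name)
        goto fail;
    n->callfunc_name = my_kasprintf("callfunc%u", cpu);   /* assumed format */
    if (!n->callfunc_name)
        goto fail_resched;
    n->debug_name = my_kasprintf("debug%u", cpu);         /* assumed format */
    if (!n->debug_name)
        goto fail_callfunc;
    return 0;

fail_callfunc:
    my_kfree(n->callfunc_name);
    n->callfunc_name = NULL;
fail_resched:
    my_kfree(n->resched_name);
    n->resched_name = NULL;
fail:
    return -ENOMEM;
}

static void cpu_irq_names_free(struct cpu_irq_names *n)
{
    my_kfree(n->debug_name);
    my_kfree(n->callfunc_name);
    my_kfree(n->resched_name);
    memset(n, 0, sizeof(*n));
}

/* Run one allocation attempt with the fault injected at call number
 * fail_step (0 = no fault). Returns the rc from cpu_irq_names_alloc();
 * *leaked receives the number of strings still live afterwards. */
static int run_scenario(unsigned int cpu, int fail_step, int *leaked)
{
    struct cpu_irq_names names;
    int rc;

    alloc_calls = 0;
    live_allocs = 0;
    fail_at_alloc = fail_step;

    rc = cpu_irq_names_alloc(cpu, &names);
    if (rc == 0)
        cpu_irq_names_free(&names);
    *leaked = live_allocs;
    return rc;
}

int main(void)
{
    int step, leaked;

    for (step = 0; step <= 3; step++) {
        int rc = run_scenario(3, step, &leaked);
        printf("fail at call %d: rc=%d leaked=%d\n", step, rc, leaked);
    }
    return 0;
}
```

With the single-label unwind every failure point leaves the struct zeroed and nothing allocated, which is what a caller of the real function would need before it can safely return -ENOMEM; the same shape extends to unbinding an IRQ once bind_ipi_to_irqhandler() has been called between two of the allocations.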

