Hi Jason,

url:    
https://github.com/0day-ci/linux/commits/Jason-Gunthorpe/Provide-core-infrastructure-for-managing-open-release/20210729-085124
base:   https://github.com/awilliam/linux-vfio.git next
config: x86_64-randconfig-m001-20210728 (attached as .config)
compiler: gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0

If you fix the issue, kindly add the following tag as appropriate
Reported-by: kernel test robot <l...@intel.com>
Reported-by: Dan Carpenter <dan.carpen...@oracle.com>

smatch warnings:
samples/vfio-mdev/mbochs.c:566 mbochs_probe() error: we previously assumed 'mdev_state' could be null (see line 524)
samples/vfio-mdev/mbochs.c:566 mbochs_probe() error: dereferencing freed memory 'mdev_state'

vim +/mdev_state +566 samples/vfio-mdev/mbochs.c

681c1615f89144 Jason Gunthorpe 2021-06-17  508  static int mbochs_probe(struct 
mdev_device *mdev)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  509  {
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  510          int avail_mbytes = 
atomic_read(&mbochs_avail_mbytes);
3d3a360e570616 Jason Gunthorpe 2021-04-06  511          const struct 
mbochs_type *type =
3d3a360e570616 Jason Gunthorpe 2021-04-06  512                  
&mbochs_types[mdev_get_type_group_id(mdev)];
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  513          struct device *dev = 
mdev_dev(mdev);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  514          struct mdev_state 
*mdev_state;
681c1615f89144 Jason Gunthorpe 2021-06-17  515          int ret = -ENOMEM;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  516  
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  517          do {
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  518                  if 
(avail_mbytes < type->mbytes)
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  519                          return 
-ENOSPC;
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  520          } while 
(!atomic_try_cmpxchg(&mbochs_avail_mbytes, &avail_mbytes,
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  521                                  
     avail_mbytes - type->mbytes));
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  522  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  523          mdev_state = 
kzalloc(sizeof(struct mdev_state), GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11 @524          if (mdev_state == NULL)
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  525                  goto err_avail;

This goto leads to a NULL deref

681c1615f89144 Jason Gunthorpe 2021-06-17  526          
vfio_init_group_dev(&mdev_state->vdev, &mdev->dev, &mbochs_dev_ops);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  527  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  528          mdev_state->vconfig = 
kzalloc(MBOCHS_CONFIG_SPACE_SIZE, GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  529          if (mdev_state->vconfig 
== NULL)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  530                  goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  531  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  532          mdev_state->memsize = 
type->mbytes * 1024 * 1024;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  533          mdev_state->pagecount = 
mdev_state->memsize >> PAGE_SHIFT;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  534          mdev_state->pages = 
kcalloc(mdev_state->pagecount,
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  535                                  
    sizeof(struct page *),
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  536                                  
    GFP_KERNEL);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  537          if (!mdev_state->pages)
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  538                  goto err_mem;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  539  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  540          dev_info(dev, "%s: %s, 
%d MB, %ld pages\n", __func__,
3d3a360e570616 Jason Gunthorpe 2021-04-06  541                   type->name, 
type->mbytes, mdev_state->pagecount);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  542  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  543          
mutex_init(&mdev_state->ops_lock);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  544          mdev_state->mdev = mdev;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  545          
INIT_LIST_HEAD(&mdev_state->dmabufs);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  546          mdev_state->next_id = 1;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  547  
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  548          mdev_state->type = type;
104c7405a64d93 Gerd Hoffmann   2018-09-21  549          
mdev_state->edid_regs.max_xres = type->max_x;
104c7405a64d93 Gerd Hoffmann   2018-09-21  550          
mdev_state->edid_regs.max_yres = type->max_y;
104c7405a64d93 Gerd Hoffmann   2018-09-21  551          
mdev_state->edid_regs.edid_offset = MBOCHS_EDID_BLOB_OFFSET;
104c7405a64d93 Gerd Hoffmann   2018-09-21  552          
mdev_state->edid_regs.edid_max_size = sizeof(mdev_state->edid_blob);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  553          
mbochs_create_config_space(mdev_state);
681c1615f89144 Jason Gunthorpe 2021-06-17  554          
mbochs_reset(mdev_state);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  555  
681c1615f89144 Jason Gunthorpe 2021-06-17  556          ret = 
vfio_register_group_dev(&mdev_state->vdev);
681c1615f89144 Jason Gunthorpe 2021-06-17  557          if (ret)
681c1615f89144 Jason Gunthorpe 2021-06-17  558                  goto err_mem;
681c1615f89144 Jason Gunthorpe 2021-06-17  559          
dev_set_drvdata(&mdev->dev, mdev_state);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  560          return 0;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  561  err_mem:
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  562          
kfree(mdev_state->pages);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  563          
kfree(mdev_state->vconfig);
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  564          kfree(mdev_state);
                                                              ^^^^^^^^^^
Freed

909fe1e3ec15f4 Jason Gunthorpe 2021-07-28  565  err_avail:
909fe1e3ec15f4 Jason Gunthorpe 2021-07-28 @566          
atomic_add(mdev_state->type->mbytes, &mbochs_avail_mbytes);
                                                                   ^^^^^^^^^^

This should just be:
        atomic_add(type->mbytes, &mbochs_avail_mbytes);

681c1615f89144 Jason Gunthorpe 2021-06-17  567          return ret;
a5e6e6505f38f7 Gerd Hoffmann   2018-05-11  568  }
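Review bot: The `err_avail:` label at line 565 is reached in two states in which `mdev_state` must not be touched at all — with a NULL pointer from the failed kzalloc at line 524, and with a freed pointer by falling through from `err_mem:` after the `kfree(mdev_state)` at line 564 — and nothing in the code says so; a comment on the label would keep a later change from reintroducing the same bug, e.g. `/* mdev_state is NULL or already freed here; only locals may be used */`. The two smatch reports at line 566 appear to be that single defect seen from each of those two entry paths. The local `type` computed at lines 511–512 is the right thing to use there, because it is exactly the value whose `mbytes` the cmpxchg loop at lines 517–521 subtracted from `mbochs_avail_mbytes`, so the release in the error path matches the reservation independently of whether `mdev_state` was ever allocated.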

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org
