On Wed, Feb 15, 2017 at 02:40:04PM +1100, David Gibson wrote: > resize_hpt_release(), called once the HPT resize of a KVM guest is > completed (successfully or unsuccessfully) free()s the state structure for > the resize. It is currently not safe to call with a NULL pointer. > > However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can > invoke it with a NULL pointer. This will occur if userspace improperly > invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling > KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an > intervening PREPARE. > > To fix this potential crash bug - and maybe others like it, make it safe > (and a no-op) to call resize_hpt_release() with a NULL resize pointer. > > Found by Dan Carpenter with a static checker. > > Reported-by: Dan Carpenter <[email protected]> > Signed-off-by: David Gibson <[email protected]>
Ping,
Paul have you taken this one?
> ---
> arch/powerpc/kvm/book3s_64_mmu_hv.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c
> b/arch/powerpc/kvm/book3s_64_mmu_hv.c
> index 013552f..72ccac2 100644
> --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
> @@ -1407,6 +1407,9 @@ static void resize_hpt_release(struct kvm *kvm, struct
> kvm_resize_hpt *resize)
> {
> BUG_ON(kvm->arch.resize_hpt != resize);
>
> + if (!resize)
> + return;
> +
> if (resize->hpt.virt)
> kvmppc_free_hpt(&resize->hpt);
>
--
David Gibson | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au | minimalist, thank you. NOT _the_ _other_
| _way_ _around_!
http://www.ozlabs.org/~dgibson
signature.asc
Description: PGP signature
