Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7be0772d authored by Vitaly Kuznetsov's avatar Vitaly Kuznetsov Committed by David Vrabel
Browse files

x86/xen: avoid freeing static 'name' when kasprintf() fails 



In case kasprintf() fails in xen_setup_timer() we assign name to the
static string "<timer kasprintf failed>". We, however, don't check
that fact before issuing kfree() in xen_teardown_timer(), kernel is
supposed to crash with 'kernel BUG at mm/slub.c:3341!'

Solve the issue by making name a fixed length string inside struct
xen_clock_event_device. 16 bytes should be enough.

Suggested-by: default avatarLaszlo Ersek <lersek@redhat.com>
Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
parent a97dae1a

arch/x86/xen/time.c

+5 −11
Original line number Diff line number Diff line
@@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent = 


struct xen_clock_event_device {

	struct clock_event_device evt;

	char *name;

	char name[16];

};

static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
@@ -420,39 +420,33 @@ void xen_teardown_timer(int cpu) 
	if (evt->irq >= 0) {

		unbind_from_irqhandler(evt->irq, NULL);

		evt->irq = -1;

		kfree(per_cpu(xen_clock_events, cpu).name);

		per_cpu(xen_clock_events, cpu).name = NULL;

	}

}



void xen_setup_timer(int cpu)

{

	char *name;

	struct clock_event_device *evt;

	struct xen_clock_event_device *xevt = &per_cpu(xen_clock_events, cpu);

	struct clock_event_device *evt = &xevt->evt;

	int irq;



	evt = &per_cpu(xen_clock_events, cpu).evt;

	WARN(evt->irq >= 0, "IRQ%d for CPU%d is already allocated\n", evt->irq, cpu);

	if (evt->irq >= 0)

		xen_teardown_timer(cpu);



	printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);



	name = kasprintf(GFP_KERNEL, "timer%d", cpu);

	if (!name)

		name = "<timer kasprintf failed>";

	snprintf(xevt->name, sizeof(xevt->name), "timer%d", cpu);



	irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt,

				      IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER|

				      IRQF_FORCE_RESUME|IRQF_EARLY_RESUME,

				      name, NULL);

				      xevt->name, NULL);

	(void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX);



	memcpy(evt, xen_clockevent, sizeof(*evt));



	evt->cpumask = cpumask_of(cpu);

	evt->irq = irq;

	per_cpu(xen_clock_events, cpu).name = name;

}