aboutsummaryrefslogtreecommitdiffstats
path: root/arch/x86/xen
diff options
context:
space:
mode:
authorVitaly Kuznetsov <vkuznets@redhat.com>2015-01-05 10:27:51 -0500
committerDavid Vrabel <david.vrabel@citrix.com>2015-01-08 08:55:25 -0500
commit7be0772d19103b3eac3c2e9ac325df2563273fdc (patch)
tree649728c76fed0d5e0a9766971d9f3376f8eea785 /arch/x86/xen
parenta97dae1a2e92e728d28515e88e8eda151f5796f5 (diff)
x86/xen: avoid freeing static 'name' when kasprintf() fails
In case kasprintf() fails in xen_setup_timer() we assign name to the static string "<timer kasprintf failed>". We, however, don't check that fact before issuing kfree() in xen_teardown_timer(), kernel is supposed to crash with 'kernel BUG at mm/slub.c:3341!' Solve the issue by making name a fixed length string inside struct xen_clock_event_device. 16 bytes should be enough. Suggested-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com> Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Diffstat (limited to 'arch/x86/xen')
-rw-r--r--arch/x86/xen/time.c16
1 files changed, 5 insertions, 11 deletions
diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c
index 23019b483908..69087341d9ae 100644
--- a/arch/x86/xen/time.c
+++ b/arch/x86/xen/time.c
@@ -391,7 +391,7 @@ static const struct clock_event_device *xen_clockevent =
391 391
392struct xen_clock_event_device { 392struct xen_clock_event_device {
393 struct clock_event_device evt; 393 struct clock_event_device evt;
394 char *name; 394 char name[16];
395}; 395};
396static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 }; 396static DEFINE_PER_CPU(struct xen_clock_event_device, xen_clock_events) = { .evt.irq = -1 };
397 397
@@ -420,39 +420,33 @@ void xen_teardown_timer(int cpu)
420 if (evt->irq >= 0) { 420 if (evt->irq >= 0) {
421 unbind_from_irqhandler(evt->irq, NULL); 421 unbind_from_irqhandler(evt->irq, NULL);
422 evt->irq = -1; 422 evt->irq = -1;
423 kfree(per_cpu(xen_clock_events, cpu).name);
424 per_cpu(xen_clock_events, cpu).name = NULL;
425 } 423 }
426} 424}
427 425
428void xen_setup_timer(int cpu) 426void xen_setup_timer(int cpu)
429{ 427{
430 char *name; 428 struct xen_clock_event_device *xevt = &per_cpu(xen_clock_events, cpu);
431 struct clock_event_device *evt; 429 struct clock_event_device *evt = &xevt->evt;
432 int irq; 430 int irq;
433 431
434 evt = &per_cpu(xen_clock_events, cpu).evt;
435 WARN(evt->irq >= 0, "IRQ%d for CPU%d is already allocated\n", evt->irq, cpu); 432 WARN(evt->irq >= 0, "IRQ%d for CPU%d is already allocated\n", evt->irq, cpu);
436 if (evt->irq >= 0) 433 if (evt->irq >= 0)
437 xen_teardown_timer(cpu); 434 xen_teardown_timer(cpu);
438 435
439 printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu); 436 printk(KERN_INFO "installing Xen timer for CPU %d\n", cpu);
440 437
441 name = kasprintf(GFP_KERNEL, "timer%d", cpu); 438 snprintf(xevt->name, sizeof(xevt->name), "timer%d", cpu);
442 if (!name)
443 name = "<timer kasprintf failed>";
444 439
445 irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt, 440 irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt,
446 IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER| 441 IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER|
447 IRQF_FORCE_RESUME|IRQF_EARLY_RESUME, 442 IRQF_FORCE_RESUME|IRQF_EARLY_RESUME,
448 name, NULL); 443 xevt->name, NULL);
449 (void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX); 444 (void)xen_set_irq_priority(irq, XEN_IRQ_PRIORITY_MAX);
450 445
451 memcpy(evt, xen_clockevent, sizeof(*evt)); 446 memcpy(evt, xen_clockevent, sizeof(*evt));
452 447
453 evt->cpumask = cpumask_of(cpu); 448 evt->cpumask = cpumask_of(cpu);
454 evt->irq = irq; 449 evt->irq = irq;
455 per_cpu(xen_clock_events, cpu).name = name;
456} 450}
457 451
458 452
generated by cgit v1.2.2 (git 2.25.0) at 2025-02-01 20:30:41 -0500