[bug report] vhost: vhost TX zero-copy support


 



Hello Michael S. Tsirkin,

The patch bab632d69ee4: "vhost: vhost TX zero-copy support" from Jul
18, 2011, leads to the following static checker warning:

	drivers/vhost/net.c:1227 vhost_net_set_backend()
	warn: 'sock' can also be NULL

drivers/vhost/net.c
  1144  static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
  1145  {
  1146          struct socket *sock, *oldsock;
  1147          struct vhost_virtqueue *vq;
  1148          struct vhost_net_virtqueue *nvq;
  1149          struct vhost_net_ubuf_ref *ubufs, *oldubufs = NULL;
  1150          int r;
  1151  
  1152          mutex_lock(&n->dev.mutex);
  1153          r = vhost_dev_check_owner(&n->dev);
  1154          if (r)
  1155                  goto err;
  1156  
  1157          if (index >= VHOST_NET_VQ_MAX) {
  1158                  r = -ENOBUFS;
  1159                  goto err;
  1160          }
  1161          vq = &n->vqs[index].vq;
  1162          nvq = &n->vqs[index];
  1163          mutex_lock(&vq->mutex);
  1164  
  1165          /* Verify that ring has been setup correctly. */
  1166          if (!vhost_vq_access_ok(vq)) {
  1167                  r = -EFAULT;
  1168                  goto err_vq;
  1169          }
  1170          sock = get_socket(fd);
                ^^^^^^^^^^^^^^^^^^^^^
"fd" is the userspace-supplied value from the ioctl (the VHOST_NET_SET_BACKEND path, judging by the function name), and passing -1 makes get_socket() return NULL rather than an ERR_PTR, so the IS_ERR() check directly below lets a NULL sock through. That is an expected input, not a malformed one: the code itself anticipates a NULL sock a few lines later (the `sock && vhost_sock_zcopy(sock)` guard at 1180), so the error paths must tolerate it as well.

  1171          if (IS_ERR(sock)) {
  1172                  r = PTR_ERR(sock);
  1173                  goto err_vq;
  1174          }
  1175  
  1176          /* start polling new socket */
  1177          oldsock = vq->private_data;
  1178          if (sock != oldsock) {
  1179                  ubufs = vhost_net_ubuf_alloc(vq,
  1180                                               sock && vhost_sock_zcopy(sock));
  1181                  if (IS_ERR(ubufs)) {
  1182                          r = PTR_ERR(ubufs);
  1183                          goto err_ubufs;
                                ^^^^^^^^^^^^^^^
It leads to a NULL dereference in the error handling code: the err_ubufs label (below the excerpt) presumably releases `sock` via sockfd_put()/fput(sock->file) without a NULL check. Two caveats: with a NULL sock the zcopy flag handed to vhost_net_ubuf_alloc() is false, so whether this particular IS_ERR(ubufs) branch can fire for fd == -1 depends on whether the allocator can fail when zcopy is off; but any later `goto err_ubufs` (or a label that falls through into it) after sock has been validated hits the same unchecked put. Since this ioctl is reachable by whichever process owns the vhost device (the only gate is vhost_dev_check_owner() at 1153), an unchecked NULL here is a user-triggerable kernel oops on a detach-with-error path; the fix is to guard the release with `if (sock)` rather than assume err_ubufs is only reached with a valid socket.

  1184                  }
  1185  

regards,
dan carpenter



