From: Paul Mackerras <paulus@xxxxxxxxx>
In kvm_alloc_linear we were using and deferencing ri after the
list_for_each_entry had come to the end of the list. In that
situation, ri is not really defined and probably points to the
list head. This will happen every time if the free_linears list
is empty, for instance. This led to a NULL pointer dereference
crash in memset on POWER7 while trying to allocate an HPT in the
case where no HPTs were preallocated.
This fixes it by using a separate variable for the return value
from the loop iterator.
Signed-off-by: Paul Mackerras <paulus@xxxxxxxxx>
Signed-off-by: Alexander Graf <agraf@xxxxxxx>
---
arch/powerpc/kvm/book3s_hv_builtin.c | 9 +++++----
1 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/arch/powerpc/kvm/book3s_hv_builtin.c b/arch/powerpc/kvm/book3s_hv_builtin.c
index bed1279..e1b60f5 100644
--- a/arch/powerpc/kvm/book3s_hv_builtin.c
+++ b/arch/powerpc/kvm/book3s_hv_builtin.c
@@ -173,9 +173,9 @@ static void __init kvm_linear_init_one(ulong size, int count, int type)
static struct kvmppc_linear_info *kvm_alloc_linear(int type)
{
- struct kvmppc_linear_info *ri;
+ struct kvmppc_linear_info *ri, *ret;
- ri = NULL;
+ ret = NULL;
spin_lock(&linear_lock);
list_for_each_entry(ri, &free_linears, list) {
if (ri->type != type)
@@ -183,11 +183,12 @@ static struct kvmppc_linear_info *kvm_alloc_linear(int type)
list_del(&ri->list);
atomic_inc(&ri->use_count);
+ memset(ri->base_virt, 0, ri->npages << PAGE_SHIFT);
+ ret = ri;
break;
}
spin_unlock(&linear_lock);
- memset(ri->base_virt, 0, ri->npages << PAGE_SHIFT);
- return ri;
+ return ret;
}
static void kvm_release_linear(struct kvmppc_linear_info *ri)
--
1.6.0.2
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
