
[xen staging] dt-overlay: Fix NULL pointer dereference



commit 95f2a5656e65010ee86afd2ac3ad072cdf36a97a
Author:     Michal Orzel <michal.orzel@xxxxxxx>
AuthorDate: Fri Oct 4 14:22:15 2024 +0200
Commit:     Julien Grall <jgrall@xxxxxxxxxx>
CommitDate: Thu Oct 10 16:18:56 2024 +0100

    dt-overlay: Fix NULL pointer dereference
    
    Attempt to attach an overlay (xl dt-overlay attach) to a domain without
    first adding this overlay to Xen (xl dt-overlay add) results in an
    overlay track entry being NULL in handle_attach_overlay_nodes(). This
    leads to NULL pointer dereference and the following data abort crash:
    
    (XEN) Cannot find any matching tracker with input dtbo. Operation is supported only for prior added dtbo.
    (XEN) Data Abort Trap. Syndrome=0x5
    (XEN) Walking Hypervisor VA 0x40 on CPU0 via TTBR 0x0000000046948000
    (XEN) 0TH[0x000] = 0x46940f7f
    (XEN) 1ST[0x000] = 0x0
    (XEN) CPU0: Unexpected Trap: Data Abort
    (XEN) ----[ Xen-4.20-unstable  arm64  debug=y  Not tainted ]----
    ...
    (XEN) Xen call trace:
    (XEN)    [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (PC)
    (XEN)    [<00000a0000208b30>] dt_overlay_domctl+0x304/0x370 (LR)
    (XEN)    [<00000a0000274b7c>] arch_do_domctl+0x48/0x328
    
    Fixes: 4c733873b5c2 ("xen/arm: Add XEN_DOMCTL_dt_overlay and device attachment to domains")
    Signed-off-by: Michal Orzel <michal.orzel@xxxxxxx>
    Reviewed-by: Stefano Stabellini <sstabellini@xxxxxxxxxx>
---
 xen/common/dt-overlay.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/xen/common/dt-overlay.c b/xen/common/dt-overlay.c
index d53b4706cd..8606b14d1e 100644
--- a/xen/common/dt-overlay.c
+++ b/xen/common/dt-overlay.c
@@ -908,8 +908,11 @@ static long handle_attach_overlay_nodes(struct domain *d,
  out:
     spin_unlock(&overlay_lock);
 
-    rangeset_destroy(entry->irq_ranges);
-    rangeset_destroy(entry->iomem_ranges);
+    if ( entry )
+    {
+        rangeset_destroy(entry->irq_ranges);
+        rangeset_destroy(entry->iomem_ranges);
+    }
 
     return rc;
 }
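Review bot: The new `if ( entry )` block still dereferences entry after `spin_unlock(&overlay_lock)` at the out: label, so `entry->irq_ranges` and `entry->iomem_ranges` are read and destroyed without the lock held. If overlay_lock is what protects the tracker entry, consider moving the guarded block above the unlock, or add a comment saying why the access is safe once the lock is dropped. The two pointers are also left unchanged in entry after `rangeset_destroy()`; if the entry outlives this call, setting both to NULL inside the same block would keep a later pass through this path from handing an already destroyed rangeset to `rangeset_destroy()` again. Finally, a one-line comment above the check noting that entry is NULL when no matching tracker was found would document why the guard is there.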
--
generated by git-patchbot for /home/xen/git/xen.git#staging