authorCyril Bur <cyril.bur@au1.ibm.com>2018-03-19 15:54:13 +1100
committerStewart Smith <stewart@linux.vnet.ibm.com>2018-03-27 14:51:38 +1100
commitf4f88196aec7a4c30e190bfbfe768cfc7e69aee6 (patch)
tree6fcd551f39f27a31001a0ba00aa98ab5222d3fc0
parent5630c819b3cbf37997d8b4033d142adf9c7703f5 (diff)
npu2: Fix possible NULL dereference
The following pattern exists in several npu2 functions: struct phb *phb = pci_get_phb(phb_id); struct npu2 *p = phb_to_npu2_nvlink(phb); The problem is that pci_get_phb() can return NULL and phb_to_npu2_nvlink() dereferences its parameter. Coverity says that the return value of pci_get_phb() is checked 43 out of 46 times, which suggests we should be more careful. Furthermore, functions with the badly placed call to phb_to_npu2_nvlink() do seem to check that the return value of pci_get_phb() isn't NULL, but this check would be too little too late. This patch just moves the call of phb_to_npu2_nvlink() to after the NULL check for the return value of pci_get_phb(). Affected functions are: opal_npu_map_lpar() opal_npu_init_context() opal_npu_destroy_context() Fixes: CID 264274, 264273, 264272, 264271, 264266, 264265 Signed-off-by: Cyril Bur <cyril.bur@au1.ibm.com> Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
-rw-r--r--hw/npu2.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/hw/npu2.c b/hw/npu2.c
index a0cf41f..70bbc04 100644
--- a/hw/npu2.c
+++ b/hw/npu2.c
@@ -1954,7 +1954,7 @@ static int64_t opal_npu_init_context(uint64_t phb_id, int pasid __unused,
uint64_t msr, uint64_t bdf)
{
struct phb *phb = pci_get_phb(phb_id);
- struct npu2 *p = phb_to_npu2_nvlink(phb);
+ struct npu2 *p;
uint64_t xts_bdf, old_xts_bdf_pid, xts_bdf_pid;
int id;
@@ -1971,6 +1971,7 @@ static int64_t opal_npu_init_context(uint64_t phb_id, int pasid __unused,
/*
* Need to get LPARSHORT.
*/
+ p = phb_to_npu2_nvlink(phb);
lock(&p->lock);
xts_bdf = SETFIELD(NPU2_XTS_BDF_MAP_BDF, 0ul, bdf);
if (npu_table_search(p, NPU2_XTS_BDF_MAP, 8, NPU2_XTS_BDF_MAP_SIZE,
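Review bot: The new `p = phb_to_npu2_nvlink(phb);` sits between the "Need to get LPARSHORT" comment and the lock/search that comment describes, and nothing on the line records that it must stay below the `phb` validation. The guard itself is outside this hunk, so the ordering cannot be confirmed from here; the body of opal_npu_init_context() starts and ends outside it. I would move the assignment above the comment block and mark the constraint, e.g. `/* phb validated above: phb_to_npu2_nvlink() dereferences it */`. The same one-line comment would help at the matching assignment in opal_npu_map_lpar(), in the last hunk.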
@@ -2032,13 +2033,14 @@ static int opal_npu_destroy_context(uint64_t phb_id, uint64_t pid __unused,
uint64_t bdf)
{
struct phb *phb = pci_get_phb(phb_id);
- struct npu2 *p = phb_to_npu2_nvlink(phb);
+ struct npu2 *p;
uint64_t xts_bdf;
int rc = 0;
if (!phb || phb->phb_type != phb_type_npu_v2)
return OPAL_PARAMETER;
+ p = phb_to_npu2_nvlink(phb);
lock(&p->lock);
/* Need to find lparshort for this bdf */
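Review bot: The lookup, the NULL/type guard and the `phb_to_npu2_nvlink()` conversion remain three separate statements, so each OPAL handler still has to keep them in the right order by hand. That ordering is exactly what was wrong in the three functions this commit touches. Because `phb_id` is presumably supplied by the caller of the OPAL call, a single helper that returns the `struct npu2 *` or NULL would keep the check and the dereferencing conversion together. The helper name below is only a suggestion. Whether `phb` is used later in opal_npu_destroy_context() is not visible in this hunk, and the other two handlers may need additional checks of their own.

```c
/* Resolve an OPAL phb_id to its npu2, or NULL if it is not an NVLink2 NPU PHB. */
static struct npu2 *npu2_nvlink_from_phb_id(uint64_t phb_id)
{
	struct phb *phb = pci_get_phb(phb_id);

	if (!phb || phb->phb_type != phb_type_npu_v2)
		return NULL;
	return phb_to_npu2_nvlink(phb);
}

/* in opal_npu_destroy_context(): */
	struct npu2 *p = npu2_nvlink_from_phb_id(phb_id);
	/* … unchanged: xts_bdf and rc declarations … */
	if (!p)
		return OPAL_PARAMETER;
	lock(&p->lock);
```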
@@ -2066,7 +2068,7 @@ static int opal_npu_map_lpar(uint64_t phb_id, uint64_t bdf, uint64_t lparid,
uint64_t lpcr)
{
struct phb *phb = pci_get_phb(phb_id);
- struct npu2 *p = phb_to_npu2_nvlink(phb);
+ struct npu2 *p;
struct npu2_dev *ndev = NULL;
uint64_t xts_bdf_lpar, rc = OPAL_SUCCESS;
int i;
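Review bot: `rc` is declared `uint64_t` on the context line `uint64_t xts_bdf_lpar, rc = OPAL_SUCCESS;`, but opal_npu_map_lpar() is declared `static int` in the hunk header. If `rc` is what the function returns (the return statement is outside this hunk), OPAL status codes pass through an unsigned 64-bit value and are then narrowed to `int`. A signed declaration on its own line, `int64_t rc = OPAL_SUCCESS;`, would avoid that. It would also be worth aligning the return type with opal_npu_init_context(), which is declared `int64_t` while this function and opal_npu_destroy_context() use `int`.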
@@ -2081,6 +2083,7 @@ static int opal_npu_map_lpar(uint64_t phb_id, uint64_t bdf, uint64_t lparid,
* future. */
return OPAL_UNSUPPORTED;
+ p = phb_to_npu2_nvlink(phb);
lock(&p->lock);
/* Find any existing entries and update them */