Commit cc9c4f0b authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-linus-6.8a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip 

Pull xen fixes from Juergen Gross:
 "Fixes and simple cleanups:

   - use a proper flexible array instead of a one-element array in order
     to avoid array-bounds sanitizer errors

   - add NULL pointer checks after allocating memory

   - use memdup_array_user() instead of open-coding it

   - fix a rare race condition in Xen event channel allocation code

   - make struct bus_type instances const

   - make kerneldoc inline comments match reality"

* tag 'for-linus-6.8a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/events: close evtchn after mapping cleanup
  xen/gntalloc: Replace UAPI 1-element array
  xen: balloon: make balloon_subsys const
  xen: pcpu: make xen_pcpu_subsys const
  xen/privcmd: Use memdup_array_user() in alloc_ioreq()
  x86/xen: Add some null pointer checking to smp.c
  xen/xenbus: document will_handle argument for xenbus_watch_path()
parents 68fb3ca0 fa765c4b

arch/x86/xen/smp.c

+12 −0
Original line number Diff line number Diff line
@@ -65,6 +65,8 @@ int xen_smp_intr_init(unsigned int cpu) 
	char *resched_name, *callfunc_name, *debug_name;



	resched_name = kasprintf(GFP_KERNEL, "resched%d", cpu);

	if (!resched_name)

		goto fail_mem;

	per_cpu(xen_resched_irq, cpu).name = resched_name;

	rc = bind_ipi_to_irqhandler(XEN_RESCHEDULE_VECTOR,

				    cpu,
@@ -77,6 +79,8 @@ int xen_smp_intr_init(unsigned int cpu) 
	per_cpu(xen_resched_irq, cpu).irq = rc;



	callfunc_name = kasprintf(GFP_KERNEL, "callfunc%d", cpu);

	if (!callfunc_name)

		goto fail_mem;

	per_cpu(xen_callfunc_irq, cpu).name = callfunc_name;

	rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_VECTOR,

				    cpu,
@@ -90,6 +94,9 @@ int xen_smp_intr_init(unsigned int cpu) 


	if (!xen_fifo_events) {

		debug_name = kasprintf(GFP_KERNEL, "debug%d", cpu);

		if (!debug_name)

			goto fail_mem;



		per_cpu(xen_debug_irq, cpu).name = debug_name;

		rc = bind_virq_to_irqhandler(VIRQ_DEBUG, cpu,

					     xen_debug_interrupt,
@@ -101,6 +108,9 @@ int xen_smp_intr_init(unsigned int cpu) 
	}



	callfunc_name = kasprintf(GFP_KERNEL, "callfuncsingle%d", cpu);

	if (!callfunc_name)

		goto fail_mem;



	per_cpu(xen_callfuncsingle_irq, cpu).name = callfunc_name;

	rc = bind_ipi_to_irqhandler(XEN_CALL_FUNCTION_SINGLE_VECTOR,

				    cpu,
@@ -114,6 +124,8 @@ int xen_smp_intr_init(unsigned int cpu) 


	return 0;



 fail_mem:

	rc = -ENOMEM;

 fail:

	xen_smp_intr_free(cpu);

	return rc;

drivers/xen/events/events_base.c

+6 −2
Original line number Diff line number Diff line
@@ -923,8 +923,8 @@ static void shutdown_pirq(struct irq_data *data) 
		return;



	do_mask(info, EVT_MASK_REASON_EXPLICIT);

	xen_evtchn_close(evtchn);

	xen_irq_info_cleanup(info);

	xen_evtchn_close(evtchn);

}



static void enable_pirq(struct irq_data *data)
@@ -956,6 +956,7 @@ EXPORT_SYMBOL_GPL(xen_irq_from_gsi); 
static void __unbind_from_irq(struct irq_info *info, unsigned int irq)

{

	evtchn_port_t evtchn;

	bool close_evtchn = false;



	if (!info) {

		xen_irq_free_desc(irq);
@@ -975,7 +976,7 @@ static void __unbind_from_irq(struct irq_info *info, unsigned int irq) 
		struct xenbus_device *dev;



		if (!info->is_static)

			xen_evtchn_close(evtchn);

			close_evtchn = true;



		switch (info->type) {

		case IRQT_VIRQ:
@@ -995,6 +996,9 @@ static void __unbind_from_irq(struct irq_info *info, unsigned int irq) 
		}



		xen_irq_info_cleanup(info);



		if (close_evtchn)

			xen_evtchn_close(evtchn);

	}



	xen_free_irq(info);

drivers/xen/gntalloc.c

+1 −1
Original line number Diff line number Diff line
@@ -317,7 +317,7 @@ static long gntalloc_ioctl_alloc(struct gntalloc_file_private_data *priv, 
		rc = -EFAULT;

		goto out_free;

	}

	if (copy_to_user(arg->gref_ids, gref_ids,

	if (copy_to_user(arg->gref_ids_flex, gref_ids,

			sizeof(gref_ids[0]) * op.count)) {

		rc = -EFAULT;

		goto out_free;

drivers/xen/pcpu.c

+1 −1
Original line number Diff line number Diff line
@@ -65,7 +65,7 @@ struct pcpu { 
	uint32_t flags;

};



static struct bus_type xen_pcpu_subsys = {

static const struct bus_type xen_pcpu_subsys = {

	.name = "xen_cpu",

	.dev_name = "xen_cpu",

};

drivers/xen/privcmd.c

+5 −10
Original line number Diff line number Diff line
@@ -1223,18 +1223,13 @@ struct privcmd_kernel_ioreq *alloc_ioreq(struct privcmd_ioeventfd *ioeventfd) 
	kioreq->ioreq = (struct ioreq *)(page_to_virt(pages[0]));

	mmap_write_unlock(mm);



	size = sizeof(*ports) * kioreq->vcpus;

	ports = kzalloc(size, GFP_KERNEL);

	if (!ports) {

		ret = -ENOMEM;

	ports = memdup_array_user(u64_to_user_ptr(ioeventfd->ports),

				  kioreq->vcpus, sizeof(*ports));

	if (IS_ERR(ports)) {

		ret = PTR_ERR(ports);

		goto error_kfree;

	}



	if (copy_from_user(ports, u64_to_user_ptr(ioeventfd->ports), size)) {

		ret = -EFAULT;

		goto error_kfree_ports;

	}



	for (i = 0; i < kioreq->vcpus; i++) {

		kioreq->ports[i].vcpu = i;

		kioreq->ports[i].port = ports[i];
@@ -1256,7 +1251,7 @@ struct privcmd_kernel_ioreq *alloc_ioreq(struct privcmd_ioeventfd *ioeventfd) 
error_unbind:

	while (--i >= 0)

		unbind_from_irqhandler(irq_from_evtchn(ports[i]), &kioreq->ports[i]);

error_kfree_ports:



	kfree(ports);

error_kfree:

	kfree(kioreq);