[Skiboot] [PATCH 2/9] npu2: Fix possible NULL dereference

Cyril Bur cyril.bur at au1.ibm.com
Mon Mar 19 15:54:13 AEDT 2018 

The follow pattern exists in several npu2 functions:
	struct phb *phb = pci_get_phb(phb_id);
	struct npu2 *p = phb_to_npu2_nvlink(phb);

The problem is that pci_get_phb() can return NULL and
phb_to_npu2_nvlink() dereferences its parameter. Coverity says that the
return value of pci_get_phb() is checked 43 out of 46 times which
suggests we should be more careful.

Futhurmore, functions with the baddly placed call to
phb_to_npu2_nvlink() do seem to check that the return value of
pci_get_phb() isn't NULL, but this check would be too little too late.

This patch just moves the call of phb_to_npu2_nvlink() to after the
NULL check for the return value of pci_get_phb().

Affected functions are:
opal_npu_map_lpar()
opal_npu_init_context()
opal_npu_destroy_context()

Fixes: CID 264274, 264273, 264272, 264271, 264266, 264265
Signed-off-by: Cyril Bur <cyril.bur at au1.ibm.com>
---
 hw/npu2.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/hw/npu2.c b/hw/npu2.c
index 83804fce..e7d76a4d 100644
--- a/hw/npu2.c
+++ b/hw/npu2.c
@@ -1966,7 +1966,7 @@ static int64_t opal_npu_init_context(uint64_t phb_id, int pasid __unused,
 				     uint64_t msr, uint64_t bdf)
 {
 	struct phb *phb = pci_get_phb(phb_id);
-	struct npu2 *p = phb_to_npu2_nvlink(phb);
+	struct npu2 *p;
 	uint64_t xts_bdf, old_xts_bdf_pid, xts_bdf_pid;
 	int id;
 
@@ -1983,6 +1983,7 @@ static int64_t opal_npu_init_context(uint64_t phb_id, int pasid __unused,
 	/*
 	 * Need to get LPARSHORT.
 	 */
+	p = phb_to_npu2_nvlink(phb);
 	lock(&p->lock);
 	xts_bdf = SETFIELD(NPU2_XTS_BDF_MAP_BDF, 0ul, bdf);
 	if (npu_table_search(p, NPU2_XTS_BDF_MAP, 8, NPU2_XTS_BDF_MAP_SIZE,
@@ -2044,13 +2045,14 @@ static int opal_npu_destroy_context(uint64_t phb_id, uint64_t pid __unused,
 				    uint64_t bdf)
 {
 	struct phb *phb = pci_get_phb(phb_id);
-	struct npu2 *p = phb_to_npu2_nvlink(phb);
+	struct npu2 *p;
 	uint64_t xts_bdf;
 	int rc = 0;
 
 	if (!phb || phb->phb_type != phb_type_npu_v2)
 		return OPAL_PARAMETER;
 
+	p = phb_to_npu2_nvlink(phb);
 	lock(&p->lock);
 
 	/* Need to find lparshort for this bdf */
@@ -2078,7 +2080,7 @@ static int opal_npu_map_lpar(uint64_t phb_id, uint64_t bdf, uint64_t lparid,
 			     uint64_t lpcr)
 {
 	struct phb *phb = pci_get_phb(phb_id);
-	struct npu2 *p = phb_to_npu2_nvlink(phb);
+	struct npu2 *p;
 	struct npu2_dev *ndev = NULL;
 	uint64_t xts_bdf_lpar, rc = OPAL_SUCCESS;
 	int i;
@@ -2093,6 +2095,7 @@ static int opal_npu_map_lpar(uint64_t phb_id, uint64_t bdf, uint64_t lparid,
 		 * future. */
 		return OPAL_UNSUPPORTED;
 
+	p = phb_to_npu2_nvlink(phb);
 	lock(&p->lock);
 
 	/* Find any existing entries and update them */
-- 
2.16.2

More information about the Skiboot mailing list