Re: [PATCH] mshv: Introduce tracing support

From: Dan Carpenter

Date: Fri Feb 27 2026 - 03:11:16 EST


Hi Stanislav,

kernel test robot noticed the following build warnings:

(base tree information: https://git-scm.com/docs/git-format-patch#_base_tree_information)

url: https://github.com/intel-lab-lkp/linux/commits/Stanislav-Kinsburskii/mshv-Introduce-tracing-support/20260227-031942
base: linus/master
patch link: https://lore.kernel.org/r/177213348504.92223.5330421592610811972.stgit%40skinsburskii-cloud-desktop.internal.cloudapp.net
patch subject: [PATCH] mshv: Introduce tracing support
config: x86_64-randconfig-161-20260227 (https://download.01.org/0day-ci/archive/20260227/202602271528.jLhA59mn-lkp@xxxxxxxxx/config)
compiler: gcc-14 (Debian 14.2.0-19) 14.2.0
smatch version: v0.5.0-8994-gd50c5a4c

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
| Closes: https://lore.kernel.org/r/202602271528.jLhA59mn-lkp@xxxxxxxxx/

New smatch warnings:
drivers/hv/mshv_root_main.c:1177 mshv_partition_ioctl_create_vp() error: we previously assumed 'vp' could be null (see line 1110)
drivers/hv/mshv_root_main.c:1177 mshv_partition_ioctl_create_vp() error: dereferencing freed memory 'vp' (line 1157)

vim +/vp +1177 drivers/hv/mshv_root_main.c

621191d709b148 Nuno Das Neves 2025-03-14 1057 static long
621191d709b148 Nuno Das Neves 2025-03-14 1058 mshv_partition_ioctl_create_vp(struct mshv_partition *partition,
621191d709b148 Nuno Das Neves 2025-03-14 1059 void __user *arg)
621191d709b148 Nuno Das Neves 2025-03-14 1060 {
621191d709b148 Nuno Das Neves 2025-03-14 1061 struct mshv_create_vp args;
621191d709b148 Nuno Das Neves 2025-03-14 1062 struct mshv_vp *vp;
19c515c27cee3b Jinank Jain 2025-10-10 1063 struct page *intercept_msg_page, *register_page, *ghcb_page;
2de4516aa8f726 Stanislav Kinsburskii 2026-01-28 1064 struct hv_stats_page *stats_pages[2];
621191d709b148 Nuno Das Neves 2025-03-14 1065 long ret;
621191d709b148 Nuno Das Neves 2025-03-14 1066
621191d709b148 Nuno Das Neves 2025-03-14 1067 if (copy_from_user(&args, arg, sizeof(args)))
621191d709b148 Nuno Das Neves 2025-03-14 1068 return -EFAULT;
621191d709b148 Nuno Das Neves 2025-03-14 1069
621191d709b148 Nuno Das Neves 2025-03-14 1070 if (args.vp_index >= MSHV_MAX_VPS)
621191d709b148 Nuno Das Neves 2025-03-14 1071 return -EINVAL;
621191d709b148 Nuno Das Neves 2025-03-14 1072
621191d709b148 Nuno Das Neves 2025-03-14 1073 if (partition->pt_vp_array[args.vp_index])
621191d709b148 Nuno Das Neves 2025-03-14 1074 return -EEXIST;
621191d709b148 Nuno Das Neves 2025-03-14 1075
621191d709b148 Nuno Das Neves 2025-03-14 1076 ret = hv_call_create_vp(NUMA_NO_NODE, partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1077 0 /* Only valid for root partition VPs */);
621191d709b148 Nuno Das Neves 2025-03-14 1078 if (ret)
621191d709b148 Nuno Das Neves 2025-03-14 1079 return ret;
621191d709b148 Nuno Das Neves 2025-03-14 1080
19c515c27cee3b Jinank Jain 2025-10-10 1081 ret = hv_map_vp_state_page(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1082 HV_VP_STATE_PAGE_INTERCEPT_MESSAGE,
19c515c27cee3b Jinank Jain 2025-10-10 1083 input_vtl_zero, &intercept_msg_page);
621191d709b148 Nuno Das Neves 2025-03-14 1084 if (ret)
621191d709b148 Nuno Das Neves 2025-03-14 1085 goto destroy_vp;
621191d709b148 Nuno Das Neves 2025-03-14 1086
621191d709b148 Nuno Das Neves 2025-03-14 1087 if (!mshv_partition_encrypted(partition)) {
19c515c27cee3b Jinank Jain 2025-10-10 1088 ret = hv_map_vp_state_page(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1089 HV_VP_STATE_PAGE_REGISTERS,
19c515c27cee3b Jinank Jain 2025-10-10 1090 input_vtl_zero, &register_page);
621191d709b148 Nuno Das Neves 2025-03-14 1091 if (ret)
621191d709b148 Nuno Das Neves 2025-03-14 1092 goto unmap_intercept_message_page;
621191d709b148 Nuno Das Neves 2025-03-14 1093 }
621191d709b148 Nuno Das Neves 2025-03-14 1094
621191d709b148 Nuno Das Neves 2025-03-14 1095 if (mshv_partition_encrypted(partition) &&
621191d709b148 Nuno Das Neves 2025-03-14 1096 is_ghcb_mapping_available()) {
19c515c27cee3b Jinank Jain 2025-10-10 1097 ret = hv_map_vp_state_page(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1098 HV_VP_STATE_PAGE_GHCB,
19c515c27cee3b Jinank Jain 2025-10-10 1099 input_vtl_normal, &ghcb_page);
621191d709b148 Nuno Das Neves 2025-03-14 1100 if (ret)
621191d709b148 Nuno Das Neves 2025-03-14 1101 goto unmap_register_page;
621191d709b148 Nuno Das Neves 2025-03-14 1102 }
621191d709b148 Nuno Das Neves 2025-03-14 1103
621191d709b148 Nuno Das Neves 2025-03-14 1104 ret = mshv_vp_stats_map(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1105 stats_pages);
621191d709b148 Nuno Das Neves 2025-03-14 1106 if (ret)
621191d709b148 Nuno Das Neves 2025-03-14 1107 goto unmap_ghcb_page;
621191d709b148 Nuno Das Neves 2025-03-14 1108
bf4afc53b77aea Linus Torvalds 2026-02-21 1109 vp = kzalloc_obj(*vp);
621191d709b148 Nuno Das Neves 2025-03-14 @1110 if (!vp)
621191d709b148 Nuno Das Neves 2025-03-14 1111 goto unmap_stats_pages;

vp is NULL

621191d709b148 Nuno Das Neves 2025-03-14 1112
621191d709b148 Nuno Das Neves 2025-03-14 1113 vp->vp_partition = mshv_partition_get(partition);
621191d709b148 Nuno Das Neves 2025-03-14 1114 if (!vp->vp_partition) {
621191d709b148 Nuno Das Neves 2025-03-14 1115 ret = -EBADF;
621191d709b148 Nuno Das Neves 2025-03-14 1116 goto free_vp;
621191d709b148 Nuno Das Neves 2025-03-14 1117 }
621191d709b148 Nuno Das Neves 2025-03-14 1118
621191d709b148 Nuno Das Neves 2025-03-14 1119 mutex_init(&vp->vp_mutex);
621191d709b148 Nuno Das Neves 2025-03-14 1120 init_waitqueue_head(&vp->run.vp_suspend_queue);
621191d709b148 Nuno Das Neves 2025-03-14 1121 atomic64_set(&vp->run.vp_signaled_count, 0);
621191d709b148 Nuno Das Neves 2025-03-14 1122
621191d709b148 Nuno Das Neves 2025-03-14 1123 vp->vp_index = args.vp_index;
19c515c27cee3b Jinank Jain 2025-10-10 1124 vp->vp_intercept_msg_page = page_to_virt(intercept_msg_page);
621191d709b148 Nuno Das Neves 2025-03-14 1125 if (!mshv_partition_encrypted(partition))
621191d709b148 Nuno Das Neves 2025-03-14 1126 vp->vp_register_page = page_to_virt(register_page);
621191d709b148 Nuno Das Neves 2025-03-14 1127
621191d709b148 Nuno Das Neves 2025-03-14 1128 if (mshv_partition_encrypted(partition) && is_ghcb_mapping_available())
621191d709b148 Nuno Das Neves 2025-03-14 1129 vp->vp_ghcb_page = page_to_virt(ghcb_page);
621191d709b148 Nuno Das Neves 2025-03-14 1130
621191d709b148 Nuno Das Neves 2025-03-14 1131 memcpy(vp->vp_stats_pages, stats_pages, sizeof(stats_pages));
621191d709b148 Nuno Das Neves 2025-03-14 1132
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1133 ret = mshv_debugfs_vp_create(vp);
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1134 if (ret)
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1135 goto put_partition;
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1136
621191d709b148 Nuno Das Neves 2025-03-14 1137 /*
621191d709b148 Nuno Das Neves 2025-03-14 1138 * Keep anon_inode_getfd last: it installs fd in the file struct and
621191d709b148 Nuno Das Neves 2025-03-14 1139 * thus makes the state accessible in user space.
621191d709b148 Nuno Das Neves 2025-03-14 1140 */
621191d709b148 Nuno Das Neves 2025-03-14 1141 ret = anon_inode_getfd("mshv_vp", &mshv_vp_fops, vp,
621191d709b148 Nuno Das Neves 2025-03-14 1142 O_RDWR | O_CLOEXEC);
621191d709b148 Nuno Das Neves 2025-03-14 1143 if (ret < 0)
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1144 goto remove_debugfs_vp;
621191d709b148 Nuno Das Neves 2025-03-14 1145
621191d709b148 Nuno Das Neves 2025-03-14 1146 /* already exclusive with the partition mutex for all ioctls */
621191d709b148 Nuno Das Neves 2025-03-14 1147 partition->pt_vp_count++;
621191d709b148 Nuno Das Neves 2025-03-14 1148 partition->pt_vp_array[args.vp_index] = vp;
621191d709b148 Nuno Das Neves 2025-03-14 1149
33c08ba966cf23 Stanislav Kinsburskii 2026-02-26 1150 goto out;
621191d709b148 Nuno Das Neves 2025-03-14 1151
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1152 remove_debugfs_vp:
ff225ba9ad71c4 Nuno Das Neves 2026-01-28 1153 mshv_debugfs_vp_remove(vp);
621191d709b148 Nuno Das Neves 2025-03-14 1154 put_partition:
621191d709b148 Nuno Das Neves 2025-03-14 1155 mshv_partition_put(partition);
621191d709b148 Nuno Das Neves 2025-03-14 1156 free_vp:
621191d709b148 Nuno Das Neves 2025-03-14 @1157 kfree(vp);
^^
freed.

621191d709b148 Nuno Das Neves 2025-03-14 1158 unmap_stats_pages:
d62313bdf5961b Jinank Jain 2025-10-10 1159 mshv_vp_stats_unmap(partition->pt_id, args.vp_index, stats_pages);
621191d709b148 Nuno Das Neves 2025-03-14 1160 unmap_ghcb_page:
19c515c27cee3b Jinank Jain 2025-10-10 1161 if (mshv_partition_encrypted(partition) && is_ghcb_mapping_available())
19c515c27cee3b Jinank Jain 2025-10-10 1162 hv_unmap_vp_state_page(partition->pt_id, args.vp_index,
19c515c27cee3b Jinank Jain 2025-10-10 1163 HV_VP_STATE_PAGE_GHCB, ghcb_page,
621191d709b148 Nuno Das Neves 2025-03-14 1164 input_vtl_normal);
621191d709b148 Nuno Das Neves 2025-03-14 1165 unmap_register_page:
19c515c27cee3b Jinank Jain 2025-10-10 1166 if (!mshv_partition_encrypted(partition))
19c515c27cee3b Jinank Jain 2025-10-10 1167 hv_unmap_vp_state_page(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1168 HV_VP_STATE_PAGE_REGISTERS,
19c515c27cee3b Jinank Jain 2025-10-10 1169 register_page, input_vtl_zero);
621191d709b148 Nuno Das Neves 2025-03-14 1170 unmap_intercept_message_page:
19c515c27cee3b Jinank Jain 2025-10-10 1171 hv_unmap_vp_state_page(partition->pt_id, args.vp_index,
621191d709b148 Nuno Das Neves 2025-03-14 1172 HV_VP_STATE_PAGE_INTERCEPT_MESSAGE,
19c515c27cee3b Jinank Jain 2025-10-10 1173 intercept_msg_page, input_vtl_zero);
621191d709b148 Nuno Das Neves 2025-03-14 1174 destroy_vp:
621191d709b148 Nuno Das Neves 2025-03-14 1175 hv_call_delete_vp(partition->pt_id, args.vp_index);
33c08ba966cf23 Stanislav Kinsburskii 2026-02-26 1176 out:
33c08ba966cf23 Stanislav Kinsburskii 2026-02-26 @1177 trace_mshv_create_vp(partition->pt_id, vp->vp_index, ret);
^^^^^^^^^^^^
vp dereferenced.

621191d709b148 Nuno Das Neves 2025-03-14 1178 return ret;
621191d709b148 Nuno Das Neves 2025-03-14 1179 }
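Review bot: The `out:` label at line 1176 is also reached through `goto destroy_vp`, `goto unmap_intercept_message_page`, `goto unmap_register_page` and `goto unmap_ghcb_page`, all of which run before `vp = kzalloc_obj(*vp)` at line 1109, so on those paths `vp->vp_index` reads through an uninitialized pointer rather than a NULL or freed one. The index the tracepoint needs is already bounds-checked in `args`, so the call can avoid `vp` on every path: `trace_mshv_create_vp(partition->pt_id, args.vp_index, ret);`. Separately, the `if (!vp) goto unmap_stats_pages;` branch at line 1110 is entered with `ret` still 0 from the successful `mshv_vp_stats_map()` call, so as listed an allocation failure tears the VP down but returns (and would trace) success to the ioctl caller; setting `ret = -ENOMEM;` before that goto would make the failure visible.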

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki