The return value of uk_palloc is not checked in _arch_init_p2m.
Allocation failure at that point should never happen, but it's not a
reason not to check.

At this stage, in the event of a failure, we should probably abort the
boot altogether.

This bug was detected using the following Coccinelle spatch:
@call@
expression ptr;
position p;
@@
ptr@p = uk_palloc(...);
@ok@
expression ptr;
position call.p;
@@
ptr@p = uk_palloc(...);
... when != ptr
(
(ptr == NULL || ...)
|
(ptr != NULL || ...)
)
@depends on !ok@
expression ptr;
position call.p;
@@
ptr@p = uk_palloc(...);
+ if (ptr == NULL) return;
Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@manchester.ac.uk>
Reviewed-by: Stefan Jumarea <stefanjumarea02@gmail.com>
Approved-by: Simon Kuenzer <simon@unikraft.io>
Tested-by: Unikraft CI <monkey@unikraft.io>
GitHub-Closes: #839
UK_CRASH("Error: Too many pfns.\n");
l3_list = uk_palloc(a, 1);
+ if (l3_list == NULL)
+ UK_CRASH("Error: Cannot allocate l3_list.\n");
for (pfn = 0; pfn < max_pfn; pfn += P2M_ENTRIES) {
if (!(pfn % (P2M_ENTRIES * P2M_ENTRIES))) {
l2_list = uk_palloc(a, 1);
+ if (l2_list == NULL)
+ UK_CRASH("Error: Cannot allocate l2_list.\n");
l3_list[L3_P2M_IDX(pfn)] = virt_to_mfn(l2_list);
l2_list_pages[L3_P2M_IDX(pfn)] = l2_list;
}
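Review bot: The l2_list check inside the loop crashes with a fixed string, so a failure there gives no indication of how far the P2M setup had progressed; if UK_CRASH accepts format arguments, including pfn or L3_P2M_IDX(pfn) in "Cannot allocate l2_list" would make the crash easier to diagnose. Both new checks also depend on UK_CRASH never returning, because l3_list[L3_P2M_IDX(pfn)] = virt_to_mfn(l2_list) is written immediately afterwards with no other guard; it is worth confirming that this holds in every build configuration. The spatch in the commit message flags every unchecked uk_palloc, and this hunk ends inside the loop body, so please confirm that no later allocation in _arch_init_p2m is left unchecked.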