Date: Wed, 24 Jul 2019 13:16:53 +0200 (CEST)
From: Thomas Gleixner
To: Jia-Ju Bai
cc: dave.hansen@linux.intel.com, luto@kernel.org, peterz@infradead.org, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86: Fix possible null-pointer dereferences in untrack_pfn()
In-Reply-To: <20190723132648.25853-1-baijiaju1990@gmail.com>
References: <20190723132648.25853-1-baijiaju1990@gmail.com>

On Tue, 23 Jul 2019, Jia-Ju Bai wrote:
> In untrack_pfn(), there is an if statement on line 1058 to check whether
> vma is NULL:
> if (vma && !(vma->vm_flags & VM_PAT))
>
> When vma is NULL, vma is used on line 1064:
> if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr))
> and line 1069:
> size = vma->vm_end - vma->vm_start;
>
> Thus, possible null-pointer dereferences may occur.
>
> To fix these possible bugs, vma is checked on line 1063.
>
> These bugs are found by a static analysis tool STCheck written by us.

In principle you are right, but that's a bit more subtle as the callers can
provide a vma pointer and/or a valid pfn and size.

> diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
> index d9fbd4f69920..717456e7745e 100644
> --- a/arch/x86/mm/pat.c
> +++ b/arch/x86/mm/pat.c
> @@ -1060,7 +1060,7 @@ void untrack_pfn(struct vm_area_struct *vma, unsigned long pfn,
>
>  	/* free the chunk starting from pfn or the whole chunk */
>  	paddr = (resource_size_t)pfn << PAGE_SHIFT;
> -	if (!paddr && !size) {
> +	if (vma && !paddr && !size) {
>  		if (follow_phys(vma, vma->vm_start, 0, &prot, &paddr)) {
>  			WARN_ON_ONCE(1);
>  			return;

So I'd rather have a sanity check in that function which does:

	if (WARN_ON_ONCE(!vma && !pfn && !size))
		return;

Thanks,

	tglx
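Review bot: the `vma &&` prepended to the `if (!paddr && !size)` guard in this hunk trades a NULL dereference for silent mis-handling: when a caller passes vma == NULL together with pfn == 0 and size == 0, the function now skips the follow_phys() block and continues past it with paddr == 0 and size == 0 instead of reporting the invalid call. That combination is a caller bug, not a legitimate input (callers supply either a vma or a pfn/size range), so it belongs in an explicit precondition at the top of untrack_pfn(), e.g. `if (WARN_ON_ONCE(!vma && !pfn && !size)) return;`, which fails loudly and keeps the "which chunk to free" branch free of contract checks. The commit message also anchors its reasoning to line numbers (1058, 1063, 1064, 1069) that will not survive a rebase; describing the conditions instead would make it self-contained.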
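As an added example (not the kernel's code and not from this thread): a small user-space model of the untrack_pfn() calling convention tglx describes, with his proposed WARN_ON_ONCE() precondition in place. The vma struct, follow_phys() and free_pfn_range() are simplified stand-ins, and WARN_ON_ONCE() is modelled as a counter so the rejection is observable.

```c
/* Added example (not kernel code): user-space model of the untrack_pfn()
 * contract. vma struct, follow_phys(), free_pfn_range() are stand-ins. */
#include <stddef.h>
#define PAGE_SHIFT 12
#define VM_PAT 0x1UL
struct vm_area_struct { unsigned long vm_start, vm_end, vm_flags, pfn; };
static unsigned long freed_paddr, freed_size;	/* what the model released */
static int warn_count;				/* how often WARN_ON_ONCE() fired */
#define WARN_ON_ONCE(cond) ((cond) ? (warn_count++, 1) : 0)

/* Stand-in for follow_phys(): map the VMA start to a physical address. */
static int follow_phys(struct vm_area_struct *vma, unsigned long *paddr)
{
	if (!vma)
		return -1;
	*paddr = vma->pfn << PAGE_SHIFT;
	return 0;
}

static void free_pfn_range(unsigned long paddr, unsigned long size)
{
	freed_paddr = paddr;
	freed_size = size;
}

/* Callers pass either a vma with pfn == size == 0 ("whole chunk") or an
 * explicit pfn/size range (vma may be NULL). Returns 0 or -1 (rejected). */
static int untrack_pfn_model(struct vm_area_struct *vma, unsigned long pfn,
			     unsigned long size)
{
	unsigned long paddr;
	/* tglx's proposed sanity check: nothing to work with, so fail loudly. */
	if (WARN_ON_ONCE(!vma && !pfn && !size))
		return -1;
	if (vma && !(vma->vm_flags & VM_PAT))
		return 0;
	paddr = pfn << PAGE_SHIFT;
	if (!paddr && !size) {	/* vma cannot be NULL here thanks to the check */
		if (follow_phys(vma, &paddr)) {
			WARN_ON_ONCE(1);
			return -1;
		}
		size = vma->vm_end - vma->vm_start;
	}
	free_pfn_range(paddr, size);
	if (vma)
		vma->vm_flags &= ~VM_PAT;
	return 0;
}
```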