From: Ralph Campbell
CC: Jérôme Glisse, Jason Gunthorpe, Andrew Morton, Christoph Hellwig, Ralph Campbell
Subject: [PATCH 1/2] mm/hmm: hmm_range_fault() NULL pointer bug
Date: Fri, 23 Aug 2019 15:17:52 -0700
Message-ID: <20190823221753.2514-2-rcampbell@nvidia.com>
In-Reply-To: <20190823221753.2514-1-rcampbell@nvidia.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Although hmm_range_fault() calls find_vma() to make sure that a vma exists
before calling walk_page_range(), hmm_vma_walk_hole() can still be called
with walk->vma == NULL if the start and end address are not contained
within the vma range.

  hmm_range_fault()                  /* calls find_vma() but no range check */
    walk_page_range()                /* calls find_vma(), sets walk->vma = NULL */
      __walk_page_range()
        walk_pgd_range()
          walk_p4d_range()
            walk_pud_range()
              hmm_vma_walk_hole()
                hmm_vma_walk_hole_()
                  hmm_vma_do_fault()
                    handle_mm_fault(vma=0)
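The failure mode described in the commit message, as an added model in plain C (this is not kernel code and not part of the patch): a constructed address space with two vmas and a hole between them, a find_vma() look-alike, a page walk that hands holes to the fault path with a NULL vma exactly as walk_page_range() does, and two defences. do_fault() carries the leaf guard the patch adds (NULL vma marks the pfn with an error value and returns -EFAULT), and range_in_vma() is the up-front check that hmm_range_fault() lacks: find_vma(start) only proves a vma exists at start, not that [start, end) is covered. The vma table, PAGE_SIZE, HMM_PFN_ERROR_VAL and the function names are all constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define MAX_PAGES 64
/* Constructed stand-in for range->values[HMM_PFN_ERROR]. */
#define HMM_PFN_ERROR_VAL 0xffffffffUL

struct vma { unsigned long start, end; };   /* covers [start, end) */

/* Constructed address space: two vmas with a hole between 0x20000 and 0x30000. */
static const struct vma vmas[] = {
    { 0x10000, 0x20000 },
    { 0x30000, 0x40000 },
};
#define NVMAS (sizeof vmas / sizeof vmas[0])

static unsigned long g_pfns[MAX_PAGES];

/* Like the kernel's find_vma(): the first vma whose end is above addr, or NULL.
 * For an address in a hole this returns the *next* vma, not one covering addr. */
static const struct vma *find_vma(unsigned long addr)
{
    for (size_t i = 0; i < NVMAS; i++)
        if (addr < vmas[i].end)
            return &vmas[i];
    return NULL;
}

/* Leaf fault handler with the guard the patch adds: a NULL vma must not
 * reach handle_mm_fault(); report the page as an error instead. */
static int do_fault(const struct vma *vma, unsigned long addr, unsigned long *pfn)
{
    if (!vma)
        goto err;
    *pfn = addr / PAGE_SIZE;    /* pretend the fault succeeded and yielded a pfn */
    return 0;
err:
    *pfn = HMM_PFN_ERROR_VAL;
    return -EFAULT;
}

/* Page walk modelled on walk_page_range(): the vma is looked up per page, and
 * a page in a hole is passed on with vma == NULL. Results land in g_pfns. */
static int walk_range(unsigned long start, unsigned long end)
{
    size_t i = 0;
    for (unsigned long addr = start; addr < end && i < MAX_PAGES; addr += PAGE_SIZE, i++) {
        const struct vma *vma = find_vma(addr);
        if (vma && addr < vma->start)
            vma = NULL;         /* hole before the next vma: no vma covers addr */
        int ret = do_fault(vma, addr, &g_pfns[i]);
        if (ret)
            return ret;
    }
    return 0;
}

static unsigned long pfn_at(size_t i)
{
    return g_pfns[i];
}

/* The up-front check: is the whole of [start, end) inside the vma found at start? */
static int range_in_vma(unsigned long start, unsigned long end)
{
    const struct vma *vma = find_vma(start);
    return vma != NULL && start >= vma->start && end <= vma->end;
}

int main(void)
{
    /* A range that begins inside a vma but runs past its end. */
    unsigned long start = 0x1f000, end = 0x21000;
    printf("range_in_vma: %d\n", range_in_vma(start, end));       /* 0 */
    printf("walk_range: %d\n", walk_range(start, end));           /* -EFAULT */
    printf("pfn[1] is error value: %d\n", pfn_at(1) == HMM_PFN_ERROR_VAL);
    return 0;
}
```

The walk over 0x1f000..0x21000 handles the first page normally and then meets the hole at 0x20000; without the guard in do_fault() that page would have gone to the fault path with a NULL vma, which is the crash in the call chain above. range_in_vma() rejects the same range before any walk starts.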
Signed-off-by: Ralph Campbell --- mm/hmm.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/mm/hmm.c b/mm/hmm.c index fc05c8fe78b4..29371485fe94 100644 --- a/mm/hmm.c +++ b/mm/hmm.c @@ -229,6 +229,9 @@ static int hmm_vma_do_fault(struct mm_walk *walk, unsig= ned long addr, struct vm_area_struct *vma =3D walk->vma; vm_fault_t ret; =20 + if (!vma) + goto err; + if (hmm_vma_walk->flags & HMM_FAULT_ALLOW_RETRY) flags |=3D FAULT_FLAG_ALLOW_RETRY; if (write_fault) @@ -239,12 +242,14 @@ static int hmm_vma_do_fault(struct mm_walk *walk, uns= igned long addr, /* Note, handle_mm_fault did up_read(&mm->mmap_sem)) */ return -EAGAIN; } - if (ret & VM_FAULT_ERROR) { - *pfn =3D range->values[HMM_PFN_ERROR]; - return -EFAULT; - } + if (ret & VM_FAULT_ERROR) + goto err; =20 return -EBUSY; + +err: + *pfn =3D range->values[HMM_PFN_ERROR]; + return -EFAULT; } =20 static int hmm_pfns_bad(unsigned long addr, --=20 2.20.1
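Review bot: the new `if (!vma) goto err;` at the top of hmm_vma_do_fault() guards only the leaf, while the commit message shows walk->vma is already NULL when walk_page_range() hands the hole to hmm_vma_walk_hole() and hmm_vma_walk_hole_(), so any use of walk->vma in those frames remains unguarded. Consider rejecting the range in hmm_range_fault() itself, which the commit message identifies as the place that calls find_vma() with no range check: verify that [start, end) lies within the vma it found before calling walk_page_range(). If the leaf guard stays, a one-line comment above `if (!vma)` noting that walk_page_range() sets walk->vma to NULL for holes outside any vma would record why the check is there.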
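Review bot: the second hunk's `err:` label merges the existing VM_FAULT_ERROR exit with the new missing-vma exit, so both set `*pfn = range->values[HMM_PFN_ERROR]` and return -EFAULT, and the VM_FAULT_ERROR behaviour is unchanged. The label sits after `return -EBUSY;` and is reached only by goto, which is fine, but `err` is generic; a name such as `err_pfn`, or a short comment that this exit marks the pfn as an error, would make the two `goto err` sites read more clearly. Also worth confirming that the caller in the commit message's chain, hmm_vma_walk_hole_(), treats -EFAULT from a missing vma the same way as -EFAULT from a failed fault.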