From: Xiaochen Shen
To: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, hpa@zytor.com, tony.luck@intel.com, fenghua.yu@intel.com, reinette.chatre@intel.com
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, pei.p.jia@intel.com, xiaochen.shen@intel.com
Subject: [PATCH] x86/resctrl: Prevent NULL pointer dereference when reading mondata
Date: Tue, 29 Oct 2019 13:25:02 +0800
Message-Id: <1572326702-27577-1-git-send-email-xiaochen.shen@intel.com>

When a mon group is being deleted, rdtgrp->flags is set to RDT_DELETED in rdtgroup_rmdir_mon() firstly. The structure of rdtgrp will be freed until rdtgrp->waitcount is dropped to 0 in rdtgroup_kn_unlock() later.

During the window of deleting a mon group, if an application calls rdtgroup_mondata_show() to read mondata under this mon group, 'rdtgrp' returned from rdtgroup_kn_lock_live() is a NULL pointer when rdtgrp->flags is RDT_DELETED. And then 'rdtgrp' is passed in this path: rdtgroup_mondata_show() --> mon_event_read() --> mon_event_count(). Thus it results in NULL pointer dereference in mon_event_count().

Add checking of 'rdtgrp' in rdtgroup_mondata_show(), and return -ENOENT immediately when reading mondata during the window of deleting a mon group.

Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data")
Signed-off-by: Xiaochen Shen
Reviewed-by: Fenghua Yu
Reviewed-by: Tony Luck
---
 arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c index efbd54cc4e69..055c8613b531 100644 --- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c 
@@ -522,6 +522,10 @@ int rdtgroup_mondata_show(struct seq_file *m, void *arg) int ret = 0; rdtgrp = rdtgroup_kn_lock_live(of->kn); + if (!rdtgrp) { + ret = -ENOENT; + goto out; + } md.priv = of->kn->priv; resid = md.u.rid; -- 1.8.3.1
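
Review bot: The new `if (!rdtgrp)` branch leaves through `goto out`, but the `out` label is outside the context shown in this hunk, so it is not visible here that the error path still calls rdtgroup_kn_unlock(of->kn). The commit message ties freeing of the deleted group to rdtgrp->waitcount dropping to 0 in rdtgroup_kn_unlock(), so the failed rdtgroup_kn_lock_live() has to stay paired with that unlock; please confirm `out:` does this and say so in the changelog, since a bare `return -ENOENT` at this spot would look equivalent to a later reader and would not be. It would also help to have a short comment above the check noting that NULL here means the group is mid-deletion, because the dereference the patch prevents happens two calls further down, in mon_event_count(), and nothing at this call site hints at that.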