Received: by 2002:a25:31c3:0:0:0:0:0 with SMTP id x186csp3034266ybx; Sun, 3 Nov 2019 09:14:14 -0800 (PST) X-Google-Smtp-Source: APXvYqzYMXthxbaXp/ArtIZIkDXT27Bda5DmFx8IawydDzdYC8SIDvDMWAJLvB7l5HZg4fjwQyUb X-Received: by 2002:a17:906:7e10:: with SMTP id e16mr20121372ejr.84.1572801254467; Sun, 03 Nov 2019 09:14:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1572801254; cv=none; d=google.com; s=arc-20160816; b=QlrD8mfFJxmPcWRK+mxtlLp8sEFE6+AVX3RGSQbLq672Zd6Q87Mjiwmla4PZWWIhXl Eu0PLhKpD8jArMQdZa12ksh/qi3ZIEQ1d0cUMWtO5mcG1+/sS2SzbOKn21CK/WRbpG1m TwotT8v0D6c+rrw0ke0q5sBVAvu3s//ke6TvXVopehAIz+9+gw6QRL3KLeZd5HutN3kg obqDvr8ZX3/KEaOW06/Y0yRriXuktq8i8ihJaHT8DUUa46e8Iy2CwII2kA8V+Zq87Jmd MhtO2jtofL+v8eVywfE0tqEtZ8tdcSZDR5cQcbqAfbV54RCJyI3022Q6/j03KigshNvj Ozng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :robot-unsubscribe:robot-id:message-id:mime-version:references :in-reply-to:cc:subject:to:reply-to:from:date; bh=kDwa8IMmcjdkwp/akJrn9SSmMerUHHqejF7wzheoUnQ=; b=DgW31646jjReh8ZtzYLSyZo4qvKoJK/HBmbJYbM2FRGTowszafZq3AJsysCRE6+EHf VxZlgxZ9r8kGqESfCbz1jXPNnDLVO/+8sK7sl2cpESTfY/J5ZKMLtMtS//iM8y0Aovhk NKeH00eLwblOWRi8on2/2JYiZAtVGdUHAGWUtAl6hI/sc2TuBjABirSJZdNwR5PMs5Sh X/uIW75W92Q8UpJ1UYMSkcZmmU5CF1Q0+7KnSPauIV7vAw7FUpZVl8+SHOwAZd7DiYnf S6LkHd91CyO5CPVUoSejMR+Np3p1jb5aj4aMB04GpNDRG5vaECZ498ncUTMbyiDyrF8q qSyw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id jr14si9023780ejb.316.2019.11.03.09.13.50; Sun, 03 Nov 2019 09:14:14 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727868AbfKCRMp (ORCPT + 99 others); Sun, 3 Nov 2019 12:12:45 -0500 Received: from Galois.linutronix.de ([193.142.43.55]:35760 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727444AbfKCRMp (ORCPT ); Sun, 3 Nov 2019 12:12:45 -0500 Received: from [5.158.153.53] (helo=tip-bot2.lab.linutronix.de) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1iRJQT-0003cs-DB; Sun, 03 Nov 2019 18:12:29 +0100 Received: from [127.0.1.1] (localhost [IPv6:::1]) by tip-bot2.lab.linutronix.de (Postfix) with ESMTP id DF7451C0018; Sun, 3 Nov 2019 18:12:28 +0100 (CET) Date: Sun, 03 Nov 2019 17:12:28 -0000 From: "tip-bot2 for Xiaochen Shen" Reply-to: linux-kernel@vger.kernel.org To: linux-tip-commits@vger.kernel.org Subject: [tip: x86/urgent] x86/resctrl: Prevent NULL pointer dereference when reading mondata Cc: Xiaochen Shen , Borislav Petkov , Fenghua Yu , Tony Luck , "H. Peter Anvin" , Ingo Molnar , pei.p.jia@intel.com, Reinette Chatre , Thomas Gleixner , "x86-ml" , Ingo Molnar , Borislav Petkov , linux-kernel@vger.kernel.org In-Reply-To: <1572326702-27577-1-git-send-email-xiaochen.shen@intel.com> References: <1572326702-27577-1-git-send-email-xiaochen.shen@intel.com> MIME-Version: 1.0 Message-ID: <157280114858.29376.4595330962343256563.tip-bot2@tip-bot2> X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The following commit has been merged into the x86/urgent branch of tip: Commit-ID: 26467b0f8407cbd628fa5b7bcfd156e772004155 Gitweb: https://git.kernel.org/tip/26467b0f8407cbd628fa5b7bcfd156e772004155 Author: Xiaochen Shen AuthorDate: Tue, 29 Oct 2019 13:25:02 +08:00 Committer: Borislav Petkov CommitterDate: Sun, 03 Nov 2019 17:51:22 +01:00 x86/resctrl: Prevent NULL pointer dereference when reading mondata When a mon group is being deleted, rdtgrp->flags is set to RDT_DELETED in rdtgroup_rmdir_mon() firstly. The structure of rdtgrp will be freed until rdtgrp->waitcount is dropped to 0 in rdtgroup_kn_unlock() later. During the window of deleting a mon group, if an application calls rdtgroup_mondata_show() to read mondata under this mon group, 'rdtgrp' returned from rdtgroup_kn_lock_live() is a NULL pointer when rdtgrp->flags is RDT_DELETED. And then 'rdtgrp' is passed in this path: rdtgroup_mondata_show() --> mon_event_read() --> mon_event_count(). Thus it results in NULL pointer dereference in mon_event_count(). Check 'rdtgrp' in rdtgroup_mondata_show(), and return -ENOENT immediately when reading mondata during the window of deleting a mon group. Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data") Signed-off-by: Xiaochen Shen Signed-off-by: Borislav Petkov Reviewed-by: Fenghua Yu Reviewed-by: Tony Luck Cc: "H. Peter Anvin" Cc: Ingo Molnar Cc: pei.p.jia@intel.com Cc: Reinette Chatre Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/1572326702-27577-1-git-send-email-xiaochen.shen@intel.com --- arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c index efbd54c..055c861 100644 --- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c +++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c @@ -522,6 +522,10 @@ int rdtgroup_mondata_show(struct seq_file *m, void *arg) int ret = 0; rdtgrp = rdtgroup_kn_lock_live(of->kn); + if (!rdtgrp) { + ret = -ENOENT; + goto out; + } md.priv = of->kn->priv; resid = md.u.rid;