Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3332818ybb; Sun, 22 Mar 2020 21:53:59 -0700 (PDT) X-Google-Smtp-Source: ADFU+vvdHgAZUrtVL4avVw0511bql3bllKAh9vqT5Uzddp01gxY1VArNUlAL4qL8eXuQMfh63ShI X-Received: by 2002:a05:6830:210d:: with SMTP id i13mr17240467otc.104.1584939239260; Sun, 22 Mar 2020 21:53:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1584939239; cv=none; d=google.com; s=arc-20160816; b=ZF8WnBUUgs1lvk0ORU6yeTNb6XmEfIBg+W1Rj++EcQcg4zI90iDvMqjHJspgWG6UTK /De9GIBFC9JsdYmP8e3rj8viCmd0A2kwEcFCoIca9ml7zKJzuVwjmwbSRE8El1CUh4b+ 780a9+fcZ6UIuoQVn5/wdqFN6WUspiftLIXGGQ+Vm8LfSW6KkNNd6zbCj4YQkpreY8q5 LxrUZm5fAD6VRW1wRDJFpKC82hvxGT1y1FKSqwcmTNs0lzQzqBSSkSdStJ+iIwgWmrRq AFZpWnScn4lBWksxQDNBAtLA6UYyO7PajkJb+GTyZ9N/IA726CAT2nUrkV3H35E3dJ9h y+6w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=NX1Js6kn4KkBmd5hCOIP6xrjrFK7vK5BImAosH9KcEA=; b=Kdd7yUQNQVLVUVcuDQ5VyWmN4pv3mgtYEPyoCImv+w6BIMJW2m+ZI8fxbWUkkP++sF PFWt29ewPIF34Ylo2+qADok6L5aYbNXIRdgAiemAV7aHTm8sXfzLCD1muT/QBh69ETfQ gXPRsHkT43+r8MsB1LV4zF6zJntAF7o8IdTxQKh5Ng+thkizWWRAr7NVjK7yOuooT9dV q6gkudRKGzL2Y044wFyHkj7IPXmAk8vAxZ5xGK/KwXd0BiVllzh7SSEF7xvM2OCVDmO+ pVFajXjkODJdk/9bKPV51gPDfAHCWbJCP3sFryr0MwfLfRrm8cyfKuENFW6l1kWCMnR5 4nCw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c67si2004535oif.5.2020.03.22.21.53.47; Sun, 22 Mar 2020 21:53:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725903AbgCWExb (ORCPT + 99 others); Mon, 23 Mar 2020 00:53:31 -0400 Received: from mail.fudan.edu.cn ([202.120.224.10]:52373 "EHLO fudan.edu.cn" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725838AbgCWExb (ORCPT ); Mon, 23 Mar 2020 00:53:31 -0400 Received: from localhost (unknown [120.229.255.251]) by app1 (Coremail) with SMTP id XAUFCgA3PiquQHhe32kNAA--.6291S2; Mon, 23 Mar 2020 12:53:04 +0800 (CST) Date: Mon, 23 Mar 2020 12:53:02 +0800 From: Xiyu Yang To: Greg Kroah-Hartman Cc: Arnd Bergmann , Xin Tan , Alexios Zavras , Vishnu DASA , Thomas Gleixner , Allison Randal , Ira Weiny , Mike Marshall , linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu Subject: Re: Re: [PATCH] VMCI: Fix NULL pointer dereference on context ptr Message-ID: <20200323045302.GA117440@sherlly> References: <1584426607-89366-1-git-send-email-xiyuyang19@fudan.edu.cn> <20200318110204.GB2305113@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200318110204.GB2305113@kroah.com> X-CM-TRANSID: XAUFCgA3PiquQHhe32kNAA--.6291S2 X-Coremail-Antispam: 1UD129KBjvJXoWxWrWUAFy3Jw1kArykWr45Jrb_yoW5Cw4Upr ZxGFW8AFy8JF42ya9Fva1jvFyYgw1FgFyqk34Dta45ZryayFykGr4UKa4Yvr97ZF1rAr1I vr1UtFnxuanIyFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvlb7Iv0xC_Cr1lb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I2 0VC2zVCF04k26cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rw A2F7IY1VAKz4vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xII jxv20xvEc7CjxVAFwI0_Cr1j6rxdM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I 8E87Iv6xkF7I0E14v26rxl6s0DM2vYz4IE04k24VAvwVAKI4IrM2AIxVAIcxkEcVAq07x2 0xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1j6r18Mc Ij6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lFIxG xcIEc7CjxVA2Y2ka0xkIwI1l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr 1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE 14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7 IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvE x4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvj DU0xZFpf9x07j1iihUUUUU= X-CM-SenderInfo: irzsiiysuqikmy6i3vldqovvfxof0/ Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Greg, On Wed, Mar 18, 2020 at 12:02:04PM +0100, Greg Kroah-Hartman wrote: > On Tue, Mar 17, 2020 at 02:29:57PM +0800, Xiyu Yang wrote: > > The refcount wrapper function vmci_ctx_get() may return NULL > > context ptr. Thus, we need to add a NULL pointer check > > before its dereference. > > > > Signed-off-by: Xiyu Yang > > Signed-off-by: Xin Tan > > --- > > drivers/misc/vmw_vmci/vmci_context.c | 2 ++ > > drivers/misc/vmw_vmci/vmci_queue_pair.c | 17 +++++++++++------ > > 2 files changed, 13 insertions(+), 6 deletions(-) > > > > diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c > > index 16695366ec92..a20878fba374 100644 > > --- a/drivers/misc/vmw_vmci/vmci_context.c > > +++ b/drivers/misc/vmw_vmci/vmci_context.c > > @@ -898,6 +898,8 @@ void vmci_ctx_rcv_notifications_release(u32 context_id, > > bool success) > > { > > struct vmci_ctx *context = vmci_ctx_get(context_id); > > + if (context == NULL) > > + return; > > Same comment as on your other patch. > > And is this a v2? Thanks! Yes, this is a v2. According to our observation, vmci_ctx_rcv_notifications_release() currently is only called by vmci_host_do_recv_notifications() which guarantees a valid context object can be acquired with this context_id. However, we argue that a NULL-check here is still necessary because this function may be called by other functions in the future who may fail/forget to provide such guarantee. A NULL-check could gracely eliminiate such assumption on the callers for vmci_ctx_rcv_notifications_release() with negligible overhead. > > spin_lock(&context->lock); > > if (!success) { > > diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c > > index 8531ae781195..2ecb22d08692 100644 > > --- a/drivers/misc/vmw_vmci/vmci_queue_pair.c > > +++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c > > @@ -1575,11 +1575,14 @@ static int qp_broker_attach(struct qp_broker_entry *entry, > > */ > > > > create_context = vmci_ctx_get(entry->create_id); > > - supports_host_qp = vmci_ctx_supports_host_qp(create_context); > > - vmci_ctx_put(create_context); > > + if (!create_context) { > > + supports_host_qp = > > + vmci_ctx_supports_host_qp(create_context); > > + vmci_ctx_put(create_context); > > > > - if (!supports_host_qp) > > - return VMCI_ERROR_INVALID_RESOURCE; > > + if (!supports_host_qp) > > + return VMCI_ERROR_INVALID_RESOURCE; > > + } > > } > > > > if ((entry->qp.flags & ~VMCI_QP_ASYMM) != (flags & ~VMCI_QP_ASYMM_PEER)) > > @@ -1808,7 +1811,8 @@ static int qp_alloc_host_work(struct vmci_handle *handle, > > pr_devel("queue pair broker failed to alloc (result=%d)\n", > > result); > > } > > - vmci_ctx_put(context); > > + if (context) > > + vmci_ctx_put(context); > > can't vmci_ctx_put() take a NULL pointer? If not, fix this that way > please. > > thanks, > > greg k-h No. vmci_ctx_put() can not take a NULL pointer. Sure, we will submit a new patch to perform a NULL-check in vmci_ctx_put().