Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1024404ybk; Wed, 13 May 2020 21:01:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyW/7IXWFq9IkMEWRlczVWANEYiUCBrKoXBqV/uR30pEjWvKx9rvK4xma+MEckzwRV1PNaD X-Received: by 2002:aa7:dd84:: with SMTP id g4mr2348247edv.257.1589428913088; Wed, 13 May 2020 21:01:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589428913; cv=none; d=google.com; s=arc-20160816; b=y361N0I4TV4F8pnC6aXK0RO9ZT91jcmXog2GDZjQafsESXw4DFVG0h73QkkC+pjJT2 iySHVXrECkU6szbJYKJ6p0kOZp/lAgSm19h0rGC8vh4azQdNGdg9IVyTKYD6eV7XDECy JkhsbBIG/8CtOiMHeVMRSdBsSNEyi40mbKCT8JzkDO34roRbkV8B4VsVLtK9dxmRhhbw HaLF/Er9B4xWXGwfjXp/3PduYAIGJ48wjs/4+KMf7thYR/1Be+6F0hrgQBrAjeCfZIAF 5Y34o6X0PLCtAthjndXRfME0ZEaIdBqR+oBOQRygs2pwk880hzrYYYFghsWVGtgC9+6v PIcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=YZN2rOoBZ7nT13bfGnDLSFWTXQ68hHNsIaIBGs4FzxA=; b=f/VdV5QleuWPO4IuXjkbd/uNww9pjvnNz5/nrCaPPrsgVZA3MFzi5ol1lDMRgPWbhN or0W4q+VcUUZb1qM6IgwJBSyBAq8zvnGQdheXJij1baFNQXjHsD5AZFUS48Ak7tb6gTn ln2JXnxzraGNOxZ5p+LQO3L5X3VJ4gWeuJDF65luqp3Bt9ftL4Zxk+t5x1rOPJvCY3qp SHiPGphE3R+OOqM+lsAg2YfSiUCSuu0etaXfF3yC45cilQ3WLj28cbPPZAY/IXJfFsKi B/Z3aM9hbljBAagBGYBAD6nwEOpwLj6rWuiIq39yQZIhBrpKj4fGeAIzv5xUSZSi1R8I lx1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Kk55K9y+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r12si953150edm.95.2020.05.13.21.01.29; Wed, 13 May 2020 21:01:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Kk55K9y+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725967AbgEND7w (ORCPT + 99 others); Wed, 13 May 2020 23:59:52 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50102 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725931AbgEND7v (ORCPT ); Wed, 13 May 2020 23:59:51 -0400 Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C52CBC061A0C for ; Wed, 13 May 2020 20:59:51 -0700 (PDT) Received: by mail-il1-x129.google.com with SMTP id e8so849535ilm.7 for ; Wed, 13 May 2020 20:59:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=YZN2rOoBZ7nT13bfGnDLSFWTXQ68hHNsIaIBGs4FzxA=; b=Kk55K9y+dNoJqW1fYQute2yGbQCoNfUnfQl7TfnwNWZq/Q9Sz6vWRC9keNQ/QcwfP5 Fkd9FlUlJieCEl/lsifD2gPEewl9ggqJCUXZhReeHJHtNOw/g0nG4ITgkzuD7Crq56CQ 6ORo4Q1ovb6JzpVMSqMPGFF0EHCzB6p/liCk+Vqw6I1oBZtgo0oFdzA9hnNSzbxLB4Nt UiLv9SuD6IKby/xi9UTyeSfxYmzJ3kV1ZZia35egdO7ba1papXdqWaZC1xmf/7U4j0A5 PGSurLBcD4s89DIUmc5B86UyZER5wdtiyKVwkQFaEHPnHJ8ITsFVqSKRfmHMvVHF3lqr CBCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=YZN2rOoBZ7nT13bfGnDLSFWTXQ68hHNsIaIBGs4FzxA=; b=b5RfTBe2UdnRb54WZnsNYgsxiRSqdU54VMyqx2qI7KLvfGQZPeRp8OEVLlV5ha8baA 52EilVXANueJ1K8W7B9x+RSz9PwKmZ6Hu1XycWEpNcnLiDGu2idYvC2UujeqJGnA14cP vpXDUUfnLKYZn7mGXcLYD/IlBH0HwpkbLl3A/uqr5U66BZhPqKt/Td+o1UiKsNMyjVgh qSvIbLzwSqTeCX0Mgqdz9ea/+W01mnFATo1HW6OP/fapJPRyolcz+VdgPvY/5Qren516 3f/vioNk8jt9zCpc34n/okR9MWCfs1JYVlMbi/qJpWmlu/8TLp1KVZna2Gr9d+jCkQ0o 5Hcw== X-Gm-Message-State: AOAM532LWB8lb7KOuD0J05qk2Oe7eutSsMRgrVYXIAXmmRiVK251JOpP DJD5ptpWA2oyxIVGYVdIRCz2V3nFpiaDz1SxeCveOw== X-Received: by 2002:a92:d186:: with SMTP id z6mr2715190ilz.119.1589428789890; Wed, 13 May 2020 20:59:49 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Dongyang Zhan Date: Thu, 14 May 2020 11:59:42 +0800 Message-ID: Subject: Fwd: Possible null pointer dereference caused by vmstat_start() To: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org =E5=8F=91=E4=BB=B6=E4=BA=BA=EF=BC=9A Dongyang Zhan Date: 2020=E5=B9=B45=E6=9C=883=E6=97=A5=E5=91=A8=E6=97=A5 =E4=B8=8B=E5=8D= =881:45 Subject: Possible null pointer dereference caused by vmstat_start() To: Cc: In Linux 4.10.17, vmstat_start() stores the results of v =3D kmalloc(stat_items_size, GFP_KERNEL) in m->private =3D v before security check. If m->private is accessed, it may cause null pointer dereference. Source code link: https://elixir.bootlin.com/linux/v4.10.17/source/mm/vmstat.c#L1465 Source code; v =3D kmalloc(stat_items_size, GFP_KERNEL); m->private =3D v; //stores v before check; if (!v) return ERR_PTR(-ENOMEM); Function rdtgroup_seqfile_show() in arch/x86/kernel/cpu/intel_rdt_rdtgroup.c access this pointer without check, which is a possible bug. Link: https://elixir.bootlin.com/linux/v4.10.17/source/arch/x86/kernel/cpu/intel_= rdt_rdtgroup.c#150 Source Code static int rdtgroup_seqfile_show(struct seq_file *m, void *arg) { struct kernfs_open_file *of =3D m->private; struct rftype *rft =3D of->kn->priv; // without check; if (rft->seq_show) return rft->seq_show(of, m, arg); return 0; }