From: Qian Cai To: alex.williamson@redhat.com Cc: cohuck@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Qian Cai Subject: [PATCH -next] vfio/pci: fix a null-ptr-deref in vfio_config_free() Date: Thu, 21 May 2020 21:18:29 -0400 Message-Id: <20200522011829.17301-1-cai@lca.pw> X-Mailer: git-send-email 2.17.2 (Apple Git-113) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org It is possible vfio_config_init() does not call vfio_cap_len(), and then vdev->msi_perm == NULL. Later, in vfio_config_free(), it could trigger a null-ptr-deref. BUG: kernel NULL pointer dereference, address: 0000000000000000 RIP: 0010:vfio_config_free+0x7a/0xe0 [vfio_pci] vfio_config_free+0x7a/0xe0: free_perm_bits at drivers/vfio/pci/vfio_pci_config.c:340 (inlined by) vfio_config_free at drivers/vfio/pci/vfio_pci_config.c:1760 Call Trace: vfio_pci_release+0x3a4/0x9e0 [vfio_pci] vfio_device_fops_release+0x50/0x80 [vfio] __fput+0x200/0x460 ____fput+0xe/0x10 task_work_run+0x127/0x1b0 do_exit+0x782/0x10d0 do_group_exit+0xc7/0x1c0 __x64_sys_exit_group+0x2c/0x30 do_syscall_64+0x64/0x350 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: bea890bdb161 ("vfio/pci: fix memory leaks in alloc_perm_bits()") Signed-off-by: Qian Cai --- drivers/vfio/pci/vfio_pci_config.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c index d127a0c50940..8746c943247a 100644 --- a/drivers/vfio/pci/vfio_pci_config.c +++ b/drivers/vfio/pci/vfio_pci_config.c @@ -1757,9 +1757,11 @@ void vfio_config_free(struct vfio_pci_device *vdev) vdev->vconfig = NULL; kfree(vdev->pci_config_map); vdev->pci_config_map = NULL; - free_perm_bits(vdev->msi_perm); - kfree(vdev->msi_perm); - vdev->msi_perm = NULL; + if (vdev->msi_perm) { + free_perm_bits(vdev->msi_perm); + kfree(vdev->msi_perm); + vdev->msi_perm = NULL; + } } /* -- 2.17.2 (Apple Git-113)
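Review bot: the NULL guard in the vfio_config_free() hunk is wider than necessary: kfree() already accepts a NULL pointer and the `vdev->msi_perm = NULL` store is harmless, so only `free_perm_bits(vdev->msi_perm)` actually needs protecting (the trace shows the fault inside free_perm_bits inlined at vfio_pci_config.c:340). Consider making free_perm_bits() return early on a NULL argument instead, which covers every caller rather than just this one, or at least narrow the `if` to the free_perm_bits() call. The commit message should also say why bea890bdb161 is the right target for the Fixes: tag; as written it only states that vfio_cap_len() may not be called, not how that commit introduced the dereference.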