From: Maxime Coquelin
To: xieyongji@bytedance.com, jasowang@redhat.com, mst@redhat.com, xuanzhuo@linux.alibaba.com
Cc: gregkh@linuxfoundation.org, sheng.zhao@bytedance.com, parav@nvidia.com, virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, Maxime Coquelin
Subject: [PATCH] vduse: fix NULL pointer dereference
Date: Wed, 14 Jun 2023 13:52:06 +0200
Message-Id: <20230614115206.800118-1-maxime.coquelin@redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

vduse_vdpa_set_vq_affinity callback can be called with NULL value as
cpu_mask when deleting the vduse device. This patch clears virtqueue's
IRQ affinity mask value instead of dereferencing NULL cpu_mask.

[ 4760.952149] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 4760.959110] #PF: supervisor read access in kernel mode
[ 4760.964247] #PF: error_code(0x0000) - not-present page
[ 4760.969385] PGD 0 P4D 0
[ 4760.971927] Oops: 0000 [#1] PREEMPT SMP PTI
[ 4760.976112] CPU: 13 PID: 2346 Comm: vdpa Not tainted 6.4.0-rc6+ #4
[ 4760.982291] Hardware name: Dell Inc. PowerEdge R640/0W23H8, BIOS 2.8.1 06/26/2020
[ 4760.989769] RIP: 0010:memcpy_orig+0xc5/0x130
[ 4760.994049] Code: 16 f8 4c 89 07 4c 89 4f 08 4c 89 54 17 f0 4c 89 5c 17 f8 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 fa 08 72 1b <4c> 8b 06 4c 8b 4c 16 f8 4c 89 07 4c 89 4c 17 f8 c3 cc cc cc cc 66
[ 4761.012793] RSP: 0018:ffffb1d565abb830 EFLAGS: 00010246
[ 4761.018020] RAX: ffff9f4bf6b27898 RBX: ffff9f4be23969c0 RCX: ffff9f4bcadf6400
[ 4761.025152] RDX: 0000000000000008 RSI: 0000000000000000 RDI: ffff9f4bf6b27898
[ 4761.032286] RBP: 0000000000000000 R08: 0000000000000008 R09: 0000000000000000
[ 4761.039416] R10: 0000000000000000 R11: 0000000000000600 R12: 0000000000000000
[ 4761.046549] R13: 0000000000000000 R14: 0000000000000080 R15: ffffb1d565abbb10
[ 4761.053680] FS: 00007f64c2ec2740(0000) GS:ffff9f635f980000(0000) knlGS:0000000000000000
[ 4761.061765] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4761.067513] CR2: 0000000000000000 CR3: 0000001875270006 CR4: 00000000007706e0
[ 4761.074645] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 4761.081775] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 4761.088909] PKRU: 55555554
[ 4761.091620] Call Trace:
[ 4761.094074]
[ 4761.096180] ? __die+0x1f/0x70
[ 4761.099238] ? page_fault_oops+0x171/0x4f0
[ 4761.103340] ? exc_page_fault+0x7b/0x180
[ 4761.107265] ? asm_exc_page_fault+0x22/0x30
[ 4761.111460] ? memcpy_orig+0xc5/0x130
[ 4761.115126] vduse_vdpa_set_vq_affinity+0x3e/0x50 [vduse]
[ 4761.120533] virtnet_clean_affinity.part.0+0x3d/0x90 [virtio_net]
[ 4761.126635] remove_vq_common+0x1a4/0x250 [virtio_net]
[ 4761.131781] virtnet_remove+0x5d/0x70 [virtio_net]
[ 4761.136580] virtio_dev_remove+0x3a/0x90
[ 4761.140509] device_release_driver_internal+0x19b/0x200
[ 4761.145742] bus_remove_device+0xc2/0x130
[ 4761.149755] device_del+0x158/0x3e0
[ 4761.153245] ? kernfs_find_ns+0x35/0xc0
[ 4761.157086] device_unregister+0x13/0x60
[ 4761.161010] unregister_virtio_device+0x11/0x20
[ 4761.165543] device_release_driver_internal+0x19b/0x200
[ 4761.170770] bus_remove_device+0xc2/0x130
[ 4761.174782] device_del+0x158/0x3e0
[ 4761.178276] ? __pfx_vdpa_name_match+0x10/0x10 [vdpa]
[ 4761.183336] device_unregister+0x13/0x60
[ 4761.187260] vdpa_nl_cmd_dev_del_set_doit+0x63/0xe0 [vdpa]

Fixes: 28f6288eb63d ("vduse: Support set_vq_affinity callback")
Cc: xieyongji@bytedance.com
Signed-off-by: Maxime Coquelin
--- drivers/vdpa/vdpa_user/vduse_dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/vdpa/vdpa_user/vduse_dev.c b/drivers/vdpa/vdpa_user/vduse_dev.c index 5f5c21674fdc..cdca94e85762 100644 --- a/drivers/vdpa/vdpa_user/vduse_dev.c +++ b/drivers/vdpa/vdpa_user/vduse_dev.c @@ -726,7 +726,11 @@ static int vduse_vdpa_set_vq_affinity(struct vdpa_device *vdpa, u16 idx, { struct vduse_dev *dev = vdpa_to_vduse(vdpa); - cpumask_copy(&dev->vqs[idx]->irq_affinity, cpu_mask); + if (cpu_mask) + cpumask_copy(&dev->vqs[idx]->irq_affinity, cpu_mask); + else + cpumask_clear(&dev->vqs[idx]->irq_affinity); + return 0; } -- 2.40.1
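
Review bot: in the else branch, cpumask_clear() leaves irq_affinity as an empty mask, and nothing in this hunk shows that readers of dev->vqs[idx]->irq_affinity cope with a mask that has no CPU set. Please confirm that an empty mask is the intended "no affinity" state and that it matches what the field holds when the virtqueue is first set up; if the unset state is meant to be "any CPU", cpumask_setall(&dev->vqs[idx]->irq_affinity) would be the reset to use here instead. A short comment above the if stating that a NULL cpu_mask means the caller is dropping its affinity hint (the virtnet_clean_affinity path in the trace) would also document the contract for other callers of this op.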