[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path

To: Luca Fancellu <luca.fancellu@xxxxxxx>
From: Juergen Gross <jgross@xxxxxxxx>
Date: Fri, 23 Apr 2021 09:00:26 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, stable@xxxxxxxxxxxxxxx, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 23 Apr 2021 07:00:32 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 23.04.21 08:55, Luca Fancellu wrote:

On 23 Apr 2021, at 06:40, Juergen Gross <jgross@xxxxxxxx> wrote:

Commit d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert")
introduced an error in gntdev_mmap(): in case the call of
mmu_interval_notifier_insert_locked() fails the exit path should not
call mmu_interval_notifier_remove(), as this might result in NULL
dereferences.

One reason for failure is e.g. a signal pending for the running
process.

Fixes: d3eeb1d77c5d0af ("xen/gntdev: use mmu_interval_notifier_insert")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Tested-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Juergen Gross <jgross@xxxxxxxx>
---
drivers/xen/gntdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c
index f01d58c7a042..a3e7be96527d 100644
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -1017,8 +1017,10 @@ static int gntdev_mmap(struct file *flip, struct 
vm_area_struct *vma)
                err = mmu_interval_notifier_insert_locked(
                        &map->notifier, vma->vm_mm, vma->vm_start,
                        vma->vm_end - vma->vm_start, &gntdev_mmu_ops);
-               if (err)
+               if (err) {
+                       map->vma = NULL;
                        goto out_unlock_put;
+               }
        }
        mutex_unlock(&priv->lock);

--
2.26.2


Hi Juergen,

I can see from the code that there is another path to out_unlock_put label some 
lines before:

         […]
         vma->vm_private_data = map;
        if (map->flags) {
                if ((vma->vm_flags & VM_WRITE) &&
                                (map->flags & GNTMAP_readonly))
                        goto out_unlock_put;
        } else {
                map->flags = GNTMAP_host_map;
                if (!(vma->vm_flags & VM_WRITE))
                        map->flags |= GNTMAP_readonly;
        }
         […]

Can be the case that use_ptemod is != 0 also for that path?


map->vma will be NULL in this case, so there will be no problem
resulting from that path.


Juergen

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: application/pgp-keys

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Follow-Ups:
- Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
  - From: Luca Fancellu

References:
- [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
  - From: Juergen Gross
- Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
  - From: Luca Fancellu

Prev by Date: Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
Next by Date: [qemu-mainline test] 161388: regressions - FAIL
Previous by thread: Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
Next by thread: Re: [PATCH] xen/gntdev: fix gntdev_mmap() error exit path
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.