Xen project Mailing List

Re: [POSSIBLE BUG] Dereferencing of NULL pointer

To: Rustam Subkhankulov <subkhankulov@xxxxxxxxx>

Date: Wed, 24 Aug 2022 15:59:44 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+gyS8vcRNt2Q2fHYVTJKCjJ6wmddKHar1KBJzE7SeP4=; b=EADJFdKeYfh27prNSXXzySymhHtDxc9J+Uu02nauGKUcCnuOhoAaZuOakNsCQIhnpf+OVe6+f8HuBpQyRVKj4nW6wCHoWCHI2kdc5dGHFamsyWPJrGv8l/7xlEHDkATTYqRJ25S7DHMc1gvTU3lXWXDA6kTDNP833o4TRJco+eFwp6V+Q1A1FAjtHW9GC8Y5XibvATOmVHVLb/4wG+zddL48E8S1uuHbf+71gWhQcgnxibV4bAr/72pznFyNvHLSl3nkmNvFrrp0OiFh1GIntVBok3gvL/jFzRAQYRCGsL+254v7nlVaxyOdfnlwH5j101R0VVUCdlKHKDpvh02tFQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=W6j4DEEBKGQBwjMUWhsCme0JAusCufS1yI4MIwc3Rr5ynugbP31vTmr40/+qXVDHGnN/HZMmDsK8lJz4P8TLCSZdNtZHdynLtA2iIaBe2k8pTXJDyFi/VQCY/9GRBpiblRDUvAfYnLYmmqjxmIUwdvSVRr4sdZJEQm0fde1BoNYOL6JK7X4gP4EQ/wyfYpCu5qrrgIH3wbt0yGldbHVG4WlcqBowvot/lAgr9K2opRxVNlqtvBZom4+oC1UvXXf0bXrS7OFsnzo9rcO4dPhr9J/Ogsay6ZCQAyzdYc69VJPZp3elRyKvPiMFz5hjinJRAzMI6luRJ7tmjUoFHM45zA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Oleksandr Tyshchenko <oleksandr_tyshchenko@xxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, Alexey Khoroshilov <khoroshilov@xxxxxxxxx>, ldv-project@xxxxxxxxxxxxxxxx, Juergen Gross <jgross@xxxxxxxx>

Delivery-date: Wed, 24 Aug 2022 13:59:52 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 20.08.2022 19:30, Rustam Subkhankulov wrote: > Version: 6.0-rc1 > > Description: > > In function 'privcmd_ioctl_dm_op' (drivers/xen/privcmd.c: 615)return > value of 'kcalloc' with GFP_KERNEL flag is assigned to "pages" > variable. GFP_KERNEL flag does not guarantee, that the return value > will not be NULL. In that case, there is a jump to the "out" label. The problem is wider than that, because earlier errors would also lead to "out" (e.g. after copy_from_user() failed). Plus I guess unlock_pages() shouldn't be called at all (or with its 2nd arg set to zero) before lock_pages() was actually called. But I agree with the further analysis below. Would you mind sending a patch? Jan > --------------------------------------------------------------------- > 667 pages = kcalloc(nr_pages, sizeof(*pages), GFP_KERNEL); > 668 if (!pages) { > 669 rc = -ENOMEM; > 670 goto out; > 671 } > --------------------------------------------------------------------- > > Variable 'pages' is passed to function 'unpin_user_pages_dirty_lock' as > 1st parameter at [drivers/xen/privcmd.c: 695]. > > --------------------------------------------------------------------- > 694 out: > 695 unlock_pages(pages, nr_pages); > --------------------------------------------------------------------- > > Then, variable 'pages' is passed to function > 'unpin_user_pages_dirty_lock' as 1st parameter at > [drivers/xen/privcmd.c: 612]. > > --------------------------------------------------------------------- > 610 static void unlock_pages(struct page *pages[], unsigned int > nr_pages) > 611 { > 612 unpin_user_pages_dirty_lock(pages, nr_pages, true); > 613 } > --------------------------------------------------------------------- > > 'pages' and 'npages' are passed as parameters to function > 'sanity_check_pinned_pages' at [mm/gup.c: 311]. > > --------------------------------------------------------------------- > 299 void unpin_user_pages_dirty_lock(struct page **pages, unsigned > long npages, > 300 bool make_dirty) > 301 { > 302 unsigned long i; > 303 struct folio *folio; > 304 unsigned int nr; > 305 > 306 if (!make_dirty) { > 307 unpin_user_pages(pages, npages); > 308 return; > 309 } > 310 > 311 sanity_check_pinned_pages(pages, npages); > --------------------------------------------------------------------- > > In function 'sanity_check_pinned_pages', if > (IS_ENABLED(CONFIG_DEBUG_VM)) and (npages > 0), NULL pointer 'pages' is > dereferenced at [mm/gup.c: 51]. > > --------------------------------------------------------------------- > 32 static inline void sanity_check_pinned_pages(struct page > **pages, > 33 unsigned long > npages) > 34 { > 35 if (!IS_ENABLED(CONFIG_DEBUG_VM)) > 36 return; > .. > 50 for (; npages; npages--, pages++) { > 51 struct page *page = *pages; > ^^^^^^ > ^ > --------------------------------------------------------------------- > > Else if (!IS_ENABLED(CONFIG_DEBUG_VM)) and (npages > 0) function > 'gup_folio_next' is called with 'pages' and 'npages' as parameters at > [mm/gup.c: 311]. > > --------------------------------------------------------------------- > 312 for (i = 0; i < npages; i += nr) { > 313 folio = gup_folio_next(pages, npages, i, &nr); > --------------------------------------------------------------------- > > In function 'gup_folio_next' NULL pointer 'list' is dereferenced at > [mm/gup.c: 263]. > > --------------------------------------------------------------------- > 262 static inline struct folio *gup_folio_next(struct page **list, > 263 unsigned long npages, unsigned long i, > unsigned int *ntails) > 264 { > 265 struct folio *folio = page_folio(list[i]); > > ^^^^^^^^^ > --------------------------------------------------------------------- > >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.