* [PATCH] x86/resctrl: Prevent NULL pointer dereference when reading mondata
@ 2019-10-29 5:25 Xiaochen Shen
2019-11-03 17:12 ` [tip: x86/urgent] " tip-bot2 for Xiaochen Shen
0 siblings, 1 reply; 2+ messages in thread
From: Xiaochen Shen @ 2019-10-29 5:25 UTC (permalink / raw)
To: tglx, mingo, bp, hpa, tony.luck, fenghua.yu, reinette.chatre
Cc: x86, linux-kernel, pei.p.jia, xiaochen.shen
When a mon group is being deleted, rdtgrp->flags is set to RDT_DELETED
in rdtgroup_rmdir_mon() firstly. The structure of rdtgrp will be freed
until rdtgrp->waitcount is dropped to 0 in rdtgroup_kn_unlock() later.
During the window of deleting a mon group, if an application calls
rdtgroup_mondata_show() to read mondata under this mon group,
'rdtgrp' returned from rdtgroup_kn_lock_live() is a NULL pointer when
rdtgrp->flags is RDT_DELETED. And then 'rdtgrp' is passed in this path:
rdtgroup_mondata_show() --> mon_event_read() --> mon_event_count().
Thus it results in NULL pointer dereference in mon_event_count().
Add checking of 'rdtgrp' in rdtgroup_mondata_show(), and return -ENOENT
immediately when reading mondata during the window of deleting a mon
group.
Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data")
Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
---
arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
index efbd54cc4e69..055c8613b531 100644
--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
@@ -522,6 +522,10 @@ int rdtgroup_mondata_show(struct seq_file *m, void *arg)
int ret = 0;
rdtgrp = rdtgroup_kn_lock_live(of->kn);
+ if (!rdtgrp) {
+ ret = -ENOENT;
+ goto out;
+ }
md.priv = of->kn->priv;
resid = md.u.rid;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 2+ messages in thread* [tip: x86/urgent] x86/resctrl: Prevent NULL pointer dereference when reading mondata
2019-10-29 5:25 [PATCH] x86/resctrl: Prevent NULL pointer dereference when reading mondata Xiaochen Shen
@ 2019-11-03 17:12 ` tip-bot2 for Xiaochen Shen
0 siblings, 0 replies; 2+ messages in thread
From: tip-bot2 for Xiaochen Shen @ 2019-11-03 17:12 UTC (permalink / raw)
To: linux-tip-commits
Cc: Xiaochen Shen, Borislav Petkov, Fenghua Yu, Tony Luck,
H. Peter Anvin, Ingo Molnar, pei.p.jia, Reinette Chatre,
Thomas Gleixner, x86-ml, Ingo Molnar, Borislav Petkov,
linux-kernel
The following commit has been merged into the x86/urgent branch of tip:
Commit-ID: 26467b0f8407cbd628fa5b7bcfd156e772004155
Gitweb: https://git.kernel.org/tip/26467b0f8407cbd628fa5b7bcfd156e772004155
Author: Xiaochen Shen <xiaochen.shen@intel.com>
AuthorDate: Tue, 29 Oct 2019 13:25:02 +08:00
Committer: Borislav Petkov <bp@suse.de>
CommitterDate: Sun, 03 Nov 2019 17:51:22 +01:00
x86/resctrl: Prevent NULL pointer dereference when reading mondata
When a mon group is being deleted, rdtgrp->flags is set to RDT_DELETED
in rdtgroup_rmdir_mon() firstly. The structure of rdtgrp will be freed
until rdtgrp->waitcount is dropped to 0 in rdtgroup_kn_unlock() later.
During the window of deleting a mon group, if an application calls
rdtgroup_mondata_show() to read mondata under this mon group,
'rdtgrp' returned from rdtgroup_kn_lock_live() is a NULL pointer when
rdtgrp->flags is RDT_DELETED. And then 'rdtgrp' is passed in this path:
rdtgroup_mondata_show() --> mon_event_read() --> mon_event_count().
Thus it results in NULL pointer dereference in mon_event_count().
Check 'rdtgrp' in rdtgroup_mondata_show(), and return -ENOENT
immediately when reading mondata during the window of deleting a mon
group.
Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data")
Signed-off-by: Xiaochen Shen <xiaochen.shen@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Fenghua Yu <fenghua.yu@intel.com>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: pei.p.jia@intel.com
Cc: Reinette Chatre <reinette.chatre@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/1572326702-27577-1-git-send-email-xiaochen.shen@intel.com
---
arch/x86/kernel/cpu/resctrl/ctrlmondata.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
index efbd54c..055c861 100644
--- a/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
+++ b/arch/x86/kernel/cpu/resctrl/ctrlmondata.c
@@ -522,6 +522,10 @@ int rdtgroup_mondata_show(struct seq_file *m, void *arg)
int ret = 0;
rdtgrp = rdtgroup_kn_lock_live(of->kn);
+ if (!rdtgrp) {
+ ret = -ENOENT;
+ goto out;
+ }
md.priv = of->kn->priv;
resid = md.u.rid;
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-11-03 17:13 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-29 5:25 [PATCH] x86/resctrl: Prevent NULL pointer dereference when reading mondata Xiaochen Shen
2019-11-03 17:12 ` [tip: x86/urgent] " tip-bot2 for Xiaochen Shen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.