* [PATCH -next] vfio/pci: fix a null-ptr-deref in vfio_config_free()
@ 2020-05-22  1:18 Qian Cai
From: Qian Cai @ 2020-05-22  1:18 UTC (permalink / raw)
  To: alex.williamson; +Cc: cohuck, kvm, linux-kernel, Qian Cai

It is possible vfio_config_init() does not call vfio_cap_len(), and then
vdev->msi_perm == NULL. Later, in vfio_config_free(), it could trigger a
null-ptr-deref.

 BUG: kernel NULL pointer dereference, address: 0000000000000000
 RIP: 0010:vfio_config_free+0x7a/0xe0 [vfio_pci]
 vfio_config_free+0x7a/0xe0:
 free_perm_bits at drivers/vfio/pci/vfio_pci_config.c:340
 (inlined by) vfio_config_free at drivers/vfio/pci/vfio_pci_config.c:1760
 Call Trace:
  vfio_pci_release+0x3a4/0x9e0 [vfio_pci]
  vfio_device_fops_release+0x50/0x80 [vfio]
  __fput+0x200/0x460
  ____fput+0xe/0x10
  task_work_run+0x127/0x1b0
  do_exit+0x782/0x10d0
  do_group_exit+0xc7/0x1c0
  __x64_sys_exit_group+0x2c/0x30
  do_syscall_64+0x64/0x350
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: bea890bdb161 ("vfio/pci: fix memory leaks in alloc_perm_bits()")
Signed-off-by: Qian Cai <cai@lca.pw>
---
 drivers/vfio/pci/vfio_pci_config.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index d127a0c50940..8746c943247a 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1757,9 +1757,11 @@ void vfio_config_free(struct vfio_pci_device *vdev)
 	vdev->vconfig = NULL;
 	kfree(vdev->pci_config_map);
 	vdev->pci_config_map = NULL;
-	free_perm_bits(vdev->msi_perm);
-	kfree(vdev->msi_perm);
-	vdev->msi_perm = NULL;
+	if (vdev->msi_perm) {
+		free_perm_bits(vdev->msi_perm);
+		kfree(vdev->msi_perm);
+		vdev->msi_perm = NULL;
+	}
 }
 
 /*
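Review bot: kfree(NULL) is already a no-op, so the guard added in this hunk is only needed for free_perm_bits(vdev->msi_perm), which is the call that dereferences the NULL pointer at vfio_pci_config.c:340 in the trace; making free_perm_bits() itself return early on a NULL argument (the same contract kfree() offers) would cover any other teardown path that reaches it with an unallocated msi_perm and would let these three lines stay unconditional. Either way, the commit message should name the path through vfio_config_init() that returns before vfio_cap_len() allocates msi_perm, so the origin of the NULL is recorded alongside the Fixes: tag.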
-- 
2.17.2 (Apple Git-113)



* Re: [PATCH -next] vfio/pci: fix a null-ptr-deref in vfio_config_free()
@ 2020-05-26 16:21 ` Alex Williamson
From: Alex Williamson @ 2020-05-26 16:21 UTC (permalink / raw)
  To: Qian Cai; +Cc: cohuck, kvm, linux-kernel

On Thu, 21 May 2020 21:18:29 -0400
Qian Cai <cai@lca.pw> wrote:

> It is possible vfio_config_init() does not call vfio_cap_len(), and then
> vdev->msi_perm == NULL. Later, in vfio_config_free(), it could trigger a
> null-ptr-deref.
> 
>  BUG: kernel NULL pointer dereference, address: 0000000000000000
>  RIP: 0010:vfio_config_free+0x7a/0xe0 [vfio_pci]
>  vfio_config_free+0x7a/0xe0:
>  free_perm_bits at drivers/vfio/pci/vfio_pci_config.c:340
>  (inlined by) vfio_config_free at drivers/vfio/pci/vfio_pci_config.c:1760
>  Call Trace:
>   vfio_pci_release+0x3a4/0x9e0 [vfio_pci]
>   vfio_device_fops_release+0x50/0x80 [vfio]
>   __fput+0x200/0x460
>   ____fput+0xe/0x10
>   task_work_run+0x127/0x1b0
>   do_exit+0x782/0x10d0
>   do_group_exit+0xc7/0x1c0
>   __x64_sys_exit_group+0x2c/0x30
>   do_syscall_64+0x64/0x350
>   entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Fixes: bea890bdb161 ("vfio/pci: fix memory leaks in alloc_perm_bits()")
> Signed-off-by: Qian Cai <cai@lca.pw>
> ---
>  drivers/vfio/pci/vfio_pci_config.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)

I may get yelled at for it, but I need to break my next branch to fix
the lockdep issue you noted in my series, so I'm going to go ahead and
roll this into your previous patch.  Thanks,

Alex
 
> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
> index d127a0c50940..8746c943247a 100644
> --- a/drivers/vfio/pci/vfio_pci_config.c
> +++ b/drivers/vfio/pci/vfio_pci_config.c
> @@ -1757,9 +1757,11 @@ void vfio_config_free(struct vfio_pci_device *vdev)
>  	vdev->vconfig = NULL;
>  	kfree(vdev->pci_config_map);
>  	vdev->pci_config_map = NULL;
> -	free_perm_bits(vdev->msi_perm);
> -	kfree(vdev->msi_perm);
> -	vdev->msi_perm = NULL;
> +	if (vdev->msi_perm) {
> +		free_perm_bits(vdev->msi_perm);
> +		kfree(vdev->msi_perm);
> +		vdev->msi_perm = NULL;
> +	}
>  }
>  
>  /*


