| Message ID | 20200522011829.17301-1-cai@lca.pw (mailing list archive) |
|---|---|
| State | New, archived |
| Series | [-next] vfio/pci: fix a null-ptr-deref in vfio_config_free() |
On Thu, 21 May 2020 21:18:29 -0400 Qian Cai <cai@lca.pw> wrote: > It is possible vfio_config_init() does not call vfio_cap_len(), and then > vdev->msi_perm == NULL. Later, in vfio_config_free(), it could trigger a > null-ptr-deref. > > BUG: kernel NULL pointer dereference, address: 0000000000000000 > RIP: 0010:vfio_config_free+0x7a/0xe0 [vfio_pci] > vfio_config_free+0x7a/0xe0: > free_perm_bits at drivers/vfio/pci/vfio_pci_config.c:340 > (inlined by) vfio_config_free at drivers/vfio/pci/vfio_pci_config.c:1760 > Call Trace: > vfio_pci_release+0x3a4/0x9e0 [vfio_pci] > vfio_device_fops_release+0x50/0x80 [vfio] > __fput+0x200/0x460 > ____fput+0xe/0x10 > task_work_run+0x127/0x1b0 > do_exit+0x782/0x10d0 > do_group_exit+0xc7/0x1c0 > __x64_sys_exit_group+0x2c/0x30 > do_syscall_64+0x64/0x350 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > Fixes: bea890bdb161 ("vfio/pci: fix memory leaks in alloc_perm_bits()") > Signed-off-by: Qian Cai <cai@lca.pw> > --- > drivers/vfio/pci/vfio_pci_config.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) I may get yelled at for it, but I need to break my next branch to fix the lockdep issue you noted in my series, so I'm going to go ahead and roll this into your previous patch. Thanks, Alex > diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c > index d127a0c50940..8746c943247a 100644 > --- a/drivers/vfio/pci/vfio_pci_config.c > +++ b/drivers/vfio/pci/vfio_pci_config.c > @@ -1757,9 +1757,11 @@ void vfio_config_free(struct vfio_pci_device *vdev) > vdev->vconfig = NULL; > kfree(vdev->pci_config_map); > vdev->pci_config_map = NULL; > - free_perm_bits(vdev->msi_perm); > - kfree(vdev->msi_perm); > - vdev->msi_perm = NULL; > + if (vdev->msi_perm) { > + free_perm_bits(vdev->msi_perm); > + kfree(vdev->msi_perm); > + vdev->msi_perm = NULL; > + } > } > > /*
diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c index d127a0c50940..8746c943247a 100644 --- a/drivers/vfio/pci/vfio_pci_config.c +++ b/drivers/vfio/pci/vfio_pci_config.c @@ -1757,9 +1757,11 @@ void vfio_config_free(struct vfio_pci_device *vdev) vdev->vconfig = NULL; kfree(vdev->pci_config_map); vdev->pci_config_map = NULL; - free_perm_bits(vdev->msi_perm); - kfree(vdev->msi_perm); - vdev->msi_perm = NULL; + if (vdev->msi_perm) { + free_perm_bits(vdev->msi_perm); + kfree(vdev->msi_perm); + vdev->msi_perm = NULL; + } } /*
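Review bot: the new guard in the vfio_config_free() hunk is only needed for free_perm_bits(), which the trace shows dereferencing its argument at vfio_pci_config.c:340; kfree(NULL) is already a no-op, as the unguarded kfree(vdev->vconfig) / kfree(vdev->pci_config_map) lines above it rely on. An alternative that keeps vfio_config_free() symmetric with those lines is to make free_perm_bits() itself return early on a NULL pointer, so every caller gets the same protection rather than only this one. Either way, the commit message should say in one line when vfio_config_init() skips vfio_cap_len() (the condition that leaves vdev->msi_perm NULL), since that is the case the guard exists for and the reader of the Fixes: reference otherwise has to reconstruct it.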
It is possible vfio_config_init() does not call vfio_cap_len(), and then
vdev->msi_perm == NULL. Later, in vfio_config_free(), it could trigger a
null-ptr-deref.

BUG: kernel NULL pointer dereference, address: 0000000000000000
RIP: 0010:vfio_config_free+0x7a/0xe0 [vfio_pci]
vfio_config_free+0x7a/0xe0:
free_perm_bits at drivers/vfio/pci/vfio_pci_config.c:340
(inlined by) vfio_config_free at drivers/vfio/pci/vfio_pci_config.c:1760
Call Trace:
vfio_pci_release+0x3a4/0x9e0 [vfio_pci]
vfio_device_fops_release+0x50/0x80 [vfio]
__fput+0x200/0x460
____fput+0xe/0x10
task_work_run+0x127/0x1b0
do_exit+0x782/0x10d0
do_group_exit+0xc7/0x1c0
__x64_sys_exit_group+0x2c/0x30
do_syscall_64+0x64/0x350
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: bea890bdb161 ("vfio/pci: fix memory leaks in alloc_perm_bits()")
Signed-off-by: Qian Cai <cai@lca.pw>
---
drivers/vfio/pci/vfio_pci_config.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)