Message ID | 20220527082236.78037-1-chenjun102@huawei.com (mailing list archive) |
---|---|
State | New, archived |
Series | arm64/smp: check !ipi_desc[i] in arch_show_interrupts |
On Fri, May 27, 2022 at 08:22:36AM +0000, Chen Jun wrote:
> There is a potential dereferencing null pointer issue in > arch_show_interrupts. > > Problem 1: > int arch_show_interrupts(struct seq_file *p, int prec) > for (i = 0; i < NR_IPI; i++) { > seq_printf(p, "%10u ", irq_desc_kstat_cpu(ipi_desc[i], > cpu)); > > Only ipi_desc[0..nr_ipi - 1] are initialized in set_smp_ipi_range. > and ipi_desc[nr_ipi..NR_IPI] are NULL. > irq_desc_kstat_cpu will dereference NULL pointer. > For now, the problem can not be triggered, because NR_IPI is always > equal to nr_ipi. > > Problem 2: > If request_percpu_irq failed in set_smp_ipi_range, ipi_desc[i] > would be NULL. > irq_desc_kstat_cpu will dereference NULL pointer. > > check !ipi_desc[i] (as arm does) to avoid the problem. > > Signed-off-by: Chen Jun <chenjun102@huawei.com> > --- > arch/arm64/kernel/smp.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c > index 62ed361a4376..3d54f464428b 100644 > --- a/arch/arm64/kernel/smp.c > +++ b/arch/arm64/kernel/smp.c > @@ -781,6 +781,9 @@ int arch_show_interrupts(struct seq_file *p, int prec) > unsigned int cpu, i; > > for (i = 0; i < NR_IPI; i++) { > + if (!ipi_desc[i]) > + continue;

Why not just use nr_ipi instead of NR_IPI?

Will

On 2022/6/9 23:20, Will Deacon wrote:
> On Fri, May 27, 2022 at 08:22:36AM +0000, Chen Jun wrote: >> There is a potential dereferencing null pointer issue in >> arch_show_interrupts. >> >> Problem 1: >> int arch_show_interrupts(struct seq_file *p, int prec) >> for (i = 0; i < NR_IPI; i++) { >> seq_printf(p, "%10u ", irq_desc_kstat_cpu(ipi_desc[i], >> cpu)); >> >> Only ipi_desc[0..nr_ipi - 1] are initialized in set_smp_ipi_range. >> and ipi_desc[nr_ipi..NR_IPI] are NULL. >> irq_desc_kstat_cpu will dereference NULL pointer. >> For now, the problem can not be triggered, because NR_IPI is always >> equal to nr_ipi. >> >> Problem 2: >> If request_percpu_irq failed in set_smp_ipi_range, ipi_desc[i] >> would be NULL. >> irq_desc_kstat_cpu will dereference NULL pointer. >> >> check !ipi_desc[i] (as arm does) to avoid the problem. >> >> Signed-off-by: Chen Jun <chenjun102@huawei.com> >> --- >> arch/arm64/kernel/smp.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c >> index 62ed361a4376..3d54f464428b 100644 >> --- a/arch/arm64/kernel/smp.c >> +++ b/arch/arm64/kernel/smp.c >> @@ -781,6 +781,9 @@ int arch_show_interrupts(struct seq_file *p, int prec) >> unsigned int cpu, i; >> >> for (i = 0; i < NR_IPI; i++) { >> + if (!ipi_desc[i]) >> + continue;
>
> Why not just use nr_ipi instead of NR_IPI?

Yes, that is what I did at first. But I noticed that:

void __init set_smp_ipi_range(int ipi_base, int n)
	for (i = 0; i < nr_ipi; i++) {
		err = request_percpu_irq(ipi_base + i, ipi_handler,
					 "IPI", &cpu_number);
		WARN_ON(err);
		ipi_desc[i] = irq_to_desc(ipi_base + i);

If request_percpu_irq returns an error, I am not sure if ipi_desc[i] makes sense.

>
> Will
>

diff --git a/arch/arm64/kernel/smp.c b/arch/arm64/kernel/smp.c index 62ed361a4376..3d54f464428b 100644 --- a/arch/arm64/kernel/smp.c +++ b/arch/arm64/kernel/smp.c @@ -781,6 +781,9 @@ int arch_show_interrupts(struct seq_file *p, int prec) unsigned int cpu, i; for (i = 0; i < NR_IPI; i++) { + if (!ipi_desc[i]) + continue; + seq_printf(p, "%*s%u:%s", prec - 1, "IPI", i, prec >= 4 ? " " : ""); for_each_online_cpu(cpu)
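
Review bot: the new `if (!ipi_desc[i]) continue;` at the top of the `for (i = 0; i < NR_IPI; i++)` loop carries no comment saying when a slot can be NULL, and the commit message's Problem 2 does not obviously follow from the code shown in the thread. In the set_smp_ipi_range excerpt quoted in the reply, `ipi_desc[i] = irq_to_desc(ipi_base + i);` runs after `WARN_ON(err)` whether or not `err` is set, so a failed request_percpu_irq does not by itself leave the slot NULL. Please state in the commit message which path actually produces a NULL entry, and consider storing the descriptor only when the request succeeds so that this check guards a real state. A one-line comment above the check would also help, since the skipped IPI row disappears from the output without any other indication.
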
There is a potential dereferencing null pointer issue in
arch_show_interrupts.

Problem 1:
int arch_show_interrupts(struct seq_file *p, int prec)
	for (i = 0; i < NR_IPI; i++) {
		seq_printf(p, "%10u ", irq_desc_kstat_cpu(ipi_desc[i],
			   cpu));

Only ipi_desc[0..nr_ipi - 1] are initialized in set_smp_ipi_range.
and ipi_desc[nr_ipi..NR_IPI] are NULL.
irq_desc_kstat_cpu will dereference NULL pointer.
For now, the problem can not be triggered, because NR_IPI is always
equal to nr_ipi.

Problem 2:
If request_percpu_irq failed in set_smp_ipi_range, ipi_desc[i]
would be NULL.
irq_desc_kstat_cpu will dereference NULL pointer.

check !ipi_desc[i] (as arm does) to avoid the problem.

Signed-off-by: Chen Jun <chenjun102@huawei.com>
---
 arch/arm64/kernel/smp.c | 3 +++
 1 file changed, 3 insertions(+)
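
An added example, not code from the patch or from the kernel: a userspace C model of the descriptor table described in the commit message, comparing the `nr_ipi` loop bound raised in review with the per-slot NULL check. `NR_IPI = 7`, `struct desc`, `model_set_range` and `model_show` are hypothetical names and values, and the model takes the commit message's assumption that a failed request leaves its slot NULL.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_IPI 7                       /* table capacity (constructed value) */

struct desc { unsigned int count; };   /* stand-in for struct irq_desc */

static struct desc pool[NR_IPI];
static struct desc *ipi_desc[NR_IPI];
static int nr_ipi;

/* Model of set_smp_ipi_range(): use the first n slots. Slot fail_at
 * (-1 for none) stays NULL, which is the commit message's assumption
 * for a failed request; slots >= n are never filled (Problem 1). */
static void model_set_range(int n, int fail_at)
{
	nr_ipi = n;
	for (int i = 0; i < NR_IPI; i++) {
		pool[i].count = 10u * (unsigned int)(i + 1);
		ipi_desc[i] = (i < n && i != fail_at) ? &pool[i] : NULL;
	}
}

/* Walk slots [0, bound). With check_null set, NULL slots are skipped as
 * in the patch. Returns how many NULL slots the loop would have
 * dereferenced (0 means safe); *rows receives the rows printed. */
static int model_show(int bound, int check_null, int *rows)
{
	int unsafe = 0;

	*rows = 0;
	for (int i = 0; i < bound; i++) {
		if (!ipi_desc[i]) {
			if (!check_null)
				unsafe++;  /* the real loop would fault here */
			continue;
		}
		printf("IPI%d: %10u\n", i, ipi_desc[i]->count);
		(*rows)++;
	}
	return unsafe;
}

int main(void)
{
	int rows;

	model_set_range(5, 2);         /* 5 of 7 slots used, slot 2 failed */
	printf("NR_IPI bound, no check: %d\n", model_show(NR_IPI, 0, &rows));
	printf("nr_ipi bound, no check: %d\n", model_show(nr_ipi, 0, &rows));
	printf("NR_IPI bound, check:    %d\n", model_show(NR_IPI, 1, &rows));
	return 0;
}
```

In this model, bounding the loop by `nr_ipi` removes the Problem 1 dereferences but still hits the failed slot, while the NULL check covers both cases.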