Message-Id: <20190307163606.25212-1-mgamal@redhat.com>
Date: Thu, 7 Mar 2019 18:36:06 +0200
From: Mohammed Gamal <mgamal@...hat.com>
To: linux-hyperv@...r.kernel.org, mikelley@...rosoft.com,
kimbrownkd@...il.com
Cc: Alexander.Levin@...rosoft.com, decui@...rosoft.com,
sthemmin@...rosoft.com, longli@...rosoft.com, kys@...rosoft.com,
haiyangz@...rosoft.com, vkuznets@...hat.com,
linux-kernel@...r.kernel.org, Mohammed Gamal <mgamal@...hat.com>
Subject: [PATCH] hyper-v: Check for ring buffer in hv_get_bytes_to_read/write

This patch adds a check for the presence of the ring buffer in
hv_get_bytes_to_read/write() to avoid possible NULL pointer dereferences.
If the ring buffer is not yet allocated, return 0 bytes to be read/written.

The root cause is that code that accesses the ring buffer including
hv_get_bytes_to_read/write() could be vulnerable to the race condition
discussed in https://lkml.org/lkml/2018/10/18/779

This race is being addressed by the patch series by Kimberly Brown in
https://lkml.org/lkml/2019/2/21/1236 which is not final yet

Signed-off-by: Mohammed Gamal <mgamal@...hat.com>
---
include/linux/hyperv.h | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
index 64698ec8f2ac..7b2f566250b2 100644
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -148,6 +148,9 @@ static inline u32 hv_get_bytes_to_read(const struct hv_ring_buffer_info *rbi)
{
u32 read_loc, write_loc, dsize, read;
+ if (!rbi->ring_buffer)
+ return 0;
+
dsize = rbi->ring_datasize;
read_loc = rbi->ring_buffer->read_index;
write_loc = READ_ONCE(rbi->ring_buffer->write_index);
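Review bot: The new check in hv_get_bytes_to_read() tests rbi->ring_buffer once, but the two lines after it load rbi->ring_buffer again for read_index and write_index, so the check and the dereferences are separate reads of the same pointer. Since the commit message names a race as the root cause, the pointer can still change between "if (!rbi->ring_buffer)" and "read_loc = rbi->ring_buffer->read_index;", which narrows the window without closing it. Consider reading the pointer once into a local (with READ_ONCE) and using that local for both the NULL test and the index loads, and add a short comment stating that this is a stopgap until the referenced series lands.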
@@ -162,6 +165,9 @@ static inline u32 hv_get_bytes_to_write(const struct hv_ring_buffer_info *rbi)
{
u32 read_loc, write_loc, dsize, write;
+ if (!rbi->ring_buffer)
+ return 0;
+
dsize = rbi->ring_datasize;
read_loc = READ_ONCE(rbi->ring_buffer->read_index);
write_loc = rbi->ring_buffer->write_index;
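Review bot: Returning 0 from hv_get_bytes_to_write() when rbi->ring_buffer is NULL gives the caller the same value it would get for a ring with no free space, so a missing ring buffer cannot be told apart from a full one. Please add a comment above "if (!rbi->ring_buffer)" documenting that 0 also means "ring buffer not allocated". The same three lines are now duplicated in both helpers; a small shared inline helper would keep the two checks in sync if the condition changes later.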
--
2.18.1