Message-ID: <CAK8P3a3B373YcmZncnE-wJz12B+3A5QC9CUrDd72qSw+65MwQg@mail.gmail.com>
Date:   Mon, 23 Mar 2020 10:16:50 +0100
From:   Arnd Bergmann <arnd@...db.de>
To:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:     Xiyu Yang <xiyuyang19@...an.edu.cn>,
        Alexios Zavras <alexios.zavras@...el.com>,
        Allison Randal <allison@...utok.net>,
        Adit Ranadive <aditr@...are.com>,
        Jorgen Hansen <jhansen@...are.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Vishnu DASA <vdasa@...are.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        yuanxzhang@...an.edu.cn, kjlu@....edu,
        Xin Tan <tanxin.ctf@...il.com>
Subject: Re: [PATCH v2] VMCI: Fix NULL pointer dereference on context ptr

On Mon, Mar 23, 2020 at 9:52 AM Greg Kroah-Hartman
<gregkh@...uxfoundation.org> wrote:
>
> On Mon, Mar 23, 2020 at 04:22:33PM +0800, Xiyu Yang wrote:
> > A NULL vmci_ctx object may pass to vmci_ctx_put() from its callers.
>
> Are you sure this can happen?
>
> > Add a NULL check to prevent NULL pointer dereference.

It looks like this could happen if vmci_ctx_get() returns NULL, which is
not checked for consistently. Maybe add better error handling to the
callers that currently don't check for that, to catch problems such as

void vmci_ctx_rcv_notifications_release(...)
{
        struct vmci_ctx *context = vmci_ctx_get(context_id); /* may be NULL */
       ...
       context->pending_doorbell_array = db_handle_array;
       ...
       vmci_ctx_put(context);
}

Checking only in vmci_ctx_put() is too late.

     Arnd

Powered by blists - more mailing lists