[PATCH] x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()

[PATCH] x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()

[Thomas Gleixner]

Subject: x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()
From: Thomas Gleixner <tglx@linutronix.de>
Date: Fri, 18 Mar 2016 08:35:29 +0100

The topology_core_cpumask is used to find a neighbour cpu in
calibrate_delay_is_known(). It might not be allocated at the first invocation
of that function on the boot cpu, when CONFIG_CPUMASK_OFFSTACK is set.

The mask is allocated later in native_smp_prepare_cpus. As a consequence the
underlying find_next_bit() call dereferences a NULL pointer.

Add a proper check to prevent this.

Reported-by: Richard W.M. Jones <rjones@redhat.com>
Fixes: c25323c07345 "x86/tsc: Use topology functions"
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
---
 arch/x86/kernel/tsc.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -1306,11 +1306,15 @@ void __init tsc_init(void)
 unsigned long calibrate_delay_is_known(void)
 {
 	int sibling, cpu = smp_processor_id();
+	struct cpumask *mask = topology_core_cpumask(cpu);
 
 	if (!tsc_disabled && !cpu_has(&cpu_data(cpu), X86_FEATURE_CONSTANT_TSC))
 		return 0;
 
-	sibling = cpumask_any_but(topology_core_cpumask(cpu), cpu);
+	if (!mask)
+		return 0;
+
+	sibling = cpumask_any_but(mask, cpu);
 	if (sibling < nr_cpu_ids)
 		return cpu_data(sibling).loops_per_jiffy;
 	return 0;

Re: [PATCH] x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()

[Richard W.M. Jones]

On Fri, Mar 18, 2016 at 08:48:06AM +0100, Thomas Gleixner wrote:
> Subject: x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()
> From: Thomas Gleixner <tglx@linutronix.de>
> Date: Fri, 18 Mar 2016 08:35:29 +0100
> 
> The topology_core_cpumask is used to find a neighbour cpu in
> calibrate_delay_is_known(). It might not be allocated at the first invocation
> of that function on the boot cpu, when CONFIG_CPUMASK_OFFSTACK is set.
> 
> The mask is allocated later in native_smp_prepare_cpus. As a consequence the
> underlying find_next_bit() call dereferences a NULL pointer.
> 
> Add a proper check to prevent this.
> 
> Reported-by: Richard W.M. Jones <rjones@redhat.com>
> Fixes: c25323c07345 "x86/tsc: Use topology functions"
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: Josh Boyer <jwboyer@fedoraproject.org>

I have tested the current upstream kernel (9dffdb38d) and was able to
reproduce the bug.  I then added this patch on top and it fixes the
problem for me.  Therefore:

Tested-by: Richard W.M. Jones <rjones@redhat.com>

Thanks, Rich.

> ---
>  arch/x86/kernel/tsc.c |    6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> --- a/arch/x86/kernel/tsc.c
> +++ b/arch/x86/kernel/tsc.c
> @@ -1306,11 +1306,15 @@ void __init tsc_init(void)
>  unsigned long calibrate_delay_is_known(void)
>  {
>  	int sibling, cpu = smp_processor_id();
> +	struct cpumask *mask = topology_core_cpumask(cpu);
>  
>  	if (!tsc_disabled && !cpu_has(&cpu_data(cpu), X86_FEATURE_CONSTANT_TSC))
>  		return 0;
>  
> -	sibling = cpumask_any_but(topology_core_cpumask(cpu), cpu);
> +	if (!mask)
> +		return 0;
> +
> +	sibling = cpumask_any_but(mask, cpu);
>  	if (sibling < nr_cpu_ids)
>  		return cpu_data(sibling).loops_per_jiffy;
>  	return 0;

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html

[tip:x86/urgent] x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()

[tip-bot for Thomas Gleixner]

Commit-ID:  f508a5ba7a4570418df6cfd68fe663ffdef2be63
Gitweb:     http://git.kernel.org/tip/f508a5ba7a4570418df6cfd68fe663ffdef2be63
Author:     Thomas Gleixner <tglx@linutronix.de>
AuthorDate: Fri, 18 Mar 2016 08:35:29 +0100
Committer:  Thomas Gleixner <tglx@linutronix.de>
CommitDate: Fri, 18 Mar 2016 14:51:06 +0100

x86/tsc: Prevent NULL pointer deref in calibrate_delay_is_known()

The topology_core_cpumask is used to find a neighbour cpu in
calibrate_delay_is_known(). It might not be allocated at the first invocation
of that function on the boot cpu, when CONFIG_CPUMASK_OFFSTACK is set.

The mask is allocated later in native_smp_prepare_cpus. As a consequence the
underlying find_next_bit() call dereferences a NULL pointer.

Add a proper check to prevent this.

Fixes: c25323c07345 "x86/tsc: Use topology functions"
Reported-and-tested-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603180843270.3978@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

---
 arch/x86/kernel/tsc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
index 5e19d25..c9c4c7c 100644
--- a/arch/x86/kernel/tsc.c
+++ b/arch/x86/kernel/tsc.c
@@ -1306,11 +1306,15 @@ void __init tsc_init(void)
 unsigned long calibrate_delay_is_known(void)
 {
 	int sibling, cpu = smp_processor_id();
+	struct cpumask *mask = topology_core_cpumask(cpu);
 
 	if (!tsc_disabled && !cpu_has(&cpu_data(cpu), X86_FEATURE_CONSTANT_TSC))
 		return 0;
 
-	sibling = cpumask_any_but(topology_core_cpumask(cpu), cpu);
+	if (!mask)
+		return 0;
+
+	sibling = cpumask_any_but(mask, cpu);
 	if (sibling < nr_cpu_ids)
 		return cpu_data(sibling).loops_per_jiffy;
 	return 0;