From: "David Hildenbrand (Arm)" <david@kernel.org>
To: "Michael Neuling" <mikey@neuling.org>,
	"Björn Töpel" <bjorn@rivosinc.com>,
	"Mike Rapoport (Microsoft)" <rppt@kernel.org>,
	"Vishal Moola (Oracle)" <vishal.moola@gmail.com>,
	"Albert Ou" <aou@eecs.berkeley.edu>,
	"Aleksa Paunovic" <aleksa.paunovic@htecgroup.com>,
	"Aleksandar Rikalo" <arikalo@gmail.com>,
	"Alexandre Ghiti" <alex@ghiti.fr>,
	"Andrew Jones" <ajones@ventanamicro.com>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Djordje Todorovic" <djordje.todorovic@htecgroup.com>,
	"Guo Ren" <guoren@kernel.org>,
	"Junhui Liu" <junhui.liu@pigmoral.tech>,
	"Kevin Brodsky" <kevin.brodsky@arm.com>,
	"Lorenzo Stoakes" <ljs@kernel.org>,
	"Nam Cao" <namcao@linutronix.de>,
	"Oleg Nesterov" <oleg@redhat.com>,
	"Oscar Salvador" <osalvador@suse.de>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	"Paul Walmsley" <pjw@kernel.org>,
	"Qinglin Pan" <panqinglin2020@iscas.ac.cn>,
	"Raj Vishwanathan4" <rvishwanathan@mips.com>,
	linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org
Subject: Re: [PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory
Date: Thu, 9 Apr 2026 14:37:59 +0200
Message-ID: <b3466f28-0d0f-4ff8-8542-e53216cf3667@kernel.org>
In-Reply-To: <20260409091143.1348853-4-mikey@neuling.org>

On 4/9/26 11:11, Michael Neuling wrote:
> find_vm_area() can return NULL if no vm_struct covers the given address.
> The code immediately dereferences area->addr without a NULL check.
> While is_vmalloc_or_module_addr() confirms the address falls within the
> vmalloc/module address range, it does not guarantee the address belongs
> to an active allocation, so find_vm_area() may still return NULL.
> 
> Add the missing NULL check.
> 
> Fixes: 311cd2f6e2 ("riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings")
> Signed-off-by: Michael Neuling <mikey@neuling.org>
> Assisted-by: Cursor:claude-4.6-opus-high-thinking
> ---
>  arch/riscv/mm/pageattr.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c
> index 3f76db3d27..46a999c86b 100644
> --- a/arch/riscv/mm/pageattr.c
> +++ b/arch/riscv/mm/pageattr.c
> @@ -289,6 +289,10 @@ static int __set_memory(unsigned long addr, int numpages, pgprot_t set_mask,
>  		int i, page_start;
>  
>  		area = find_vm_area((void *)start);
> +		if (!area) {
> +			ret = -EINVAL;
> +			goto unlock;
> +		}
>  		page_start = (start - (unsigned long)area->addr) >> PAGE_SHIFT;
>  
>  		for (i = page_start; i < page_start + numpages; ++i) {
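
Review bot: the added `if (!area)` check only validates `start`; the loop that follows, `for (i = page_start; i < page_start + numpages; ++i)`, still assumes every page of the requested range lies inside the same vm area, so a range that begins in an area but runs past `area->addr + area->size` is not caught by this hunk. Consider bounding `numpages` against the area's size here (or stating in the commit message why callers guarantee the range never crosses an area). Separately, returning a bare `-EINVAL` hides what would be a caller bug; a `WARN_ON_ONCE(!area)` on this path would make the misuse visible, which also bears on the open question of which caller actually reaches `__set_memory()` with an address that no vm area covers, since the commit message names none.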

Which caller would end up calling __set_memory() in such a way?

-- 
Cheers,

David

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
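
The distinction the commit message draws, as an added example that is not part of the thread or of the kernel source: a small userspace C model in which an address can lie inside the vmalloc window yet hit no live allocation, so the pre-patch shape of the code dereferences NULL while the guarded version returns an error. The VMALLOC_START/VMALLOC_END bounds, the area table, set_memory_pages() and the -ERANGE policy for ranges that overrun an area are all constructed for this example; the kernel's real find_vm_area() lookup and its locking are omitted.

```c
/*
 * Added userspace model of the lookup discussed above; not kernel code.
 * It shows why "inside the vmalloc window" (is_vmalloc_addr) does not
 * imply "covered by a live allocation" (find_vm_area), and what the
 * per-page loop still assumes after the NULL check. Window bounds, the
 * area table and the error policy are constructed for the example.
 */
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical vmalloc window; only a range check, like is_vmalloc_addr(). */
#define VMALLOC_START 0xffffffc000000000UL
#define VMALLOC_END   0xffffffc800000000UL

struct vm_struct {
	unsigned long addr;	/* start of the mapping */
	unsigned long size;	/* length in bytes, page aligned */
};

/* Constructed sample: two live allocations with an unmapped gap between. */
static const struct vm_struct areas[] = {
	{ VMALLOC_START + 0x10000, 4 * PAGE_SIZE },	/* pages 0..3 */
	{ VMALLOC_START + 0x40000, 2 * PAGE_SIZE },	/* pages 0..1 */
};
#define NR_AREAS (sizeof(areas) / sizeof(areas[0]))

static int is_vmalloc_addr(unsigned long addr)
{
	return addr >= VMALLOC_START && addr < VMALLOC_END;
}

/* Stand-in for find_vm_area(): NULL when no allocation covers addr. */
static const struct vm_struct *find_vm_area(unsigned long addr)
{
	size_t i;

	for (i = 0; i < NR_AREAS; i++)
		if (addr >= areas[i].addr && addr < areas[i].addr + areas[i].size)
			return &areas[i];
	return NULL;
}

/* Shape of the pre-patch code: dereferences area without checking it,
 * so it must only ever be called with an address some area covers. */
static int page_index_unchecked(unsigned long start)
{
	const struct vm_struct *area = find_vm_area(start);

	return (int)((start - area->addr) >> PAGE_SHIFT);	/* crashes if !area */
}

/*
 * Guarded version. Returns the first page index on success, -EINVAL when
 * the address is outside the window or in a gap (the check the patch
 * adds), and -ERANGE when the range runs past the end of the area, which
 * the NULL check alone does not catch (constructed policy, not the kernel's).
 */
static int set_memory_pages(unsigned long start, int numpages)
{
	const struct vm_struct *area;
	unsigned long end;
	int page_start, i;

	if (numpages <= 0 || !is_vmalloc_addr(start))
		return -EINVAL;
	area = find_vm_area(start);
	if (!area)
		return -EINVAL;
	end = start + (unsigned long)numpages * PAGE_SIZE;
	if (end > area->addr + area->size)
		return -ERANGE;
	page_start = (int)((start - area->addr) >> PAGE_SHIFT);
	for (i = page_start; i < page_start + numpages; ++i)
		;	/* per-page attribute update would go here */
	return page_start;
}

int main(void)
{
	printf("in area:  %d\n", set_memory_pages(VMALLOC_START + 0x11000, 2));
	printf("in gap:   %d\n", set_memory_pages(VMALLOC_START + 0x30000, 1));
	printf("overrun:  %d\n", set_memory_pages(VMALLOC_START + 0x13000, 2));
	printf("outside:  %d\n", set_memory_pages(0x1000, 1));
	return 0;
}
```

The gap case is the one the patch addresses: VMALLOC_START + 0x30000 passes the window check but no area covers it, so find_vm_area() returns NULL. The overrun case is the one the hunk does not cover: a start address inside an area with a numpages that reaches past its end.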

Thread overview: 38+ messages
2026-04-09  9:11 [PATCH 0/5] riscv: Assorted bug fixes Michael Neuling
2026-04-09  9:11 ` [PATCH 1/5] riscv: errata: Fix bitwise vs logical AND in MIPS errata patching Michael Neuling
2026-05-01  2:08   ` Paul Walmsley
2026-04-09  9:11 ` [PATCH 2/5] riscv: ptrace: Fix register corruption in compat_riscv_gpr_set on error Michael Neuling
2026-05-01  2:05   ` Paul Walmsley
2026-05-01  6:21     ` Michael Neuling
2026-05-01  6:23     ` [PATCH v2] riscv: Fix register corruption from uninitialized cregs " Michael Neuling
2026-05-02  3:14       ` Paul Walmsley
2026-04-09  9:11 ` [PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory Michael Neuling
2026-04-09 12:37   ` David Hildenbrand (Arm) [this message]
2026-04-10  6:23     ` Michael Neuling
2026-04-10  7:42       ` David Hildenbrand (Arm)
2026-04-10  7:53         ` Mike Rapoport
2026-04-10  7:59           ` David Hildenbrand (Arm)
2026-04-10  8:55             ` Michael Neuling
2026-04-09  9:11 ` [PATCH 4/5] riscv: mm: Fix NULL dereferences in napot hugetlb functions Michael Neuling
2026-04-09 12:36   ` David Hildenbrand (Arm)
2026-04-09  9:11 ` [PATCH 5/5] riscv: mm: Fix TOCTOU race in remove_pte_mapping Michael Neuling
2026-04-09 12:32   ` David Hildenbrand (Arm)
