public inbox for linux-kernel@vger.kernel.org
* [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd
@ 2023-02-22  7:49 Yan Zhao
  2023-02-22  9:18 ` Miko Larsson
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Yan Zhao @ 2023-02-22  7:49 UTC (permalink / raw)
  To: alex.williamson, jgg, kevin.tian; +Cc: yi.l.liu, kvm, linux-kernel, Yan Zhao

group->iommufd is not initialized for the iommufd_ctx_put()

[20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000
[20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]
...
[20018.476483] Call Trace:
[20018.479214]  <TASK>
[20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]
[20018.487586]  __x64_sys_ioctl+0x6a/0xb0
[20018.491773]  ? trace_hardirqs_on+0xc5/0xe0
[20018.496347]  do_syscall_64+0x67/0x90
[20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5

Fixes: 9eefba8002c2 ("vfio: Move vfio group specific code into group.c")
Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
---
 drivers/vfio/group.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
index 57ebe5e1a7e6..8649f85f3be4 100644
--- a/drivers/vfio/group.c
+++ b/drivers/vfio/group.c
@@ -137,7 +137,7 @@ static int vfio_group_ioctl_set_container(struct vfio_group *group,
 
 		ret = iommufd_vfio_compat_ioas_id(iommufd, &ioas_id);
 		if (ret) {
-			iommufd_ctx_put(group->iommufd);
+			iommufd_ctx_put(iommufd);
 			goto out_unlock;
 		}
 
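Review bot: in the `if (ret)` error path, `iommufd_ctx_put(group->iommufd)` releases through a member that this path of vfio_group_ioctl_set_container() has not assigned yet, so the put is handed NULL and faults (iommufd_ctx_put+0x5 in the trace above); the reference this block actually holds is the local `iommufd` that was just passed to `iommufd_vfio_compat_ioas_id(iommufd, &ioas_id)`, so `iommufd_ctx_put(iommufd)` drops the right object and also stops leaking that reference on the failure path. Worth confirming that the later error paths in the same function, after `group->iommufd` is assigned, stay consistent with this, and adding a Cc: stable tag, since the fault is reachable from the group ioctl shown in the trace.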
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread
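The following is an added example, not code from the patch or from the kernel: a small userspace model of the error path the fix corrects. A refcounted context stands in for the iommufd ctx, and a set-container routine takes a reference to it, asks for a compat IOAS id, and on failure must drop the reference it just took. The buggy variant drops it through the group member, which is only assigned after success and is still NULL; the fixed variant drops the local it acquired. All names (ctx, vgroup, ctx_get, ctx_put, compat_ioas_id, run_failing_bind) are hypothetical, and a put on NULL is recorded rather than dereferenced so the model can be checked instead of crashing.

```c
/* Added example modelling the fixed error path; not kernel code.
 * Names below are hypothetical stand-ins for the vfio/iommufd objects. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct ctx {
    int refcount;
    int compat_ioas_id;   /* -1 models "no compat IOAS available" */
};

struct vgroup {
    struct ctx *iommufd;  /* NULL until a container is bound successfully */
};

/* Number of put() calls that received NULL. In the kernel this is the
 * oops in the trace; here it is counted so the model can be verified. */
static int null_puts;

static struct ctx *ctx_get(struct ctx *c)
{
    c->refcount++;
    return c;
}

static void ctx_put(struct ctx *c)
{
    if (c == NULL) {
        null_puts++;
        return;
    }
    c->refcount--;
}

/* Stand-in for the compat IOAS lookup: fails when none is configured. */
static int compat_ioas_id(struct ctx *c, unsigned int *out)
{
    if (c->compat_ioas_id < 0)
        return -ENODEV;
    *out = (unsigned int)c->compat_ioas_id;
    return 0;
}

/* Error path as it was before the fix: releases via group->iommufd,
 * which has not been assigned on this path and is still NULL. */
static int set_container_buggy(struct vgroup *group, struct ctx *fd_ctx)
{
    struct ctx *iommufd = ctx_get(fd_ctx);   /* reference taken here */
    unsigned int ioas_id;
    int ret = compat_ioas_id(iommufd, &ioas_id);

    if (ret) {
        ctx_put(group->iommufd);   /* BUG: NULL put, local ref leaked */
        return ret;
    }
    group->iommufd = iommufd;
    return 0;
}

/* Error path after the fix: releases the local reference it acquired. */
static int set_container_fixed(struct vgroup *group, struct ctx *fd_ctx)
{
    struct ctx *iommufd = ctx_get(fd_ctx);
    unsigned int ioas_id;
    int ret = compat_ioas_id(iommufd, &ioas_id);

    if (ret) {
        ctx_put(iommufd);          /* drop exactly what was taken */
        return ret;
    }
    group->iommufd = iommufd;
    return 0;
}

struct bind_result {
    int ret;        /* return value of the variant */
    int null_puts;  /* NULL puts observed during this call */
    int leaked;     /* refcount left above its starting value */
};

/* Drive one variant against a context with no compat IOAS (constructed
 * input) so the error path runs, and report what happened. */
static struct bind_result
run_failing_bind(int (*variant)(struct vgroup *, struct ctx *))
{
    struct ctx c = { .refcount = 1, .compat_ioas_id = -1 };
    struct vgroup g = { .iommufd = NULL };
    int before = null_puts;
    struct bind_result r;

    r.ret = variant(&g, &c);
    r.null_puts = null_puts - before;
    r.leaked = c.refcount - 1;
    return r;
}

int main(void)
{
    struct bind_result b = run_failing_bind(set_container_buggy);
    struct bind_result f = run_failing_bind(set_container_fixed);

    printf("buggy: ret=%d null_puts=%d leaked=%d\n", b.ret, b.null_puts, b.leaked);
    printf("fixed: ret=%d null_puts=%d leaked=%d\n", f.ret, f.null_puts, f.leaked);
    return 0;
}
```

The buggy variant shows both defects at once: the put lands on NULL, and the reference taken on the local is never dropped. The fixed variant returns the same error but leaves the refcount where it started.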

* Re: [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd
  2023-02-22  7:49 [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd Yan Zhao
@ 2023-02-22  9:18 ` Miko Larsson
  2023-02-22  9:25 ` Liu, Yi L
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Miko Larsson @ 2023-02-22  9:18 UTC (permalink / raw)
  To: Yan Zhao, alex.williamson, jgg, kevin.tian; +Cc: yi.l.liu, kvm, linux-kernel

On Wed, 2023-02-22 at 15:49 +0800, Yan Zhao wrote:
> group->iommufd is not initialized for the iommufd_ctx_put()
> 
> [20018.331541] BUG: kernel NULL pointer dereference, address:
> 0000000000000000
> [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]
> ...
> [20018.476483] Call Trace:
> [20018.479214]  <TASK>
> [20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]
> [20018.487586]  __x64_sys_ioctl+0x6a/0xb0
> [20018.491773]  ? trace_hardirqs_on+0xc5/0xe0
> [20018.496347]  do_syscall_64+0x67/0x90
> [20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5
> 
> Fixes: 9eefba8002c2 ("vfio: Move vfio group specific code into
> group.c")
> Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
> ---
>  drivers/vfio/group.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> index 57ebe5e1a7e6..8649f85f3be4 100644
> --- a/drivers/vfio/group.c
> +++ b/drivers/vfio/group.c
> @@ -137,7 +137,7 @@ static int vfio_group_ioctl_set_container(struct
> vfio_group *group,
>  
>                 ret = iommufd_vfio_compat_ioas_id(iommufd, &ioas_id);
>                 if (ret) {
> -                       iommufd_ctx_put(group->iommufd);
> +                       iommufd_ctx_put(iommufd);
>                         goto out_unlock;
>                 }
>  

Might want to Cc this to the stable mailing list.
-- 
~miko


* RE: [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd
  2023-02-22  7:49 [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd Yan Zhao
  2023-02-22  9:18 ` Miko Larsson
@ 2023-02-22  9:25 ` Liu, Yi L
  2023-02-22 12:58 ` Jason Gunthorpe
  2023-02-22 17:59 ` Alex Williamson
  3 siblings, 0 replies; 5+ messages in thread
From: Liu, Yi L @ 2023-02-22  9:25 UTC (permalink / raw)
  To: Zhao, Yan Y, alex.williamson@redhat.com, jgg@nvidia.com,
	Tian, Kevin
  Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org

> From: Zhao, Yan Y <yan.y.zhao@intel.com>
> Sent: Wednesday, February 22, 2023 3:50 PM
> group->iommufd is not initialized for the iommufd_ctx_put()
> 
> [20018.331541] BUG: kernel NULL pointer dereference, address:
> 0000000000000000
> [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]
> ...
> [20018.476483] Call Trace:
> [20018.479214]  <TASK>
> [20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]
> [20018.487586]  __x64_sys_ioctl+0x6a/0xb0
> [20018.491773]  ? trace_hardirqs_on+0xc5/0xe0
> [20018.496347]  do_syscall_64+0x67/0x90
> [20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5
> 
> Fixes: 9eefba8002c2 ("vfio: Move vfio group specific code into group.c")
> Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>

Reviewed-by: Yi Liu <yi.l.liu@intel.com>

> ---
>  drivers/vfio/group.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> index 57ebe5e1a7e6..8649f85f3be4 100644
> --- a/drivers/vfio/group.c
> +++ b/drivers/vfio/group.c
> @@ -137,7 +137,7 @@ static int vfio_group_ioctl_set_container(struct
> vfio_group *group,
> 
>  		ret = iommufd_vfio_compat_ioas_id(iommufd, &ioas_id);
>  		if (ret) {
> -			iommufd_ctx_put(group->iommufd);
> +			iommufd_ctx_put(iommufd);
>  			goto out_unlock;
>  		}
> 
> --
> 2.17.1



* Re: [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd
  2023-02-22  7:49 [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd Yan Zhao
  2023-02-22  9:18 ` Miko Larsson
  2023-02-22  9:25 ` Liu, Yi L
@ 2023-02-22 12:58 ` Jason Gunthorpe
  2023-02-22 17:59 ` Alex Williamson
  3 siblings, 0 replies; 5+ messages in thread
From: Jason Gunthorpe @ 2023-02-22 12:58 UTC (permalink / raw)
  To: Yan Zhao; +Cc: alex.williamson, kevin.tian, yi.l.liu, kvm, linux-kernel

On Wed, Feb 22, 2023 at 03:49:38PM +0800, Yan Zhao wrote:
> group->iommufd is not initialized for the iommufd_ctx_put()
> 
> [20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]
> ...
> [20018.476483] Call Trace:
> [20018.479214]  <TASK>
> [20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]
> [20018.487586]  __x64_sys_ioctl+0x6a/0xb0
> [20018.491773]  ? trace_hardirqs_on+0xc5/0xe0
> [20018.496347]  do_syscall_64+0x67/0x90
> [20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5
> 
> Fixes: 9eefba8002c2 ("vfio: Move vfio group specific code into group.c")
> Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
> ---
>  drivers/vfio/group.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>

Jason


* Re: [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd
  2023-02-22  7:49 [PATCH] vfio: Fix NULL pointer dereference caused by uninitialized group->iommufd Yan Zhao
                   ` (2 preceding siblings ...)
  2023-02-22 12:58 ` Jason Gunthorpe
@ 2023-02-22 17:59 ` Alex Williamson
  3 siblings, 0 replies; 5+ messages in thread
From: Alex Williamson @ 2023-02-22 17:59 UTC (permalink / raw)
  To: Yan Zhao; +Cc: jgg, kevin.tian, yi.l.liu, kvm, linux-kernel

On Wed, 22 Feb 2023 15:49:38 +0800
Yan Zhao <yan.y.zhao@intel.com> wrote:

> group->iommufd is not initialized for the iommufd_ctx_put()
> 
> [20018.331541] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [20018.377508] RIP: 0010:iommufd_ctx_put+0x5/0x10 [iommufd]
> ...
> [20018.476483] Call Trace:
> [20018.479214]  <TASK>
> [20018.481555]  vfio_group_fops_unl_ioctl+0x506/0x690 [vfio]
> [20018.487586]  __x64_sys_ioctl+0x6a/0xb0
> [20018.491773]  ? trace_hardirqs_on+0xc5/0xe0
> [20018.496347]  do_syscall_64+0x67/0x90
> [20018.500340]  entry_SYSCALL_64_after_hwframe+0x4b/0xb5
> 
> Fixes: 9eefba8002c2 ("vfio: Move vfio group specific code into group.c")
> Signed-off-by: Yan Zhao <yan.y.zhao@intel.com>
> ---
>  drivers/vfio/group.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/vfio/group.c b/drivers/vfio/group.c
> index 57ebe5e1a7e6..8649f85f3be4 100644
> --- a/drivers/vfio/group.c
> +++ b/drivers/vfio/group.c
> @@ -137,7 +137,7 @@ static int vfio_group_ioctl_set_container(struct vfio_group *group,
>  
>  		ret = iommufd_vfio_compat_ioas_id(iommufd, &ioas_id);
>  		if (ret) {
> -			iommufd_ctx_put(group->iommufd);
> +			iommufd_ctx_put(iommufd);
>  			goto out_unlock;
>  		}
>  

Applied to vfio next branch for v6.3 and added a stable cc.  Thanks,

Alex

