public inbox for linux-kernel@vger.kernel.org
From: Thorsten Blum <thorsten.blum@linux.dev>
To: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@kernel.org>, Ingo Molnar <mingo@redhat.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
	"Mike Rapoport (Microsoft)" <rppt@kernel.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Changyuan Lyu <changyuanl@google.com>,
	Alexander Graf <graf@amazon.com>, Baoquan He <bhe@redhat.com>,
	stable@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH] x86/boot: Fix NULL dereference for missing hugepagesz/hugepages value
Date: Thu, 9 Apr 2026 13:07:20 +0200
Message-ID: <adeIaDdxslGShgq8@linux.dev>
In-Reply-To: <20260313204243.GIabR2w3PqVcFxg66B@fat_crate.local>

On Fri, Mar 13, 2026 at 09:42:43PM +0100, Borislav Petkov wrote:
> On Mon, Mar 02, 2026 at 09:58:59PM +0100, Thorsten Blum wrote:
> > In parse_gb_huge_pages(), 'val' can be NULL if '=' is missing from the
> > boot parameter. The code passes 'val' to memparse() and
> > simple_strtoull(), which can dereference NULL.
> > 
> > Reject 'hugepagesz' and 'hugepages' when no value has been provided and
> > log a warning.
> > 
> > Fixes: 9b912485e0e7 ("x86/boot/KASLR: Add two new functions for 1GB huge pages handling")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
> > ---
> >  arch/x86/boot/compressed/kaslr.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> > index 3b0948ad449f..88ccc3b2c5aa 100644
> > --- a/arch/x86/boot/compressed/kaslr.c
> > +++ b/arch/x86/boot/compressed/kaslr.c
> > @@ -205,6 +205,11 @@ static void parse_gb_huge_pages(char *param, char *val)
> >  	char *p;
> >  
> >  	if (!strcmp(param, "hugepagesz")) {
> > +		if (!val) {
> > +			warn("Missing value in hugepagesz= boot parameter\n");
> > +			return;
> > +		}
> > +
> >  		p = val;
> >  		if (memparse(p, &p) != PUD_SIZE) {
> >  			gbpage_sz = false;
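
Review bot: the early return added at the top of the hugepagesz branch leaves gbpage_sz at its previous value, while the size-mismatch path directly below sets gbpage_sz = false. If gbpage_sz was already true from an earlier parameter, a later hugepagesz without a value keeps that state live for a following hugepages parameter. Consider clearing gbpage_sz before the return so a malformed parameter is handled like an unsupported size, or add a comment saying that keeping the previous state is intended. The message also prints "hugepagesz=" although the case being caught is the one where '=' is absent; "hugepagesz boot parameter has no value" would match what the user typed.
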
> > @@ -218,6 +223,11 @@ static void parse_gb_huge_pages(char *param, char *val)
> >  	}
> >  
> >  	if (!strcmp(param, "hugepages") && gbpage_sz) {
> > +		if (!val) {
> > +			warn("Missing value in hugepages= boot parameter\n");
> > +			return;
> > +		}
> > +
> >  		p = val;
> >  		max_gb_huge_pages = simple_strtoull(p, &p, 0);
> >  		return;
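
Review bot: the !val check in the hugepages branch sits inside the condition that also requires gbpage_sz, so the warning is only emitted when gbpage_sz is true; a hugepages parameter without a value is silently skipped otherwise, unlike hugepagesz, which always warns. If the diagnostic is meant to flag a malformed command line, test val independently of gbpage_sz. The check is also a copy of the one in the hugepagesz branch, which suggests validating val once before the strcmp() branches, or before parse_gb_huge_pages() is called, rather than repeating it per parameter.
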
> 
> The intent is good even if it is not working fully yet, see below.

I fixed this with [*], which prevents parse_gb_huge_pages() from being
called with a NULL pointer in the first place. Please drop this patch.

> [...]

Thanks,
Thorsten

[*] https://lore.kernel.org/lkml/20260409105437.108686-4-thorsten.blum@linux.dev/
