linux/drivers
Wang Hai a30dc6cf0d VMCI: fix NULL pointer dereference when unmapping queue pair
I got a NULL pointer dereference report when doing fuzz test:

Call Trace:
  qp_release_pages+0xae/0x130
  qp_host_unregister_user_memory.isra.25+0x2d/0x80
  vmci_qp_broker_unmap+0x191/0x320
  ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
  vmci_host_unlocked_ioctl+0x59f/0xd50
  ? do_vfs_ioctl+0x14b/0xa10
  ? tomoyo_file_ioctl+0x28/0x30
  ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
  __x64_sys_ioctl+0xea/0x120
  do_syscall_64+0x34/0xb0
  entry_SYSCALL_64_after_hwframe+0x44/0xae

When a queue pair is created by the following call, it will not
register the user memory if the page_store is NULL, and the
entry->state will be set to VMCIQPB_CREATED_NO_MEM.

vmci_host_unlocked_ioctl
  vmci_host_do_alloc_queuepair
    vmci_qp_broker_alloc
      qp_broker_alloc
        qp_broker_create // set entry->state = VMCIQPB_CREATED_NO_MEM;

When unmapping this queue pair, qp_host_unregister_user_memory() will
be called to unregister the non-existent user memory, which will
result in a null pointer reference. It will also change
VMCIQPB_CREATED_NO_MEM to VMCIQPB_CREATED_MEM, which should not be
present in this operation.

Only when the qp broker has mem can it unregister the user
memory when unmapping the qp broker.

Only when the qp broker has no mem can it register the user
memory when mapping the qp broker.

Fixes: 06164d2b72 ("VMCI: queue pairs implementation.")
Cc: stable <stable@vger.kernel.org>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20210818124845.488312-1-wanghai38@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-08-27 16:21:59 +02:00
accessibility speakup: replace sprintf() by scnprintf() 2021-07-21 13:46:03 +02:00
acpi Merge branch 'acpi-pm' 2021-08-20 21:11:43 +02:00
amba
android binder: Add invalid handle info in user error log 2021-08-03 16:29:25 +02:00
ata libata-5.14-2021-07-30 2021-07-30 10:56:47 -07:00
atm Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
auxdisplay
base PCI/MSI: Protect msi_desc::masked for multi-MSI 2021-08-10 10:59:20 +02:00
bcma
block virtio,vhost,vdpa: bugfixes 2021-08-16 06:16:25 -10:00
bluetooth TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
bus Merge 5.14-rc7 into char-misc-next 2021-08-24 15:24:21 +02:00
cdrom block: remove REQ_OP_SCSI_{IN,OUT} 2021-06-30 15:34:19 -06:00
char char: mware: fix returnvar.cocci warnings 2021-08-27 16:20:37 +02:00
clk Two clk driver fixes 2021-08-21 11:27:16 -07:00
clocksource This round has a diffstat dominated by Qualcomm clk drivers. Honestly though 2021-07-01 13:26:16 -07:00
comedi Staging / IIO driver patches for 5.14-rc1 2021-07-05 14:01:53 -07:00
connector
counter
cpufreq Merge branch 'cpufreq/arm/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vireshk/pm 2021-08-17 20:52:07 +02:00
cpuidle cpuidle: teo: Rename two local variables in teo_select() 2021-08-03 15:18:57 +02:00
crypto ARM: SoC changes for 5.14 2021-07-10 09:22:44 -07:00
cxl cxl/pci: Rename CXL REGLOC ID 2021-06-17 17:37:18 -07:00
dax Merge branch 'for-5.14/dax' into libnvdimm-fixes 2021-08-11 12:04:43 -07:00
dca
devfreq PM / devfreq: passive: Fix get_target_freq when not using required-opp 2021-06-24 10:37:35 +09:00
dio dio: return -ENOMEM when kzalloc() fails 2021-07-21 15:53:24 +02:00
dma dmaengine fixes for v5.14 2021-08-06 11:08:24 -07:00
dma-buf Short summary of fixes pull: 2021-07-13 15:15:17 +02:00
edac EDAC/igen6: fix core dependency AGAIN 2021-07-15 11:59:59 -07:00
eisa
extcon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
firewire Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
firmware Merge 5.14-rc7 into char-misc-next 2021-08-24 15:24:21 +02:00
fpga Merge 5.14-rc5 into char-misc-next 2021-08-09 08:57:03 +02:00
fsi
gnss
gpio gpio: tqmx86: really make IRQ optional 2021-08-02 17:17:27 +02:00
gpu Merge tag 'amd-drm-fixes-5.14-2021-08-18' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes 2021-08-20 15:13:56 +10:00
greybus
hid HID: ft260: fix device removal due to USB disconnect 2021-07-29 12:38:32 +02:00
hsi
hv Drivers: hv: vmbus: Fix duplicate CPU assignments within a device 2021-07-19 09:26:31 +00:00
hwmon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
hwspinlock
hwtracing coresight: Replace deprecated CPU-hotplug functions. 2021-08-18 22:33:28 +02:00
i2c i2c: dev: zero out array used for i2c reads from userspace 2021-08-10 22:54:10 +02:00
i3c I3C for 5.14 2021-07-10 11:53:06 -07:00
idle
iio iio: adc: Fix incorrect exit of for-loop 2021-07-31 14:46:05 +01:00
infiniband Networking fixes for 5.14-rc6, including fixes from netfilter, bpf, 2021-08-12 16:24:03 -10:00
input This pull request contains the following changes for UML: 2021-07-09 10:19:13 -07:00
interconnect interconnect changes for 5.15 2021-08-24 15:33:04 +02:00
iommu iommu/vt-d: Fix incomplete cache flush in intel_pasid_tear_down_entry() 2021-08-18 13:15:58 +02:00
ipack ipack: tpci200: fix memory leak in the tpci200_register 2021-08-13 10:24:37 +02:00
irqchip irqchip fixes for 5.14, take #1 2021-07-09 15:35:13 +02:00
isdn TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
leds This contains quite a lot of fixes, with more fixes in my inbox that 2021-07-03 11:57:42 -07:00
lightnvm
macintosh
mailbox mbox: add polarfire soc system controller mailbox 2021-06-26 12:06:48 -05:00
mcb mcb: Use DEFINE_RES_MEM() helper macro and fix the end address 2021-06-24 15:56:25 +02:00
md block-5.14-2021-08-07 2021-08-07 10:26:21 -07:00
media media fixes for v5.14-rc5 2021-08-03 09:33:05 -07:00
memory Memory controller drivers for v5.14 - Tegra SoC, part two 2021-06-16 17:36:30 -07:00
memstick for-5.14/block-2021-06-29 2021-06-30 12:12:56 -07:00
message scsi: message: mptfc: Switch from pci_ to dma_ API 2021-06-22 23:00:01 -04:00
mfd Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
misc VMCI: fix NULL pointer dereference when unmapping queue pair 2021-08-27 16:21:59 +02:00
mmc mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711 2021-08-16 12:12:05 +02:00
most MOST: cdev: rename 'mod_init' & 'mod_exit' functions to be module-specific 2021-07-21 15:46:22 +02:00
mtd MTD core fixes: 2021-08-16 06:36:01 -10:00
mux
net Merge 5.14-rc7 into char-misc-next 2021-08-24 15:24:21 +02:00
nfc nfc: nfcsim: fix use after free during module unload 2021-07-28 10:20:16 +01:00
ntb
nubus
nvdimm libnvdimm/region: Fix label activation vs errors 2021-08-11 11:54:43 -07:00
nvme block-5.14-2021-07-24 2021-07-24 12:57:06 -07:00
nvmem nvmem: nintendo-otp: Add new driver for the Wii and Wii U OTP 2021-08-13 10:27:20 +02:00
of Devicetree updates for v5.14: 2021-07-03 10:54:08 -07:00
opp opp: Drop empty-table checks from _put functions 2021-08-16 09:42:08 +05:30
parisc kernel.h: split out panic and oops helpers 2021-07-01 11:06:04 -07:00
parport parport: remove non-zero check on count 2021-08-27 16:18:42 +02:00
pci pci-v5.14-fixes-2 2021-08-20 12:51:37 -07:00
pcmcia pcmcia: i82092: fix a null pointer dereference bug 2021-07-23 08:08:54 +02:00
perf drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe() 2021-06-17 19:45:24 +01:00
phy phy: qcom-qmp: Add support for SM6115 UFS phy 2021-08-23 11:12:30 +05:30
pinctrl pinctrl: amd: Fix an issue with shutdown when system set to s0ix 2021-08-12 11:16:40 +02:00
platform platform/x86: gigabyte-wmi: add support for B450M S2H V2 2021-08-18 19:39:31 +02:00
pnp Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
power power: supply: Fix fall-through warnings for Clang 2021-07-13 14:50:47 -05:00
powercap
pps pps: clients: parport: Switch to use module_parport_driver() 2021-07-29 17:29:14 +02:00
ps3
ptp ptp_pch: Restore dependency on PCI 2021-08-16 11:11:06 +01:00
pwm pwm: ep93xx: Ensure configuring period and duty_cycle isn't wrongly skipped 2021-07-08 16:09:30 +02:00
rapidio
ras
regulator regulator: Fixes for v5.14 2021-07-21 12:37:49 -07:00
remoteproc remoteproc updates for v5.14 2021-07-07 10:50:03 -07:00
reset ARM: Drivers for 5.14 2021-07-10 09:46:20 -07:00
rpmsg rpmsg: core: Add driver_data for rpmsg_device_id 2021-06-18 13:13:40 -07:00
rtc RTC for 5.14 2021-07-10 16:19:10 -07:00
s390 Networking fixes for 5.14-rc6, including fixes from netfilter, bpf, 2021-08-12 16:24:03 -10:00
sbus
scsi SCSI fixes on 20210814 2021-08-14 19:51:58 -10:00
sh
siox siox: Simplify error handling via dev_err_probe() 2021-06-24 15:46:34 +02:00
slimbus slimbus: ngd: reset dma setup during runtime pm 2021-08-13 10:22:30 +02:00
soc NXP/FSL SoC driver fixes for v5.14 2021-08-16 22:42:02 +02:00
soundwire soundwire: cadence: do not extend reset delay 2021-08-23 17:40:34 +05:30
spi Merge 5.14-rc5 into char-misc-next 2021-08-09 08:57:03 +02:00
spmi spmi: hisi-spmi-controller: move driver from staging 2021-06-25 10:02:05 +02:00
ssb ssb: use DEVICE_ATTR_ADMIN_RW() helper macro 2021-06-15 13:11:56 +03:00
staging staging: mt7621-pci: avoid to re-disable clock for those pcies not in use 2021-07-27 15:48:43 +02:00
target scsi: target: Fix NULL dereference on XCOPY completion 2021-07-20 23:18:22 -04:00
tc
tee tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag 2021-07-21 07:55:50 +02:00
thermal - Add rk3568 sensor support (Finley Xiao) 2021-07-10 11:43:25 -07:00
thunderbolt Revert "thunderbolt: Hide authorized attribute if router does not support PCIe tunnels" 2021-07-27 18:14:25 +02:00
tty serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts. 2021-07-30 13:06:19 +02:00
uio
usb usb: typec: tcpm: Fix VDMs sometimes not being forwarded to alt-mode drivers 2021-08-18 15:59:23 +02:00
vdpa virtio,vhost,vdpa: bugfixes 2021-08-16 06:16:25 -10:00
vfio VFIO update for v5.14-rc1 2021-07-03 11:49:33 -07:00
vhost vringh: Use wiov->used to check for read/write desc order 2021-08-11 06:44:24 -04:00
video drm fixes for 5.14-rc2 2021-07-16 11:14:54 -07:00
virt virt: acrn: Do hcall_destroy_vm() before resource release 2021-07-27 16:48:45 +02:00
virtio virtio_ring: pull in spinlock header 2021-08-11 06:44:24 -04:00
visorbus
vlynq
vme
w1
watchdog linux-watchdog 5.14-rc1 tag 2021-07-07 12:57:46 -07:00
xen xen: branch for v5.14-rc6 2021-08-14 06:31:22 -10:00
zorro
Kconfig ide: remove the legacy ide driver 2021-06-16 08:53:58 -06:00
Makefile hyperv-next for 5.14 2021-06-29 11:21:35 -07:00