linux/drivers/misc
Wang Hai a30dc6cf0d VMCI: fix NULL pointer dereference when unmapping queue pair
I got a NULL pointer dereference report when doing a fuzz test:

Call Trace:
  qp_release_pages+0xae/0x130
  qp_host_unregister_user_memory.isra.25+0x2d/0x80
  vmci_qp_broker_unmap+0x191/0x320
  ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
  vmci_host_unlocked_ioctl+0x59f/0xd50
  ? do_vfs_ioctl+0x14b/0xa10
  ? tomoyo_file_ioctl+0x28/0x30
  ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
  __x64_sys_ioctl+0xea/0x120
  do_syscall_64+0x34/0xb0
  entry_SYSCALL_64_after_hwframe+0x44/0xae

When a queue pair is created by the following call, it will not
register the user memory if the page_store is NULL, and the
entry->state will be set to VMCIQPB_CREATED_NO_MEM.

vmci_host_unlocked_ioctl
  vmci_host_do_alloc_queuepair
    vmci_qp_broker_alloc
      qp_broker_alloc
        qp_broker_create // set entry->state = VMCIQPB_CREATED_NO_MEM;

When unmapping this queue pair, qp_host_unregister_user_memory() will
be called to unregister the non-existent user memory, which will
result in a NULL pointer dereference. It will also change
VMCIQPB_CREATED_NO_MEM to VMCIQPB_CREATED_MEM, which should not be
present in this operation.

Only when the qp broker has mem can it unregister the user
memory when unmapping the qp broker.

Only when the qp broker has no mem can it register the user
memory when mapping the qp broker.

Fixes: 06164d2b72 ("VMCI: queue pairs implementation.")
Cc: stable <stable@vger.kernel.org>
Reported-by: Hulk Robot <hulkci@huawei.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Link: https://lore.kernel.org/r/20210818124845.488312-1-wanghai38@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-08-27 16:21:59 +02:00
altera-stapl altera-stapl: remove the unreached switch case 2020-12-09 19:53:03 +01:00
bcm-vk TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
c2port misc: c2port: core: Make copying name from userspace more secure 2020-11-03 10:12:10 +01:00
cardreader Linux 5.13-rc6 2021-06-14 08:59:06 +02:00
cb710 misc: cb710: sgbuf2: Add missing documentation for cb710_sg_dwiter_write_next_block()'s 'data' arg 2020-06-29 18:45:53 +02:00
cxl cxl: Fix an error message 2021-05-14 13:43:26 +02:00
echo char: Replace HTTP links with HTTPS ones 2020-07-23 09:44:15 +02:00
eeprom Merge tag 'at24-fixes-for-v5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into i2c/for-current 2021-07-20 22:28:56 +02:00
genwqe misc: genwqe: Rudimentary typo fixes 2021-03-28 14:39:40 +02:00
habanalabs habanalabs/gaudi: refactor hard-reset related code 2021-06-21 10:21:51 +03:00
ibmasm Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
lis3lv02d platform/x86: hp_accel: Avoid invoking _INI to speed up resume 2021-05-11 13:44:18 +02:00
lkdtm lkdtm: remove IDE_CORE_CP crashpoint 2021-08-19 07:40:22 +02:00
mei mei: constify passed buffers and structures 2021-07-29 17:08:04 +02:00
ocxl ocxl: use DEFINE_MUTEX() for mutex lock 2021-01-30 11:39:21 +11:00
pvpanic misc/pvpanic-pci: Allow automatic loading 2021-07-21 14:57:58 +02:00
sgi-gru misc: sgi-gru: Convert from atomic_t to refcount_t on gru_thread_state->ts_refcnt 2021-07-21 13:50:54 +02:00
sgi-xp sgi-xpc: Replace deprecated CPU-hotplug functions. 2021-08-03 16:30:36 +02:00
ti-st ti-st: use tty_write_room 2021-05-13 17:03:20 +02:00
uacce uacce: add print information if not enable sva 2021-06-09 18:53:29 +02:00
vmw_vmci VMCI: fix NULL pointer dereference when unmapping queue pair 2021-08-27 16:21:59 +02:00
ad525x_dpot-i2c.c
ad525x_dpot-spi.c
ad525x_dpot.c drivers: misc: ad525x_dpot: Add missing check in dpot_read_spi 2021-03-10 09:21:02 +01:00
ad525x_dpot.h
apds990x.c
apds9802als.c
atmel-ssc.c misc: atmel-ssc: lock with mutex instead of spinlock 2020-06-29 19:10:51 +02:00
bh1770glc.c
cs5535-mfgpt.c
ds1682.c
dummy-irq.c
dw-xdata-pcie.c misc: Add Synopsys DesignWare xData IP driver 2021-04-05 13:15:52 +02:00
enclosure.c misc: enclosure: Update enclosure_remove_device() documentation to match reality 2020-07-01 15:05:37 +02:00
fastrpc.c misc: fastrpc: restrict user apps from sending kernel RPC messages 2021-03-10 17:01:29 +01:00
gehc-achc.c misc: gehc-achc: Fix spelling mistake "Verfication" -> "Verification" 2021-08-16 19:02:11 +02:00
hisi_hikey_usb.c misc: hisi_hikey_usb: use PTR_ERR_OR_ZERO 2020-10-29 08:37:29 +01:00
hmc6352.c
hpilo.c misc: hpilo: map iLO shared memory by PCI revision id 2021-06-04 15:28:23 +02:00
hpilo.h misc: hpilo: map iLO shared memory by PCI revision id 2021-06-04 15:28:23 +02:00
ibmvmc.c vio: make remove callback return void 2021-03-02 22:41:23 +11:00
ibmvmc.h
ics932s401.c ics932s401: fix broken handling of errors when word reading fails 2021-05-13 17:21:54 +02:00
isl29003.c misc: isl29003: Fix typo for get/set mode 2020-12-09 19:35:34 +01:00
isl29020.c
Kconfig misc: gehc-achc: new driver 2021-08-05 14:29:27 +02:00
kgdbts.c kgdb: fix gcc-11 warnings harder 2021-05-21 15:05:08 +02:00
lattice-ecp3-config.c firmware: replace HOTPLUG with UEVENT in FW_ACTION defines 2021-05-13 16:14:45 +02:00
Makefile misc: gehc-achc: new driver 2021-08-05 14:29:27 +02:00
pch_phub.c misc: pch_phub: Remove superfluous descriptions to non-existent args 'offset_address' 2020-07-01 15:05:37 +02:00
pci_endpoint_test.c misc: pci_endpoint_test: Ensure relationship between miscdev and PCI 2021-07-21 15:54:39 +02:00
phantom.c misc/phantom.c: use generic power management 2020-06-29 18:43:42 +02:00
qcom-coincell.c
sram-exec.c char: Replace HTTP links with HTTPS ones 2020-07-23 09:44:15 +02:00
sram.c misc: sram: Only map reserved areas in Tegra SYSRAM 2021-08-05 14:27:46 +02:00
sram.h misc: sram: Only map reserved areas in Tegra SYSRAM 2021-08-05 14:27:46 +02:00
tifm_7xx1.c misc/tifm_7xx1.c: use generic power management 2020-06-29 18:43:42 +02:00
tifm_core.c
tsl2550.c
vmw_balloon.c drivers: vmw_balloon: remove dentry pointer for debugfs 2021-03-10 09:21:02 +01:00
xilinx_sdfec.c misc: xilinx-sdfec: Drop unnecessary NULL check after container_of 2021-05-21 22:14:48 +02:00