Commit 5682f391 authored Aug 05, 2024 by Waiman Long Committed by Tong Tiangen Aug 05, 2024

mm: prevent derefencing NULL ptr in pfn_section_valid()

stable inclusion
from stable-v5.10.222
commit 0100aeb8a12d51950418e685f879cc80cb8e5982
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEL6
CVE: CVE-2024-41055

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0100aeb8a12d51950418e685f879cc80cb8e5982

---------------------------

[ Upstream commit 82f0b6f041fad768c28b4ad05a683065412c226e ]

Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing
memory_section->usage") changed pfn_section_valid() to add a READ_ONCE()
call around "ms->usage" to fix a race with section_deactivate() where
ms->usage can be cleared.  The READ_ONCE() call, by itself, is not enough
to prevent NULL pointer dereference.  We need to check its value before
dereferencing it.

Link: https://lkml.kernel.org/r/20240626001639.1350646-1-longman@redhat.com


Fixes: 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage")
Signed-off-by: Waiman Long <longman@redhat.com>
Cc: Charan Teja Kalla <quic_charante@quicinc.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Tong Tiangen <tongtiangen@huawei.com>

parent 2630e077

include/linux/mmzone.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -1391,8 +1391,9 @@ static inline int subsection_map_index(unsigned long pfn)
		static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)
		{
		int idx = subsection_map_index(pfn);
		struct mem_section_usage *usage = READ_ONCE(ms->usage);

		return test_bit(idx, READ_ONCE(ms->usage)->subsection_map);
		return usage ? test_bit(idx, usage->subsection_map) : 0;
		}
		#else
		static inline int pfn_section_valid(struct mem_section *ms, unsigned long pfn)