Excerpts from Colin King's message of March 19, 2021 1:59 am: > From: Colin Ian King <colin.king@xxxxxxxxxxxxx> > > There is a corner case where the sanity check of variable size fails > and branches to label fail and shift can be less than PAGE_SHIFT > causing area to never be assigned. This was picked up by static > analysis as follows: > > 1. var_decl: Declaring variable area without initializer. > struct vm_struct *area; > > ... > > 2. Condition !size, taking true branch. > if (!size || (size >> PAGE_SHIFT) > totalram_pages()) > 3. Jumping to label fail. > goto fail; > > ... > > 4. Condition shift > 12, taking false branch. > fail: > if (shift > PAGE_SHIFT) { > shift = PAGE_SHIFT; > align = real_align; > size = real_size; > goto again; > } > > Uninitialized pointer read (UNINIT) > 5. uninit_use: Using uninitialized value area. > if (!area) { > ... > } > > Fix this by setting area to NULL to avoid the uninitialized read > of area. > > Addresses-Coverity: ("Uninitialized pointer read") > Fixes: 92db9fec381b ("mm/vmalloc: hugepage vmalloc mappings") > Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx> Looks good to me. Acked-by: Nicholas Piggin <npiggin@xxxxxxxxx> Thanks, Nick > --- > mm/vmalloc.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/mm/vmalloc.c b/mm/vmalloc.c > index 96444d64129a..4b415b4bb7ae 100644 > --- a/mm/vmalloc.c > +++ b/mm/vmalloc.c > @@ -2888,8 +2888,10 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align, > unsigned long real_align = align; > unsigned int shift = PAGE_SHIFT; > > - if (!size || (size >> PAGE_SHIFT) > totalram_pages()) > + if (!size || (size >> PAGE_SHIFT) > totalram_pages()) { > + area = NULL; > goto fail; > + } > > if (vmap_allow_huge && !(vm_flags & VM_NO_HUGE_VMAP) && > arch_vmap_pmd_supported(prot)) { > -- > 2.30.2 > >
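Review bot: initialising `area` at its declaration (`struct vm_struct *area = NULL;`) would be a more robust fix than assigning it in this one early-exit branch, since the commit message itself identifies the root cause as `area` being declared without an initializer and any future `goto fail` added before `area` is assigned would reintroduce the same uninitialized read at `if (!area)` under the `fail:` label. As posted, the hunk is correct for the path it addresses: from the `!size || (size >> PAGE_SHIFT) > totalram_pages()` check, `shift` is still `PAGE_SHIFT`, so the `if (shift > PAGE_SHIFT)` retry is skipped and control goes straight to the `!area` test, which now sees a NULL rather than stack garbage. If the patch is kept in this form, the added braces and the `area = NULL;` line follow kernel style, and the `Fixes:` tag pointing at the hugepage vmalloc commit that introduced the `fail:`/`again` retry path is appropriate.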