Patch "genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()" has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     genirq-ipi-fix-null-pointer-deref-in-irq_data_get_af.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 62bbbf9d3ddaaf22a38d243e3178ded087e87a93
Author: Sergey Shtylyov <s.shtylyov@xxxxxx>
Date:   Wed Aug 17 23:00:45 2022 +0300

    genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask()
    
    [ Upstream commit feabecaff5902f896531dde90646ca5dfa9d4f7d ]
    
    If ipi_send_{mask|single}() is called with an invalid interrupt number, all
    the local variables there will be NULL. ipi_send_verify() which is invoked
    from these functions does verify its 'data' parameter, resulting in a
    kernel oops in irq_data_get_affinity_mask() as the passed NULL pointer gets
    dereferenced.
    
    Add a missing NULL pointer check in ipi_send_verify()...
    
    Found by Linux Verification Center (linuxtesting.org) with the SVACE static
    analysis tool.
    
    Fixes: 3b8e29a82dd1 ("genirq: Implement ipi_send_mask/single()")
    Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
    Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/b541232d-c2b6-1fe9-79b4-a7129459e4d0@xxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/irq/ipi.c b/kernel/irq/ipi.c
index bbd945bacef08..961d4af76af37 100644
--- a/kernel/irq/ipi.c
+++ b/kernel/irq/ipi.c
@@ -188,9 +188,9 @@ EXPORT_SYMBOL_GPL(ipi_get_hwirq);
 static int ipi_send_verify(struct irq_chip *chip, struct irq_data *data,
 			   const struct cpumask *dest, unsigned int cpu)
 {
-	const struct cpumask *ipimask = irq_data_get_affinity_mask(data);
+	const struct cpumask *ipimask;
 
-	if (!chip || !ipimask)
+	if (!chip || !data)
 		return -EINVAL;
 
 	if (!chip->ipi_send_single && !chip->ipi_send_mask)
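Review bot: The declaration `const struct cpumask *ipimask;` now has no initializer, and nothing at that line says why, so a later cleanup could fold the irq_data_get_affinity_mask(data) call back into it and reintroduce the oops described in the commit message. A one-line comment above the `if (!chip || !data)` check stating that 'data' may be NULL for an invalid interrupt number and must be validated before the affinity mask lookup would make the ordering requirement explicit.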
@@ -199,6 +199,10 @@ static int ipi_send_verify(struct irq_chip *chip, struct irq_data *data,
 	if (cpu >= nr_cpu_ids)
 		return -EINVAL;
 
+	ipimask = irq_data_get_affinity_mask(data);
+	if (!ipimask)
+		return -EINVAL;
+
 	if (dest) {
 		if (!cpumask_subset(dest, ipimask))
 			return -EINVAL;
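Review bot: The retained `if (!ipimask)` check after `ipimask = irq_data_get_affinity_mask(data);` deserves a word of justification now that 'data' is known to be non-NULL at this point. If irq_data_get_affinity_mask() can still return NULL for valid irq_data, a short comment saying so would help; if it cannot, the check is dead code and could be dropped in a follow-up. Either way the lookup correctly sits before the `if (dest)` branch, where cpumask_subset(dest, ipimask) first uses the mask.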


