[PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory
David Hildenbrand (Arm)
david at kernel.org
Thu Apr 9 05:37:59 PDT 2026
On 4/9/26 11:11, Michael Neuling wrote:
> find_vm_area() can return NULL if no vm_struct covers the given address.
> The code immediately dereferences area->addr without a NULL check.
> While is_vmalloc_or_module_addr() confirms the address falls within the
> vmalloc/module address range, it does not guarantee the address belongs
> to an active allocation, so find_vm_area() may still return NULL.
>
> Add the missing NULL check.
>
> Fixes: 311cd2f6e2 ("riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings")
> Signed-off-by: Michael Neuling <mikey at neuling.org>
> Assisted-by: Cursor:claude-4.6-opus-high-thinking
> ---
> arch/riscv/mm/pageattr.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c
> index 3f76db3d27..46a999c86b 100644
> --- a/arch/riscv/mm/pageattr.c
> +++ b/arch/riscv/mm/pageattr.c
> @@ -289,6 +289,10 @@ static int __set_memory(unsigned long addr, int numpages, pgprot_t set_mask,
> int i, page_start;
>
> area = find_vm_area((void *)start);
> + if (!area) {
> + ret = -EINVAL;
> + goto unlock;
> + }
> page_start = (start - (unsigned long)area->addr) >> PAGE_SHIFT;
>
> for (i = page_start; i < page_start + numpages; ++i) {
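Review bot: the new `!area` branch returns -EINVAL silently, which turns what the commit message describes as a caller passing a non-allocated address into a quiet failure; a `WARN_ON_ONCE(!area)` before the `goto unlock`, or at least naming the caller that reaches this path in the commit message, would make the misuse visible instead of hidden. The branch also depends on `ret` and the `unlock` label, neither of which appears in the visible context, so a reader of this hunk cannot confirm that the error path releases the lock taken before `find_vm_area()`; a couple more lines of context around the declaration and the label would make that checkable.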
Which caller would end up calling __set_memory() in such a way?
--
Cheers,
David