[PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory

Next message: Jon Hunter: "Re: [PATCH 6.12 000/242] 6.12.81-rc1 review"
Previous message: Jon Hunter: "Re: [PATCH 6.6 000/160] 6.6.134-rc1 review"
In reply to: Michael Neuling: "[PATCH 0/5] riscv: Assorted bug fixes"
Next in thread: David Hildenbrand (Arm): "Re: [PATCH 3/5] riscv: mm: Fix NULL pointer dereference in __set_memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Michael Neuling

Date: Thu Apr 09 2026 - 05:13:17 EST

find_vm_area() can return NULL if no vm_struct covers the given address.
The code immediately dereferences area->addr without a NULL check.
While is_vmalloc_or_module_addr() confirms the address falls within the
vmalloc/module address range, it does not guarantee the address belongs
to an active allocation, so find_vm_area() may still return NULL.

Add the missing NULL check.

Fixes: 311cd2f6e2 ("riscv: Fix set_memory_XX() and set_direct_map_XX() by splitting huge linear mappings")
Signed-off-by: Michael Neuling <mikey@xxxxxxxxxxx>
Assisted-by: Cursor:claude-4.6-opus-high-thinking
---
arch/riscv/mm/pageattr.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/arch/riscv/mm/pageattr.c b/arch/riscv/mm/pageattr.c
index 3f76db3d27..46a999c86b 100644
--- a/arch/riscv/mm/pageattr.c
+++ b/arch/riscv/mm/pageattr.c
@@ -289,6 +289,10 @@ static int __set_memory(unsigned long addr, int numpages, pgprot_t set_mask,
int i, page_start;

area = find_vm_area((void *)start);
+ if (!area) {
+ ret = -EINVAL;
+ goto unlock;
+ }
page_start = (start - (unsigned long)area->addr) >> PAGE_SHIFT;

for (i = page_start; i < page_start + numpages; ++i) {
--
2.43.0