Re: [PATCH] x86/boot: Fix NULL dereference for missing hugepagesz/hugepages value
From: Thorsten Blum
Date: Thu Apr 09 2026 - 07:08:36 EST
On Fri, Mar 13, 2026 at 09:42:43PM +0100, Borislav Petkov wrote:
> On Mon, Mar 02, 2026 at 09:58:59PM +0100, Thorsten Blum wrote:
> > In parse_gb_huge_pages(), 'val' can be NULL if '=' is missing from the
> > boot parameter. The code passes 'val' to memparse() and
> > simple_strtoull(), which can dereference NULL.
> >
> > Reject 'hugepagesz' and 'hugepages' when no value has been provided and
> > log a warning.
> >
> > Fixes: 9b912485e0e7 ("x86/boot/KASLR: Add two new functions for 1GB huge pages handling")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Thorsten Blum <thorsten.blum@xxxxxxxxx>
> > ---
> > arch/x86/boot/compressed/kaslr.c | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> > index 3b0948ad449f..88ccc3b2c5aa 100644
> > --- a/arch/x86/boot/compressed/kaslr.c
> > +++ b/arch/x86/boot/compressed/kaslr.c
> > @@ -205,6 +205,11 @@ static void parse_gb_huge_pages(char *param, char *val)
> > char *p;
> >
> > if (!strcmp(param, "hugepagesz")) {
> > + if (!val) {
> > + warn("Missing value in hugepagesz= boot parameter\n");
> > + return;
> > + }
> > +
> > p = val;
> > if (memparse(p, &p) != PUD_SIZE) {
> > gbpage_sz = false;
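Review bot: The early return in the new `if (!val)` block under `hugepagesz` leaves `gbpage_sz` at whatever an earlier parameter set it to, while the invalid-size path right below it (`memparse(p, &p) != PUD_SIZE`) clears it with `gbpage_sz = false;`. If a valueless `hugepagesz` should be treated like any other non-1G size, set `gbpage_sz = false;` before the `return`; if keeping the previous state is intended, a short comment saying so would help.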
> > @@ -218,6 +223,11 @@ static void parse_gb_huge_pages(char *param, char *val)
> > }
> >
> > if (!strcmp(param, "hugepages") && gbpage_sz) {
> > + if (!val) {
> > + warn("Missing value in hugepages= boot parameter\n");
> > + return;
> > + }
> > +
> > p = val;
> > max_gb_huge_pages = simple_strtoull(p, &p, 0);
> > return;
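Review bot: The `if (!val)` check for `hugepages` sits inside the `!strcmp(param, "hugepages") && gbpage_sz` branch, so the warning is printed only when `gbpage_sz` is already true; with `gbpage_sz` false, a valueless `hugepages` is not reported by this check. The block also duplicates the `hugepagesz` one apart from the message text. A single `if (!val)` check ahead of both `strcmp()` branches would give consistent behaviour and remove the repetition, provided the function is only reached for these two parameters.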
>
> The intent is good even if it is not working fully yet, see below.
I fixed this with [*], which prevents parse_gb_huge_pages() from being
called with a NULL pointer in the first place. Please drop this patch.
> [...]
Thanks,
Thorsten
[*] https://lore.kernel.org/lkml/20260409105437.108686-4-thorsten.blum@xxxxxxxxx/