In parse_gb_huge_pages(), 'val' can be NULL if '=' is missing from the
boot parameter. The code passes 'val' to memparse() and
simple_strtoull(), which can dereference NULL.
Reject 'hugepagesz' and 'hugepages' when no value has been provided and
log a warning.
Fixes: 9b912485e0e7 ("x86/boot/KASLR: Add two new functions for 1GB huge pages handling")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
arch/x86/boot/compressed/kaslr.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 3b0948ad449f..88ccc3b2c5aa 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -205,6 +205,11 @@ static void parse_gb_huge_pages(char *param, char *val)
char *p;
if (!strcmp(param, "hugepagesz")) {
+ if (!val) {
+ warn("Missing value in hugepagesz= boot parameter\n");
+ return;
+ }
+
p = val;
if (memparse(p, &p) != PUD_SIZE) {
gbpage_sz = false;
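Review bot: The new `!val` branch for `hugepagesz` returns without touching `gbpage_sz`, whereas the size-mismatch path right after it sets `gbpage_sz = false;`. If an earlier `hugepagesz=1G` had already set the flag, a later bare `hugepagesz` followed by `hugepages=N` would presumably still be counted as 1GB pages, so the malformed parameter leaves stale parser state behind. Consider adding `gbpage_sz = false;` before the `return;` so a missing value is handled like any other non-1GB size. The success path of this branch is outside the hunk, so check this against how the flag is set there.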
@@ -218,6 +223,11 @@ static void parse_gb_huge_pages(char *param, char *val)
}
if (!strcmp(param, "hugepages") && gbpage_sz) {
+ if (!val) {
+ warn("Missing value in hugepages= boot parameter\n");
+ return;
+ }
+
p = val;
max_gb_huge_pages = simple_strtoull(p, &p, 0);
return;
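Review bot: Both new `warn()` strings (here and in the `hugepagesz` branch of the first hunk) end in `\n`, which is probably redundant. As far as I recall, the decompressor's `warn()` already prints blank lines around its argument, so `warn("Missing value in hugepages= boot parameter");` should be enough; please confirm against the helper's definition. A one-line comment above each check would also help, e.g. `/* No '=' on the command line: val is NULL here. */`, because nothing in this function shows that the caller can pass a NULL `val`.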
--
Thorsten Blum <thorsten.blum@linux.dev>
GPG: 1D60 735E 8AEF 3BE4 73B6 9D84 7336 78FD 8DFE EAD4