Date: Mon, 30 Sep 2024 10:02:34 -0700
From: Andrew Morton
To: Gianfranco Trad
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, skhan@linuxfoundation.org, syzbot+4089e577072948ac5531@syzkaller.appspotmail.com, willy@infradead.org
Subject: Re: [PATCH v2] Fix NULL pointer dereference in read_cache_folio
Message-Id: <20240930100234.f7e91af05adeea036e0be8cc@linux-foundation.org>
In-Reply-To: <20240930090225.28517-2-gianf.trad@gmail.com>
References: <20240929230548.370027-3-gianf.trad@gmail.com> <20240930090225.28517-2-gianf.trad@gmail.com>

On Mon, 30 Sep 2024 11:02:26 +0200 Gianfranco Trad wrote:

> Add check on filler to prevent NULL pointer dereference condition in
> read_cache_folio[1].
>
> [1] https://syzkaller.appspot.com/bug?extid=4089e577072948ac5531

Test case https://syzkaller.appspot.com/x/repro.c?x=10a0d880580000

> diff --git a/mm/filemap.c b/mm/filemap.c
> index 4f3753f0a158..88de8029133c 100644
> --- a/mm/filemap.c
> +++ b/mm/filemap.c
> @@ -2360,6 +2360,8 @@ static int filemap_read_folio(struct file *file, filler_t filler,
> /* Start the actual read. The read will unlock the page. */
> if (unlikely(workingset))
> psi_memstall_enter(&pflags);
> + if (!filler)
> + return -EIO;
> error = filler(file, folio);
> if (unlikely(workingset))
> psi_memstall_leave(&pflags);

do_read_cache_folio() already handles a NULL filler (from freader_get_folio()'s read_cache_folio() call).

	if (!filler)
		filler = mapping->a_ops->read_folio;

so I'm suspecting that an appropriate fix is to teach the underlying address_space_operations (appears to be from /proc/pid/maps) to implement ->read_folio().
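Review bot: the added "if (!filler) return -EIO;" in the filemap_read_folio() hunk sits after psi_memstall_enter(&pflags) and before the read that the preceding comment says will unlock the page, so on the NULL-filler path the early return skips psi_memstall_leave(&pflags) whenever workingset is set and hands the folio back still locked. If a check is kept in this function at all, it belongs above the psi_memstall_enter() call and has to unlock the folio before returning; given that do_read_cache_folio() already substitutes mapping->a_ops->read_folio for a NULL filler, as the reply points out, the defect to address is the missing ->read_folio() on the address_space in question rather than a late check in the read path.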