Date: Mon, 27 Jan 2025 22:42:10 +0000
From: Matthew Wilcox
To: sooraj
Cc: linux-mm@kvack.org
Subject: Re: [PATCH] mm/nommu: Fix NULL mm dereference in __vmalloc_user_flags
References: <20250128072252.10259-1-sooraj20636@gmail.com>
In-Reply-To: <20250128072252.10259-1-sooraj20636@gmail.com>

On Tue, Jan 28, 2025 at 02:22:52AM -0500, sooraj wrote:
> Problem:
> The __vmalloc_user_flags() function attempts to acquire mmap_lock
> via current->mm without checking if the mm context exists. This causes
> a NULL pointer dereference when called from kernel threads (where
> current->mm == NULL), such as during filesystem operations.

I'm having a hard time thinking of a case where this could happen.
Could you provide a backtrace showing an example?

> Fix:
> Add a NULL check for current->mm before attempting mmap_lock operations.
> Kernel threads don't have user memory mappings, so VM_USERMAP flag
> setting can be safely skipped in this context.
>
> Signed-off-by: sooraj

Do you sign cheques as 'sooraj'?  You need to use your real, legal name.

> + struct mm_struct *mm = current->mm;
> +
> + if(!mm){
> + goto out;
> + }

All kinds of whitespace problems here.  It should be:

	if (!mm)
		goto out;

> mmap_write_lock(current->mm);
> vma = find_vma(current->mm, (unsigned long)ret);

And since you've gone to the trouble of loading current->mm into a local
variable, you should use it throughout the function.

> @@ -160,6 +165,7 @@ static void *__vmalloc_user_flags(unsigned long size, gfp_t flags)
> mmap_write_unlock(current->mm);
> }
>
> + out:

and this should not be indented.

> return ret;
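Review bot: the `if(!mm){ goto out; }` added in the first hunk makes the function hand back the freshly allocated buffer with VM_USERMAP never set whenever `current->mm` is NULL, and the description only asserts that skipping the flag is safe without naming the caller that reaches this path; the backtrace requested above is also what the commit message needs in order to show that such a caller does not actually rely on the allocation being user-mappable. The check itself can be folded into the condition that already guards the locked region (for example `if (ret && mm)`), which removes the need for the `goto` and the `out:` label altogether.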
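Review bot: in the `@@ -160,6 +165,7 @@` hunk the added `out:` label sits directly on `return ret;`, so the jump lands on the statement control reaches anyway once the block closed by the `}` context line ends; beyond the indentation already pointed out, this hunk can be dropped entirely if the NULL check is expressed as part of the enclosing condition instead of a `goto`. The unchanged `mmap_write_unlock(current->mm);` context line also shows the unlock still bypassing the new `mm` local, which the comment about using it throughout the function already covers.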