Date: Thu, 3 Oct 2024 21:31:17 +0100
From: Matthew Wilcox
To: manas18244@iiitd.ac.in
Cc: Andrew Morton, Peter Xu, Shuah Khan, Anup Sharma, linux-mm@kvack.org,
 linux-kernel@vger.kernel.org,
 syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
Subject: Re: [PATCH] Fixes: null pointer dereference in pfnmap_lockdep_assert
References: <20241003-fix-null-deref-v1-1-0a45df9d016a@iiitd.ac.in>
In-Reply-To: <20241003-fix-null-deref-v1-1-0a45df9d016a@iiitd.ac.in>
On Thu, Oct 03, 2024 at 09:31:06PM +0530, Manas via B4 Relay wrote:
> From: Manas
>
> syzbot has pointed to a possible null pointer dereference in
> pfnmap_lockdep_assert. vm_file member of vm_area_struct is being
> dereferenced without any checks.
>
> This fix returns if vm_file member in vm_area_struct is NULL.

This seems like the wrong fix. It's mmap'ing a file, so vm_file should
not be NULL. Or have I forgotten something very important about how
the MM works?

> Reported-by: syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
> ---
> This bug[1] triggers a general protection fault in follow_pfnmap_start
> function. An assertion pfnmap_lockdep_assert inside this function
> dereferences vm_file member of vm_area_struct. And panic gets triggered
> when vm_file is NULL.
>
> This patch returns from the assertion pfnmap_lockdep_assert if vm_file
> is found to be NULL.
>
> [1] https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
>
> Signed-off-by: Manas
> ---
> mm/memory.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mm/memory.c b/mm/memory.c
> index 2366578015ad..b152a95e543f 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -6346,6 +6346,9 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args,
> static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma)
> {
> #ifdef CONFIG_LOCKDEP
> + if (!vma->vm_file)
> + return;
> +
> struct address_space *mapping = vma->vm_file->f_mapping;
>
> if (mapping)
>
> ---
> base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc
> change-id: 20241003-fix-null-deref-6bfa0337efc3
>
> Best regards,
> --
> Manas
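Review bot: the early `return` inserted ahead of the `mapping` declaration bypasses the whole lockdep assertion for any vma whose vm_file is NULL, adding a second exit from the function, whereas the existing `if (mapping)` test already tolerates a NULL address_space; if a NULL vm_file really can reach this point, deriving `mapping` as NULL in that case (`struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;`) would take the path the function already has instead of skipping the check outright. The commit message should also state which caller hands follow_pfnmap_start() a vma without a vm_file, since the reply above questions whether that is possible for a file mmap; without that explanation the change silences the syzbot report rather than addressing its cause. Minor: the subject uses "Fixes:" as a prefix, which collides with the Fixes: trailer convention; a subsystem prefix such as "mm: ..." would match the tree's style.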