From: Matthew Wilcox <willy@infradead.org>
To: SHAURYA RANE <ssrane_b23@ee.vjti.ac.in>
Cc: akpm@linux-foundation.org, shakeel.butt@linux.dev,
eddyz87@gmail.com, andrii@kernel.org, ast@kernel.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org,
linux-kernel-mentees@lists.linux.dev, skhan@linuxfoundation.org,
david.hunter.linux@gmail.com, khalid@kernel.org,
syzbot+09b7d050e4806540153d@syzkaller.appspotmail.com
Subject: Re: [PATCH] mm/filemap: fix NULL pointer dereference in do_read_cache_folio()
Date: Sun, 16 Nov 2025 22:32:12 +0000 [thread overview]
Message-ID: <aRpQ7LTZDP-Xz-Sr@casper.infradead.org> (raw)
In-Reply-To: <CANNWa07Y_GPKuYNQ0ncWHGa4KX91QFosz6WGJ9P6-AJQniD3zw@mail.gmail.com>
First, some process things ;-)
1. Thank you for working on this. Andrii has been ignoring it since
August, which is bad. So thank you for picking it up.
2. Sending a v2 while we're having a discussion is generally a bad idea.
It's fine to send a patch as a reply, but going as far as a v2 isn't
necessary. If conversation has died down, then a v2 is definitely
warranted, but you and I are still having a discussion ;-)
3. When you do send a v2 (or, now that you've sent a v2, send a v3),
do it as a new thread rather then in reply to the v1 thread. That plays
better with the tooling we have like b4 which will pull in all patches
in a thread.
With that over with, on to the fun technical stuff.
On Sun, Nov 16, 2025 at 11:13:42AM +0530, SHAURYA RANE wrote:
> On Sat, Nov 15, 2025 at 2:14 AM Matthew Wilcox <willy@infradead.org> wrote:
> >
> > On Sat, Nov 15, 2025 at 01:07:29AM +0530, ssrane_b23@ee.vjti.ac.in wrote:
> > > When read_cache_folio() is called with a NULL filler function on a
> > > mapping that does not implement read_folio, a NULL pointer
> > > dereference occurs in filemap_read_folio().
> > >
> > > The crash occurs when:
> > >
> > > build_id_parse() is called on a VMA backed by a file from a
> > > filesystem that does not implement ->read_folio() (e.g. procfs,
> > > sysfs, or other virtual filesystems).
> >
> > Not a fan of this approach, to be honest. This should be caught at
> > a higher level. In __build_id_parse(), there's already a check:
> >
> > /* only works for page backed storage */
> > if (!vma->vm_file)
> > return -EINVAL;
> >
> > which is funny because the comment is correct, but the code is not.
> > I suspect the right answer is to add right after it:
> >
> > + if (vma->vm_file->f_mapping->a_ops == &empty_aops)
> > + return -EINVAL;
> >
> > Want to test that out?
> Thanks for the suggestion.
> Checking for
> a_ops == &empty_aops
> is not enough. Certain filesystems for example XFS with DAX use
> their own a_ops table (not empty_aops) but still do not implement
> ->read_folio(). In those cases read_cache_folio() still ends up with
> filler = NULL and filemap_read_folio(NULL) crashes.
Ah, right. I had assumed that the only problem was synthetic
filesystems like sysfs and procfs which can't have buildids because
buildids only exist in executables. And neither procfs nor sysfs
contain executables.
But DAX is different. You can absolutely put executables on a DAX
filesystem. So we shouldn't filter out DAX here. And we definitely
shouldn't *silently* fail for DAX. Otherwise nobody will ever realise
that the buildid people just couldn't be bothered to make DAX work.
I don't think it's necessarily all that hard to make buildid work
for DAX. It's probably something like:
if (IS_DAX(file_inode(file)))
kernel_read(file, buf, count, &pos);
but that's just off the top of my head.
I really don't want the check for filler being NULL in read_cache_folio().
I want it to crash noisily if callers are doing something stupid.
next prev parent reply other threads:[~2025-11-16 22:32 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-14 19:37 ssrane_b23
2025-11-14 20:44 ` Matthew Wilcox
2025-11-16 5:42 ` [PATCH v2] " ssrane_b23
2025-11-16 5:43 ` [PATCH] " SHAURYA RANE
2025-11-16 22:32 ` Matthew Wilcox [this message]
2025-11-17 14:10 ` Shaurya Rane
2025-11-17 18:42 ` Andrii Nakryiko
2025-11-17 16:41 ` Darrick J. Wong
2025-11-17 18:03 ` Matthew Wilcox
2025-11-17 18:45 ` Andrii Nakryiko
2025-11-18 13:03 ` Christoph Hellwig
2025-11-18 15:37 ` Matthew Wilcox
2025-11-18 16:12 ` Darrick J. Wong
2025-11-18 19:38 ` Andrii Nakryiko
2025-11-19 5:52 ` Christoph Hellwig
2025-11-19 6:29 ` Darrick J. Wong
2025-11-18 19:27 ` Andrii Nakryiko
2025-11-19 5:50 ` Christoph Hellwig
2025-11-19 17:12 ` Andrii Nakryiko
2025-11-18 5:05 ` Christoph Hellwig
2025-11-18 12:51 ` Matthew Wilcox
2025-11-18 12:56 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aRpQ7LTZDP-Xz-Sr@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=david.hunter.linux@gmail.com \
--cc=eddyz87@gmail.com \
--cc=khalid@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=shakeel.butt@linux.dev \
--cc=skhan@linuxfoundation.org \
--cc=ssrane_b23@ee.vjti.ac.in \
--cc=syzbot+09b7d050e4806540153d@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox