Date: Fri, 4 Oct 2024 18:57:57 +0530
From: Manas
To: Peter Xu
Cc: Andrew Morton, Shuah Khan, Anup Sharma, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
Subject: Re: [PATCH v2] Fixes: null pointer dereference in pfnmap_lockdep_assert
References: <20241004-fix-null-deref-v2-1-23ad90999cd1@iiitd.ac.in>

On 04.10.2024 09:21, Peter Xu wrote:
>On Fri, Oct 04, 2024 at 06:35:53PM +0530, Manas via B4 Relay wrote:
>> From: Manas
>>
>> syzbot has pointed to a possible null pointer dereference in
>> pfnmap_lockdep_assert. vm_file member of vm_area_struct is being
>> dereferenced without any checks.
>>
>> This fix returns if vm_file member in vm_area_struct is NULL.
>>
>> Reported-by: syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
>> Closes: https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
>> ---
>> This bug[1] triggers a general protection fault in follow_pfnmap_start
>> function. An assertion pfnmap_lockdep_assert inside this function
>> dereferences vm_file member of vm_area_struct. And panic gets triggered
>> when vm_file is NULL.
>>
>> This patch returns from the assertion pfnmap_lockdep_assert if vm_file
>> is found to be NULL.
>>
>> [1] https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
>>
>> Signed-off-by: Manas
>
>Reviewed-by: Peter Xu
>
>One nitpick:
>
>> ---
>> Changes in v2:
>> - v2: use ternary operator according to feedback
>> - Link to v1: https://lore.kernel.org/r/20241003-fix-null-deref-v1-1-0a45df9d016a@iiitd.ac.in
>> ---
>>  mm/memory.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/mm/memory.c b/mm/memory.c
>> index 2366578015ad..5ed109a8f02e 100644
>> --- a/mm/memory.c
>> +++ b/mm/memory.c
>> @@ -6346,7 +6346,7 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args, >> static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma) >> { >> #ifdef CONFIG_LOCKDEP >> - struct address_space *mapping = vma->vm_file->f_mapping; >> + struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL; >> >> if (mapping) >> lockdep_assert(lockdep_is_held(&vma->vm_file->f_mapping->i_mmap_rwsem) || > >This can use "mapping" directly, as I mentioned in previous email (but >probably got overlooked..). > >Thanks! Oh no! I missed it. Sending v3... > >> >> --- >> base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc >> change-id: 20241003-fix-null-deref-6bfa0337efc3 >> >> Best regards, >> -- >> Manas >> >> > >-- >Peter Xu > -- Manas
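Review bot: the `+` line makes `mapping` NULL-safe, but the unchanged context line right below it still walks the same chain, `lockdep_is_held(&vma->vm_file->f_mapping->i_mmap_rwsem)`; that is only safe because it sits under `if (mapping)`, and it repeats a lookup the local already holds, so the assertion should read `lockdep_is_held(&mapping->i_mmap_rwsem)` (the nitpick Peter raises above, which the promised v3 should carry). Separately, the commit message and the cover text ("This fix returns if vm_file member in vm_area_struct is NULL", "returns from the assertion pfnmap_lockdep_assert if vm_file is found to be NULL") describe an early return that this hunk no longer performs: with the ternary, a NULL `vm_file` yields `mapping == NULL` and the function simply skips the assertion and falls through. Reword the description to match the code before resending, and consider whether a `Fixes:` trailer naming the commit that introduced `pfnmap_lockdep_assert` belongs here, since the subject line uses "Fixes:" as a prefix rather than as the tag.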