mm/pagemap: fix null ptr deref in do_pagemap_cmd

Message ID	tencent_11194B111B6F25CEBA5FBB71336B9E9D1B08@qq.com (mailing list archive)
State	New, archived
Headers	show Received: from out203-205-221-173.mail.qq.com (out203-205-221-173.mail.qq.com [203.205.221.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D20681C6AD; Tue, 5 Mar 2024 11:38:19 +0000 (UTC) Message-ID: <tencent_11194B111B6F25CEBA5FBB71336B9E9D1B08@qq.com> From: Edward Adam Davis <eadavis@qq.com> To: syzbot+02e64be5307d72e9c309@syzkaller.appspotmail.com Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: [PATCH] mm/pagemap: fix null ptr deref in do_pagemap_cmd Date: Tue, 5 Mar 2024 19:38:16 +0800 In-Reply-To: <0000000000001bc4a00612d9a7f4@google.com> References: <0000000000001bc4a00612d9a7f4@google.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	mm/pagemap: fix null ptr deref in do_pagemap_cmd \| expand mm/pagemap: fix null ptr deref in do_pagemap_cmd

Message ID

tencent_11194B111B6F25CEBA5FBB71336B9E9D1B08@qq.com (mailing list archive)

State

New, archived

Headers

Message-ID: <tencent_11194B111B6F25CEBA5FBB71336B9E9D1B08@qq.com>
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+02e64be5307d72e9c309@syzkaller.appspotmail.com
Cc: linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	syzkaller-bugs@googlegroups.com
Subject: [PATCH] mm/pagemap: fix null ptr deref in do_pagemap_cmd
Date: Tue,  5 Mar 2024 19:38:16 +0800
In-Reply-To: <0000000000001bc4a00612d9a7f4@google.com>
References: <0000000000001bc4a00612d9a7f4@google.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

mm/pagemap: fix null ptr deref in do_pagemap_cmd | expand

Commit Message

Edward Adam Davis March 5, 2024, 11:38 a.m. UTC

When pagemap_open() runs in the kernel thread context, task->mm is NULL, it will
causes the pagemap file object's file->private_date to be NULL when the pagemap
file is opened, this will ultimately result in do_pagemap_cmd() referencing a 
null pointer.

So, before PAGEMAP_SCAN ioctl() call do_pagemap_scan(), need check mm first.

Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Reported-and-tested-by: syzbot+02e64be5307d72e9c309@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/proc/task_mmu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 3f78ebbb795f..ab28666956d0 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -2510,6 +2510,8 @@  static long do_pagemap_cmd(struct file *file, unsigned int cmd,
 
 	switch (cmd) {
 	case PAGEMAP_SCAN:
+		if (!mm)
+			return -EINVAL;
 		return do_pagemap_scan(mm, arg);
 
 	default:

mm/pagemap: fix null ptr deref in do_pagemap_cmd

Commit Message

Patch