From patchwork Thu Oct 3 16:01:06 2024
X-Patchwork-Submitter: Manas via B4 Relay
X-Patchwork-Id: 13821208
From: Manas via B4 Relay
Date: Thu, 03 Oct 2024 21:31:06 +0530
Subject: [PATCH] Fixes: null pointer dereference in pfnmap_lockdep_assert
Message-Id: <20241003-fix-null-deref-v1-1-0a45df9d016a@iiitd.ac.in>
To: Andrew Morton
Cc: Peter Xu, Shuah Khan, Anup Sharma, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+093d096417e7038a689b@syzkaller.appspotmail.com, Manas
X-Mailer: b4 0.14.1
Reply-To: manas18244@iiitd.ac.in
List-ID: linux-mm@kvack.org
From: Manas

syzbot has pointed to a possible null pointer dereference in
pfnmap_lockdep_assert. vm_file member of vm_area_struct is being
dereferenced without any checks. This fix returns if vm_file member in
vm_area_struct is NULL.

Reported-by: syzbot+093d096417e7038a689b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b
---
This bug [1] triggers a general protection fault in follow_pfnmap_start
function. An assertion pfnmap_lockdep_assert inside this function
dereferences vm_file member of vm_area_struct. And panic gets triggered
when vm_file is NULL.

This patch returns from the assertion pfnmap_lockdep_assert if vm_file
is found to be NULL.

[1] https://syzkaller.appspot.com/bug?extid=093d096417e7038a689b

Signed-off-by: Manas
---
 mm/memory.c | 3 +++
 1 file changed, 3 insertions(+)
---
base-commit: 9852d85ec9d492ebef56dc5f229416c925758edc
change-id: 20241003-fix-null-deref-6bfa0337efc3

Best regards,

diff --git a/mm/memory.c b/mm/memory.c
index 2366578015ad..b152a95e543f 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -6346,6 +6346,9 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args,
 static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma)
 {
 #ifdef CONFIG_LOCKDEP
+	if (!vma->vm_file)
+		return;
+
 	struct address_space *mapping = vma->vm_file->f_mapping;
 	if (mapping)
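Review bot: The early `return` added at the top of the `#ifdef CONFIG_LOCKDEP` block turns an assertion helper into a no-op for every VMA without a backing file, so in exactly the case syzbot hit the function no longer asserts anything about locking. The visible `if (mapping)` shows the function already handles a NULL mapping on its own, so a smaller change that keeps that path alive is to compute the mapping defensively instead of returning: `struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;`. That also avoids inserting statements ahead of the declaration of `mapping`, which is the layout the rest of this function uses. If the early return is intentional, the commit message should say why a file-less VMA needs no lock assertion rather than only that it avoids the NULL dereference.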