Re: [PATCH v2 2/4] mm: use get_i_mmap_root to access the file's i_mmap

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] In `nommu_shrink_inode_mappings`, `get_i_mmap_root()` is incorrectly called with `&inode->i_mapping` instead of `inode->i_mapping`, causing an invalid pointer calculation and subsequent memory corruption.
--

commit af3e57c8cfc7072a4088af8cf0bf41f373c9261b
Author: Huang Shijie <huangsj@hygon.cn>

mm: use get_i_mmap_root to access the file's i_mmap

This patch introduces the get_i_mmap_root() helper to encapsulate direct 
accesses to the i_mmap interval tree root within struct address_space. It 
updates various architectures and core memory management subsystems to use 
the new helper.

> diff --git a/mm/nommu.c b/mm/nommu.c
> index ed3934bc2de48..0f18ffc658e95 100644
> --- a/mm/nommu.c
> +++ b/mm/nommu.c
[ ... ]
> @@ -1804,6 +1804,7 @@ EXPORT_SYMBOL_GPL(copy_remote_vm_str);
>  int nommu_shrink_inode_mappings(struct inode *inode, size_t size,
>  				size_t newsize)
>  {
> +	struct rb_root_cached *root = get_i_mmap_root(&inode->i_mapping);

[Severity: High]
Does this code pass a double pointer to get_i_mmap_root()? 

Since inode->i_mapping is already a pointer to struct address_space, passing 
&inode->i_mapping provides a struct address_space ** instead of the expected 
struct address_space *. 

This will cause get_i_mmap_root() to calculate an invalid address by adding 
the structure offset to the address of the i_mapping pointer itself. The 
subsequent call to vma_interval_tree_foreach() will interpret garbage memory 
as an rb_root_cached structure, leading to a panic when it attempts to 
dereference the fake rb_node pointers. Should this be called with 
inode->i_mapping instead?

>  	struct vm_area_struct *vma;
>  	struct vm_region *region;
>  	pgoff_t low, high;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260611061915.2354307-1-huangsj@hygon.cn?part=2