Date: Tue, 23 Jun 2026 10:51:59 +0000
From: Tarun Sahu
To: Mike Rapoport, Pasha Tatashin, Pratyush Yadav, Andrew Morton, Alexander Graf
Cc: kexec@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Tarun Sahu
Subject: [PATCH v5 1/3] mm/memfd_luo: validate serialized_data before conversion
Message-ID: <20260623105201.3724592-2-tarunsahu@google.com>
In-Reply-To: <20260623105201.3724592-1-tarunsahu@google.com>
References: <20260623105201.3724592-1-tarunsahu@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Mailer: git-send-email 2.55.0.rc0.786.g65d90a0328-goog

In memfd_luo_finish() and memfd_luo_retrieve(), phys_to_virt() was called on args->serialized_data before checking if the physical address is valid. Since physical address 0 does not map to virtual NULL (due to direct mapping offsets), the subsequent check 'if (!ser)' was ineffective at catching a missing serialized_data, leading to unsafe dereferences later.

Validate that args->serialized_data is non-zero before calling phys_to_virt().

Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: Tarun Sahu
---
 mm/memfd_luo.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index 59de210bee5f..10f3983b0060 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -397,10 +397,11 @@ static void memfd_luo_finish(struct liveupdate_file_op_args *args) if (args->retrieve_status) return; - ser = phys_to_virt(args->serialized_data); - if (!ser) + if (!args->serialized_data) return; + ser = phys_to_virt(args->serialized_data); + if (ser->nr_folios) { folios_ser = kho_restore_vmalloc(&ser->folios); if (!folios_ser)
@@ -522,10 +523,11 @@ static int memfd_luo_retrieve(struct liveupdate_file_op_args *args) struct file *file; int err; - ser = phys_to_virt(args->serialized_data); - if (!ser) + if (!args->serialized_data) return -EINVAL; + ser = phys_to_virt(args->serialized_data); + /* Make sure the file only has seals supported by this version. */ if (ser->seals & ~MEMFD_LUO_ALL_SEALS) { err = -EOPNOTSUPP; -- 2.55.0.rc0.786.g65d90a0328-goog
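Review bot: in the memfd_luo_finish() hunk (@@ -397,10 +397,11 @@), the new `if (!args->serialized_data) return;` only rejects a zero physical address; any other stale or corrupted value is still passed to phys_to_virt() and then dereferenced through `ser->nr_folios`, so the check closes the ineffective-NULL-test gap the commit message describes without validating the address itself. If the record's address can only be trusted after memfd_luo_retrieve() has vetted it, a one-line comment saying so would help the next reader; otherwise a stronger sanity check on the address (for example a pfn_valid() test) belongs here too. The silent `return` on a missing record also hides a broken handover from the previous kernel; a WARN_ON_ONCE() would make that visible in the log rather than quietly skipping the folio restore.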
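Review bot: in the memfd_luo_retrieve() hunk (@@ -522,10 +523,11 @@), the -EINVAL return for a zero `args->serialized_data` carries no diagnostic, whereas the check that follows it (`if (ser->seals & ~MEMFD_LUO_ALL_SEALS)`) at least fails with a distinct -EOPNOTSUPP; consider a pr_warn() or pr_err() here so a missing serialized record is distinguishable from the other -EINVAL paths in this function. The zero-test-then-phys_to_virt() sequence is now duplicated verbatim in memfd_luo_finish() and memfd_luo_retrieve(); a small static helper that validates and converts in one place would keep the two from drifting apart if a stronger address check is added later.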
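The failure the commit message describes, modelled as an added C example (this is not kernel code and not part of the patch): a byte array stands in for RAM, model_phys_to_virt() mirrors the fixed-offset arithmetic of phys_to_virt(), and old_retrieve()/new_retrieve() mirror the pre-patch and post-patch ordering of the NULL test in memfd_luo_retrieve(). ranged_retrieve() goes beyond the patch with a bounds check to show that zero is only one invalid value. The RAM size, the struct layout, the function names and the example physical addresses are assumptions made for this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed model of the kernel's linear map, not kernel code. In the
 * kernel, phys_to_virt() adds a fixed offset to a physical address, so
 * physical address 0 converts to the base of the direct map, never to
 * NULL. Here a byte array stands in for RAM; its size, the record layout
 * and the addresses used below are assumptions for this example only.
 */
#define MODEL_RAM_SIZE 4096u
static unsigned char model_ram[MODEL_RAM_SIZE];

typedef uint32_t phys_addr_t;

/* Stand-in for the serialized memfd record (assumed layout). */
struct model_ser {
	uint32_t nr_folios;
	uint32_t seals;
};

/* Stand-in for struct liveupdate_file_op_args (assumed layout). */
struct model_args {
	phys_addr_t serialized_data;
};

/* Pure arithmetic, like the real helper: phys 0 yields &model_ram[0]. */
static void *model_phys_to_virt(phys_addr_t phys)
{
	return model_ram + phys;
}

/* Writes a serialized record at a chosen physical address. */
static void model_store_ser(phys_addr_t phys, uint32_t nr_folios, uint32_t seals)
{
	struct model_ser s = { nr_folios, seals };

	memcpy(model_ram + phys, &s, sizeof(s));
}

/*
 * Pre-patch order: convert first, then test the pointer. The NULL test
 * can never fire, so a zero serialized_data silently reads whatever sits
 * at the base of the direct map. Returns 0 on "success", like retrieve().
 */
static int old_retrieve(const struct model_args *args, uint32_t *nr_folios)
{
	struct model_ser *ser = model_phys_to_virt(args->serialized_data);

	if (!ser)
		return -EINVAL;
	*nr_folios = ser->nr_folios;
	return 0;
}

/* Patched order: reject a zero physical address before converting. */
static int new_retrieve(const struct model_args *args, uint32_t *nr_folios)
{
	struct model_ser *ser;

	if (!args->serialized_data)
		return -EINVAL;
	ser = model_phys_to_virt(args->serialized_data);
	*nr_folios = ser->nr_folios;
	return 0;
}

/*
 * Beyond the patch (an assumption for this model, not something the
 * kernel change does): zero is only one invalid value. A bounds check
 * also catches non-zero addresses outside the modelled RAM, which would
 * otherwise convert to a pointer past the end of the array.
 */
static int ranged_retrieve(const struct model_args *args, uint32_t *nr_folios)
{
	if (!args->serialized_data ||
	    args->serialized_data > MODEL_RAM_SIZE - sizeof(struct model_ser))
		return -EINVAL;
	return new_retrieve(args, nr_folios);
}
```

With serialized_data set to 0, old_retrieve() returns 0 and reports the nr_folios it found at the base of the array, while new_retrieve() returns -EINVAL without touching it; ranged_retrieve() additionally refuses an address such as 5000 that the zero test alone would accept.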