From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: Sungwoo Kim <iam@sung-woo.kim>
Cc: Jens Axboe <axboe@kernel.dk>, Keith Busch <kbusch@kernel.org>,
	 Chao Shi <cshi008@fiu.edu>, Weidong Zhu <weizhu@fiu.edu>,
	Dave Tian <daveti@purdue.edu>,
	 linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user()
Date: Thu, 30 Apr 2026 22:35:37 +0900
Message-ID: <afM2oyQTraSWa5vO@shinmob>
In-Reply-To: <20260427040926.987166-3-iam@sung-woo.kim>

On Apr 27, 2026 / 00:09, Sungwoo Kim wrote:
> pin_user_pages_fast() can partially succeed and return the number of
> pages that were actually pinned. However, the bio_integrity_map_user()
> does not handle this partial pinning. This leads to a general protection
> fault since bvec_from_pages() dereferences an unpinned page address,
> which is 0.
> 
> To fix this, add a check to verify that all requested memory is pinned.
> If partial pinning occurs, unpin the memory and return -EFAULT.
> 
> Reproducer in blktest: https://github.com/linux-blktests/blktests/pull/244

The blktests Pull Request modifies the test case nvme/064 to write with 80KiB
of metadata. With this change, I confirmed that the Oops below was recreated
on my test system using kernel v7.1-rc1.

> 
> Kernel Oops:
> 
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] SMP KASAN NOPTI
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
> CPU: 0 UID: 0 PID: 1061 Comm: nvme-passthroug Not tainted 7.0.0-11783-g90957f9314e8-dirty #16 PREEMPT(lazy)
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
> RIP: 0010:bio_integrity_map_user.cold+0x1b0/0x9d6
> 
> Fixes: 492c5d455969 ("block: bio-integrity: directly map user buffers")
> Acked-by: Chao Shi <cshi008@fiu.edu>
> Acked-by: Weidong Zhu <weizhu@fiu.edu>
> Acked-by: Dave Tian <daveti@purdue.edu>
> Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
> ---
> V3: https://lore.kernel.org/linux-block/20260420020327.1667156-3-iam@sung-woo.kim/
> 
> V3->V4
> - Addressed sashiko's comments [1], if it makes sense.
> - V3 wrongly assumed that iov_iter_extract_pages() always pins user
>   memory.
> - V3 insufficiently handled the return value range.
> 
> [1] https://sashiko.dev/#/patchset/20260420020327.1667156-3-iam%40sung-woo.kim

I applied this v4 patch to the v7.1-rc1 kernel. With this, I confirmed that the
Oops goes away. Looks good from a testing point of view.

Tested-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
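Added illustration, not the kernel's code and not this patch: a user-space
model of the check the commit message describes. pin_pages_model() is a
constructed stand-in for pin_user_pages_fast() that can fail, pin nothing,
or pin only part of the request; struct page, MODEL_PAGES, pin_limit,
map_user_pages_checked(), first_unpinned_slot() and run_scenario() are all
names made up for the example. The page does not show how the actual patch
treats a return of 0 pages; the model treats it like any other short count
(release what was pinned, return -EFAULT), which is the example's assumption.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGES 16          /* constructed: size of the fake page pool */

/* Stand-in for struct page; only the pin count matters for this model. */
struct page { int pincount; };

static struct page backing[MODEL_PAGES];   /* constructed fake page frames */
static int pin_limit = MODEL_PAGES;        /* how many pages the model will pin */

/*
 * Model of pin_user_pages_fast(): negative errno on hard failure, otherwise
 * the number of pages actually pinned, anywhere from 0 up to nr_pages.
 * Slots beyond the returned count are left untouched (the caller zeroed
 * them, so they hold NULL, like the "unpinned page address, which is 0"
 * in the commit message).
 */
static int pin_pages_model(unsigned long nr_pages, struct page **pages)
{
    unsigned long i;

    if (nr_pages > MODEL_PAGES)
        return -EINVAL;
    for (i = 0; i < nr_pages && i < (unsigned long)pin_limit; i++) {
        backing[i].pincount++;
        pages[i] = &backing[i];
    }
    return (int)i;
}

static void unpin_pages_model(struct page **pages, unsigned long n)
{
    for (unsigned long i = 0; i < n; i++)
        pages[i]->pincount--;
}

/* Outstanding pins across the pool; non-zero after a round trip is a leak. */
static int total_pincount(void)
{
    int sum = 0;
    for (int i = 0; i < MODEL_PAGES; i++)
        sum += backing[i].pincount;
    return sum;
}

/*
 * The pre-fix assumption made visible: code that trusts pages[] to be fully
 * populated walks all nr_pages slots. Returns the index of the first NULL
 * slot, i.e. the pointer such code would dereference, or -1 if there is none.
 */
static int first_unpinned_slot(struct page **pages, unsigned long nr_pages)
{
    for (unsigned long i = 0; i < nr_pages; i++)
        if (pages[i] == NULL)
            return (int)i;
    return -1;
}

/*
 * The fixed pattern: anything other than "all nr_pages pinned" is a failure.
 * A negative return is propagated as-is (nothing was pinned); a short count,
 * including 0, releases what was pinned and reports -EFAULT, so no caller
 * ever walks a half-filled page array.
 */
static int map_user_pages_checked(unsigned long nr_pages, struct page **pages)
{
    int ret;

    memset(pages, 0, nr_pages * sizeof(*pages));
    ret = pin_pages_model(nr_pages, pages);
    if (ret < 0)
        return ret;
    if ((unsigned long)ret != nr_pages) {
        unpin_pages_model(pages, (unsigned long)ret);
        return -EFAULT;
    }
    return 0;
}

struct outcome {
    int ret;          /* what map_user_pages_checked() returned */
    int first_null;   /* slot the unchecked path would have dereferenced */
    int leaked;       /* pins still held after the round trip */
};

/* One scenario: the model pins at most `limit` of `nr_pages` (nr_pages <= 32). */
static struct outcome run_scenario(int limit, unsigned long nr_pages)
{
    struct page *pages[MODEL_PAGES * 2] = {0};
    struct outcome o;

    pin_limit = limit;
    o.ret = map_user_pages_checked(nr_pages, pages);
    o.first_null = first_unpinned_slot(pages, nr_pages);
    if (o.ret == 0)
        unpin_pages_model(pages, nr_pages);
    o.leaked = total_pincount();
    return o;
}

int main(void)
{
    struct outcome full = run_scenario(MODEL_PAGES, 4);
    struct outcome part = run_scenario(2, 4);

    printf("full pin:    ret=%d first_null=%d leaked=%d\n",
           full.ret, full.first_null, full.leaked);
    printf("partial pin: ret=%d first_null=%d leaked=%d\n",
           part.ret, part.first_null, part.leaked);
    return 0;
}
```

The partial scenario is the one the reproducer triggers: two of four pages
come back pinned, slot 2 is NULL, and the checked path returns -EFAULT with
no pin left behind instead of handing the array on to be dereferenced.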


Thread overview: 4+ messages
2026-04-27  4:09 [PATCH v4] block: bio-integrity: Fix null-ptr-deref in bio_integrity_map_user() Sungwoo Kim
2026-04-30 13:35 ` Shin'ichiro Kawasaki [this message]
2026-05-07  7:01   ` Sungwoo Kim
2026-05-07  7:51 ` Jens Axboe