From: Stepan Ionichev
To: akpm@linux-foundation.org
Cc: david@kernel.org, jgg@ziepe.ca, jhubbard@nvidia.com, peterx@redhat.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Stepan Ionichev
Subject: [PATCH] mm/gup: tolerate NULL unlocked in fixup_user_fault()
Date: Thu, 7 May 2026 13:30:50 +0500
Message-ID: <20260507083050.416-1-sozdayvek@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

fixup_user_fault() takes a "bool *unlocked" output parameter that callers
may set to NULL when they do not want the retry/unlock machinery. The
function honours that contract on the way in:

	if (unlocked)
		fault_flags |= FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;

so callers passing NULL never set FAULT_FLAG_ALLOW_RETRY. In return,
handle_mm_fault() is not expected to produce VM_FAULT_RETRY or
VM_FAULT_COMPLETED for them, which is why the dereferences of unlocked
further down used to be considered unreachable.

That invariant is implicit, not enforced. At least one caller in
arch/s390/pci/pci_mmio.c does pass NULL:

	fixup_user_fault(current->mm, mmio_addr, FAULT_FLAG_WRITE, NULL);

If a future change in handle_mm_fault() ever returned VM_FAULT_COMPLETED
or VM_FAULT_RETRY without ALLOW_RETRY having been requested, the
unconditional "*unlocked = true" stores would NULL-deref and crash the
kernel for this path.

smatch flags both stores:

  mm/gup.c:1597 fixup_user_fault() error: we previously assumed 'unlocked' could be null (see line 1573)
  mm/gup.c:1612 fixup_user_fault() error: we previously assumed 'unlocked' could be null (see line 1573)

Make the NULL handling consistent on both sides of the function: guard
the two stores with "if (unlocked)" so fixup_user_fault() tolerates a
NULL output pointer regardless of which fault outcome handle_mm_fault()
returns.

No functional change for callers that already pass a non-NULL pointer.
Signed-off-by: Stepan Ionichev --- mm/gup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mm/gup.c b/mm/gup.c index ad9ded396..1a8d7c7c8 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -1594,7 +1594,8 @@ int fixup_user_fault(struct mm_struct *mm, * could tell the callers so they do not need to unlock. */ mmap_read_lock(mm); - *unlocked = true; + if (unlocked) + *unlocked = true; return 0; } @@ -1608,7 +1609,8 @@ int fixup_user_fault(struct mm_struct *mm, if (ret & VM_FAULT_RETRY) { mmap_read_lock(mm); - *unlocked = true; + if (unlocked) + *unlocked = true; fault_flags |= FAULT_FLAG_TRIED; goto retry; } -- 2.43.0
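Review bot: in the VM_FAULT_COMPLETED hunk (the first `if (unlocked) *unlocked = true;`), the new guard silently swallows an invariant violation rather than reporting it: reaching this path with unlocked == NULL means handle_mm_fault() dropped mmap_lock behind a caller that never set FAULT_FLAG_ALLOW_RETRY, and the function then re-takes the lock and returns 0 as though the lock had been held throughout. Consider a `VM_WARN_ON_ONCE(!unlocked);` ahead of the guard so the hypothetical future change the commit message describes surfaces as a warning instead of a masked lock drop; the smatch finding is still satisfied either way.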
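Review bot: in the VM_FAULT_RETRY hunk the same tolerance has a second effect worth noting in the commit message: after the guarded store the code sets FAULT_FLAG_TRIED and jumps back to `retry` with fault_flags still lacking FAULT_FLAG_ALLOW_RETRY, so a NULL caller that somehow reached this path keeps faulting with a flag combination the function never intended for it. A `VM_WARN_ON_ONCE(!unlocked);` here would keep this path symmetric with the COMPLETED one. It would also be worth a one-line update to the kerneldoc for @unlocked stating that NULL is permitted and that it disables the retry/unlock machinery, since the commit message itself describes that contract as implicit rather than enforced.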
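As an added illustration that is not part of this patch or of the kernel tree, the userspace C model below walks the control flow of the patched function with a fake fault handler that either honours the FAULT_FLAG_ALLOW_RETRY contract or deliberately violates it in the way the commit message worries about. It counts every store the pre-patch code would have made through a NULL `unlocked`, which is how many times an s390-style NULL caller would have crashed. Every flag value, the struct fields, `fake_handle_mm_fault()`, `fixup_user_fault_model()` and `run_scenario()` are stand-ins invented for this example; the real function takes an address argument and has no counter.

```c
/* Userspace model of the fixup_user_fault() retry/unlock contract.
 * Added example, not kernel code: flag bits and vm_fault_t values invented. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FAULT_FLAG_WRITE	0x01
#define FAULT_FLAG_ALLOW_RETRY	0x02
#define FAULT_FLAG_KILLABLE	0x04
#define FAULT_FLAG_TRIED	0x08
#define VM_FAULT_RETRY		0x10
#define VM_FAULT_COMPLETED	0x20

struct mm_struct {
	bool read_locked;	/* is mmap_lock held for read right now */
	int retries_left;	/* fake handler: VM_FAULT_RETRYs to return first */
	bool complete_after;	/* fake handler: finish with VM_FAULT_COMPLETED */
	bool misbehave;		/* drop the lock even without ALLOW_RETRY */
};

static void mmap_read_lock(struct mm_struct *mm)   { mm->read_locked = true; }
static void mmap_read_unlock(struct mm_struct *mm) { mm->read_locked = false; }

/* RETRY and COMPLETED both mean "I dropped mmap_lock". A well-behaved handler
 * only returns them when ALLOW_RETRY was requested; 'misbehave' models the
 * hypothetical future change the commit message guards against. */
static unsigned int fake_handle_mm_fault(struct mm_struct *mm, unsigned int flags)
{
	bool may_drop_lock = (flags & FAULT_FLAG_ALLOW_RETRY) || mm->misbehave;

	if (!may_drop_lock)
		return 0;	/* handled with the lock held throughout */
	if (mm->retries_left > 0) {
		mm->retries_left--;
		mmap_read_unlock(mm);
		return VM_FAULT_RETRY;
	}
	if (mm->complete_after) {
		mmap_read_unlock(mm);
		return VM_FAULT_COMPLETED;
	}
	return 0;
}

/* Patched control flow. The 'else' branches are model bookkeeping: they count
 * how often the pre-patch unconditional "*unlocked = true" would have written
 * through a NULL pointer. */
static int fixup_user_fault_model(struct mm_struct *mm, unsigned int fault_flags,
				  bool *unlocked, int *null_stores)
{
	unsigned int ret;

	if (unlocked)
		fault_flags |= FAULT_FLAG_ALLOW_RETRY | FAULT_FLAG_KILLABLE;
retry:
	ret = fake_handle_mm_fault(mm, fault_flags);
	if (ret & VM_FAULT_COMPLETED) {
		mmap_read_lock(mm);
		if (unlocked) *unlocked = true; else (*null_stores)++;
		return 0;
	}
	if (ret & VM_FAULT_RETRY) {
		mmap_read_lock(mm);
		if (unlocked) *unlocked = true; else (*null_stores)++;
		fault_flags |= FAULT_FLAG_TRIED;
		goto retry;
	}
	return 0;
}

struct outcome {
	int ret;
	bool lock_held_on_return;	/* caller expects mmap_lock held again */
	bool unlocked_reported;		/* *unlocked after the call, false if NULL */
	int null_stores_avoided;	/* pre-patch NULL dereferences */
};

/* One scenario; the caller holds mmap_lock on entry as the real API requires. */
struct outcome run_scenario(bool pass_unlocked, bool misbehave,
			    int retries, bool complete_after)
{
	struct mm_struct mm = { .read_locked = true, .retries_left = retries,
				.complete_after = complete_after, .misbehave = misbehave };
	bool unlocked = false;
	struct outcome o = { 0 };

	o.ret = fixup_user_fault_model(&mm, FAULT_FLAG_WRITE,
				       pass_unlocked ? &unlocked : NULL,
				       &o.null_stores_avoided);
	o.lock_held_on_return = mm.read_locked;
	o.unlocked_reported = unlocked;
	return o;
}

int main(void)
{
	struct outcome a = run_scenario(true, false, 2, true);	/* ordinary caller */
	struct outcome b = run_scenario(false, false, 2, true);	/* NULL caller, honest handler */
	struct outcome c = run_scenario(false, true, 2, true);	/* NULL caller, handler drops lock */

	printf("non-NULL caller: unlocked=%d lock_held=%d\n", a.unlocked_reported, a.lock_held_on_return);
	printf("NULL caller, honest handler: null stores avoided=%d\n", b.null_stores_avoided);
	printf("NULL caller, misbehaving handler: lock_held=%d null stores avoided=%d\n",
	       c.lock_held_on_return, c.null_stores_avoided);
	return 0;
}
```

The third scenario is the one the patch is about: two RETRYs followed by a COMPLETED from a handler that ignores the missing ALLOW_RETRY produce three stores the pre-patch code would have made through NULL, while the guarded version returns 0 with the lock re-taken. The second scenario shows why the stores were considered unreachable: with an honest handler a NULL caller never leaves the first `fake_handle_mm_fault()` call.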