From: Zhen Ni
To: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz
Cc: linux-fsdevel@vger.kernel.org, Zhen Ni , stable@vger.kernel.org
Subject: [PATCH] pidfs: fix ERR_PTR dereference in pidfd_info()
Date: Sat, 11 Oct 2025 15:29:27 +0800
Message-Id: <20251011072927.342302-1-zhen.ni@easystack.cn>

pidfd_pid() may return an ERR_PTR() when the file does not refer to a
valid pidfs file. Currently pidfd_info() calls pid_in_current_pidns()
directly on the returned value, which risks dereferencing an ERR_PTR.

Fix it by explicitly checking IS_ERR(pid) and returning PTR_ERR(pid)
before further use.

Fixes: 7477d7dce48a ("pidfs: allow to retrieve exit information")
Cc: stable@vger.kernel.org
Signed-off-by: Zhen Ni
--- fs/pidfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/pidfs.c b/fs/pidfs.c index 0ef5b47d796a..16670648bb09 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -314,6 +314,9 @@ static long pidfd_info(struct file *file, unsigned int cmd, unsigned long arg) if (copy_from_user(&mask, &uinfo->mask, sizeof(mask))) return -EFAULT; + if (IS_ERR(pid)) + return PTR_ERR(pid); + /* * Restrict information retrieval to tasks within the caller's pid * namespace hierarchy. -- 2.20.1
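Review bot: In the fs/pidfs.c hunk at -314, the new IS_ERR(pid) check is placed after the copy_from_user() of mask, which separates it from the point where pid is assigned (that assignment is not in the visible context). Validating the pointer immediately after it is obtained would make it impossible for intervening code to touch an ERR_PTR and would give a consistent error precedence: as written, an invalid file combined with a bad uinfo pointer returns -EFAULT rather than PTR_ERR(pid). The changelog says the current code "risks" a dereference but does not say how a file that is not a pidfs file can reach this static handler. Please describe the call path that produces the ERR_PTR, or, if pidfd_info() is only entered for pidfs files, state that the check is defensive, since that decides whether the Fixes: tag and the stable Cc are warranted.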