Message-Id: <20250905190133.345203b8f0332490c0249f66@linux-foundation.org>
Date: Fri, 5 Sep 2025 19:01:33 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: David Hildenbrand <david@...hat.com>
Cc: Jens Axboe <axboe@...nel.dk>, syzbot
 <syzbot+1ab243d3eebb2aabf4a4@...kaller.appspotmail.com>,
 io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
 syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [io-uring?] KASAN: null-ptr-deref Read in
 io_sqe_buffer_register

On Fri, 5 Sep 2025 09:42:55 +0200 David Hildenbrand <david@...hat.com> wrote:

> #syz test
> 
>  From bfd07c995814354f6b66c5b6a72e96a7aa9fb73b Mon Sep 17 00:00:00 2001
> From: David Hildenbrand <david@...hat.com>
> Date: Fri, 5 Sep 2025 08:38:43 +0200
> Subject: [PATCH] fixup: mm/gup: remove record_subpages()
> 
> pages is not adjusted by the caller, but indexed by existing *nr.
> 
> Signed-off-by: David Hildenbrand <david@...hat.com>

Cool, I resurrected "mm/gup: remove record_subpages()" and added the -fix:

From: David Hildenbrand <david@...hat.com>
Subject: fixup: mm/gup: remove record_subpages()
Date: Fri, 5 Sep 2025 08:38:43 +0200

pages is not adjusted by the caller, but indexed by existing *nr.

Link: https://lkml.kernel.org/r/cc7f03f8-da8b-407e-a03a-e8e5a9ec5462@redhat.com
Signed-off-by: David Hildenbrand <david@...hat.com>
Reported-by: syzbot+1ab243d3eebb2aabf4a4@...kaller.appspotmail.com
Tested-by: syzbot+1ab243d3eebb2aabf4a4@...kaller.appspotmail.com
Reported-by: Jens Axboe <axboe@...nel.dk>
Cc: David Hildenbrand <david@...hat.com>
Signed-off-by: Andrew Morton <akpm@...ux-foundation.org>
---

 mm/gup.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/mm/gup.c~mm-gup-remove-record_subpages-fix
+++ a/mm/gup.c
@@ -2966,6 +2966,7 @@ static int gup_fast_pmd_leaf(pmd_t orig,
 		return 0;
 	}
 
+	pages += *nr;
 	*nr += refs;
 	for (; refs; refs--)
 		*(pages++) = page++;
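Review bot: In gup_fast_pmd_leaf the added `pages += *nr;` is only correct because it sits above `*nr += refs;`, and nothing in the hunk documents that ordering; if the two lines were swapped, the loop would start storing `refs` entries past the intended slot. A one-line comment saying that pages is the caller's unadjusted array and *nr is the number of entries already filled would make the dependency explicit. Alternatively, the loop could store at an offset computed from the old *nr and bump *nr only after the loop, so the order of the two statements stops mattering.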
@@ -3009,6 +3010,7 @@ static int gup_fast_pud_leaf(pud_t orig,
 		return 0;
 	}
 
+	pages += *nr;
 	*nr += refs;
 	for (; refs; refs--)
 		*(pages++) = page++;
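Review bot: The fill sequence in gup_fast_pud_leaf is now line-for-line the same as the one in gup_fast_pmd_leaf (`pages += *nr;`, `*nr += refs;`, then the `*(pages++) = page++` loop), and both copies needed the same one-line offset fix. Consider moving the offset-and-fill into one small static inline helper that takes pages, nr, page and refs, so the pmd and pud paths cannot drift apart and the "indexed by existing *nr" rule lives in a single place.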
_

