Date: Fri, 4 Nov 2022 17:25:19 -0400
Message-ID: <20221104212519.538108-1-sethjenkins@google.com>
Subject: [PATCH] aio: fix mremap after fork null-deref
From: Seth Jenkins
To: Alexander Viro, Benjamin LaHaise
Cc: linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-kernel@vger.kernel.org, Jann Horn, Pavel Emelyanov, Seth Jenkins, stable@vger.kernel.org

Commit e4a0d3e720e7 ("aio: Make it possible to remap aio ring") introduced a null-deref if mremap is called on an old aio mapping after fork as mm->ioctx_table will be set to NULL.

Fixes: e4a0d3e720e7 ("aio: Make it possible to remap aio ring")
Cc: stable@vger.kernel.org
Signed-off-by: Seth Jenkins
---
 fs/aio.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/fs/aio.c b/fs/aio.c
index 5b2ff20ad322..74eae7de7323 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -361,16 +361,18 @@ static int aio_ring_mremap(struct vm_area_struct *vma) spin_lock(&mm->ioctx_lock); rcu_read_lock(); table = rcu_dereference(mm->ioctx_table); - for (i = 0; i < table->nr; i++) { - struct kioctx *ctx; - - ctx = rcu_dereference(table->table[i]); - if (ctx && ctx->aio_ring_file == file) { - if (!atomic_read(&ctx->dead)) { - ctx->user_id = ctx->mmap_base = vma->vm_start; - res = 0; + if (table) { + for (i = 0; i < table->nr; i++) { + struct kioctx *ctx; + + ctx = rcu_dereference(table->table[i]); + if (ctx && ctx->aio_ring_file == file) { + if (!atomic_read(&ctx->dead)) { + ctx->user_id = ctx->mmap_base = vma->vm_start; + res = 0; + } + break; } - break; } }
--
2.38.1.431.g37b22c650d-goog
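Review bot: the new `if (table)` guard carries no comment saying why `mm->ioctx_table` can be NULL at this point, so the next reader of aio_ring_mremap() has to recover the reason from git history; suggest a one-line comment above the check, e.g. `/* a forked child inherits the ring VMA but not mm->ioctx_table */`, since that is exactly the case the commit message describes. Wrapping the whole loop in `+ if (table) {` re-indents every line of the loop body, which is what turns a one-line logic change into a 20-line hunk; an early `if (!table)` bail-out ahead of the loop would keep the hunk minimal, but it would have to exit through the rcu_read_unlock()/spin_unlock() path below the hunk, which is not visible here, so the wrapper is the safer shape for a stable backport. The behaviour with a NULL table is otherwise right: `res` keeps the value it was initialised with above the hunk, so the move is refused rather than silently accepted for a ring the child has no kioctx for.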
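The condition the commit message describes (an inherited aio ring mapping being moved by mremap in a forked child, whose mm->ioctx_table is NULL) can be exercised from userspace. The program below is an added regression check written for this page; it is not part of the patch, of fs/aio.c, or of the author's submission. It assumes a Linux system where the raw io_setup/io_destroy syscalls are permitted, that /proc/self/maps is readable, and that the ring shows up there as a mapping of the "[aio]" pseudo-file starting at the address io_setup returns. The result codes RES_UNAVAILABLE and RES_CHILD_KILLED are this example's own naming. On a kernel without the fix the child hits the NULL dereference, so run it only in a disposable VM.

```c
/* Added example: trigger the post-fork mremap path of an aio ring.
 * Not part of the patch; assumes Linux with raw aio syscalls allowed. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/aio_abi.h>     /* aio_context_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define RES_UNAVAILABLE  (-2)  /* io_setup/fork/maps not usable here (assumption: own code) */
#define RES_CHILD_KILLED (-1)  /* child did not exit normally: what an unfixed kernel does */

/* Find the [aio] ring VMA whose start is `start` in /proc/self/maps and
 * return its length, or 0 if there is no such mapping.  io_setup() returns
 * the ring's user address as the aio_context_t value, which is why the
 * context handle doubles as the lookup key. */
static size_t aio_ring_len(unsigned long start)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    size_t len = 0;

    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx", &lo, &hi) == 2 && lo == start &&
            strstr(line, "[aio]")) {
            len = hi - lo;
            break;
        }
    }
    fclose(f);
    return len;
}

/* Create a ring, fork, and let the child try to move the inherited ring.
 * Returns the child's mremap() errno (EINVAL on a fixed kernel, because the
 * child's mm has no ioctx_table and thus no matching kioctx),
 * RES_UNAVAILABLE if the environment cannot set the test up, or
 * RES_CHILD_KILLED if the child died abnormally. */
int child_mremap_aio_ring(void)
{
    aio_context_t ctx = 0;
    size_t len;
    pid_t pid;
    int status;

    if (syscall(SYS_io_setup, 16, &ctx) != 0)
        return RES_UNAVAILABLE;
    len = aio_ring_len((unsigned long)ctx);
    if (len == 0) {
        syscall(SYS_io_destroy, ctx);
        return RES_UNAVAILABLE;
    }

    pid = fork();
    if (pid < 0) {
        syscall(SYS_io_destroy, ctx);
        return RES_UNAVAILABLE;
    }
    if (pid == 0) {
        /* Child: the [aio] VMA was copied by fork, mm->ioctx_table was not.
         * Reserve a fresh destination so mremap() has to move the VMA, which
         * is the only path that invokes vm_ops->mremap (aio_ring_mremap). */
        void *dst = mmap(NULL, len, PROT_NONE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (dst == MAP_FAILED)
            _exit(127);
        void *r = mremap((void *)ctx, len, len,
                         MREMAP_MAYMOVE | MREMAP_FIXED, dst);
        _exit(r == MAP_FAILED ? errno : 0);
    }

    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) {
        syscall(SYS_io_destroy, ctx);
        return RES_CHILD_KILLED;
    }
    syscall(SYS_io_destroy, ctx);
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = child_mremap_aio_ring();

    if (r == RES_UNAVAILABLE)
        puts("aio ring could not be set up here; nothing reproduced");
    else if (r == RES_CHILD_KILLED)
        puts("child died abnormally: kernel is probably missing this fix");
    else
        printf("child mremap -> %d (%s)\n", r, r ? strerror(r) : "moved");
    return 0;
}
```

A fixed kernel refuses the move with EINVAL, which is the `res` value aio_ring_mremap() keeps when no kioctx matches; a successful move would mean the ring was relocated for a process that has no kioctx for it, and an abnormal child exit means the NULL dereference was reached.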