[PATCH] mm/memfd_luo: validate serialized_data before conversion

From: Tarun Sahu

Date: Thu Jun 11 2026 - 06:31:52 EST


In memfd_luo_finish() and memfd_luo_retrieve(), phys_to_virt() was called
on args->serialized_data before checking if the physical address is valid.
Since physical address 0 does not map to virtual NULL (due to direct
mapping offsets), the subsequent 'if (!ser)' check could not catch a
missing serialized_data, so ser was later dereferenced unsafely.

Validate that args->serialized_data is non-zero before calling
phys_to_virt().

Fixes: b3749f174d68 ("mm: memfd_luo: allow preserving memfd")
Signed-off-by: Tarun Sahu <tarunsahu@xxxxxxxxxx>
---
mm/memfd_luo.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/mm/memfd_luo.c b/mm/memfd_luo.c
index 59de210bee5f..10f3983b0060 100644
--- a/mm/memfd_luo.c
+++ b/mm/memfd_luo.c
@@ -397,10 +397,11 @@ static void memfd_luo_finish(struct liveupdate_file_op_args *args)
if (args->retrieve_status)
return;

- ser = phys_to_virt(args->serialized_data);
- if (!ser)
+ if (!args->serialized_data)
return;

+ ser = phys_to_virt(args->serialized_data);
+
if (ser->nr_folios) {
folios_ser = kho_restore_vmalloc(&ser->folios);
if (!folios_ser)
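Review bot: The new `if (!args->serialized_data)` guard in memfd_luo_finish() returns silently, yet the preceding `if (args->retrieve_status) return;` means this point is only reached after retrieve reported success, and the retrieve hunk below already rejects a zero serialized_data with -EINVAL; a zero here therefore looks like an inconsistent state rather than an expected case. Making it visible, `if (WARN_ON_ONCE(!args->serialized_data)) return;`, would surface the condition in the log instead of silently skipping the work that follows. That retrieve_status is zero on success is inferred from the early return and should be confirmed against the caller. memfd_luo_finish()'s body starts and ends outside the hunk.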
@@ -522,10 +523,11 @@ static int memfd_luo_retrieve(struct liveupdate_file_op_args *args)
struct file *file;
int err;

- ser = phys_to_virt(args->serialized_data);
- if (!ser)
+ if (!args->serialized_data)
return -EINVAL;

+ ser = phys_to_virt(args->serialized_data);
+
/* Make sure the file only has seals supported by this version. */
if (ser->seals & ~MEMFD_LUO_ALL_SEALS) {
err = -EOPNOTSUPP;
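Review bot: The check at `if (!args->serialized_data)` only rejects the unset value; phys_to_virt() on the added line after it does not validate its argument, so a non-zero serialized_data outside the direct map still yields a pointer that `ser->seals` dereferences unchecked. If serialized_data is required to be a direct-mapped page, which the preserved-state handoff suggests but this hunk does not show, `if (!args->serialized_data || !pfn_valid(PHYS_PFN(args->serialized_data))) return -EINVAL;` would reject that case as well. Whether a stronger validation of the preserved address happens elsewhere in the retrieve path is not visible here. memfd_luo_retrieve() continues beyond both ends of the hunk.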

base-commit: 9716c086c8e8b141d35aa61f2e96a2e83de212a7
--
2.54.0.1099.g489fc7bff1-goog