[PATCH] mm/filemap: fix NULL pointer dereference in do_read_cache_folio()

Next message: tip-bot2 for Thomas Wei&#xDF;schuh: "[tip: timers/core] selftests/timers/nanosleep: Add tests for return of remaining time"
Previous message: Bjorn Andersson: "Re: [PATCH v4 07/10] arm64: select HAVE_SHARED_GPIOS for ARCH_QCOM"
Next in thread: Matthew Wilcox: "Re: [PATCH] mm/filemap: fix NULL pointer dereference in do_read_cache_folio()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: ssrane_b23

Date: Fri Nov 14 2025 - 14:37:45 EST

From: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>

When read_cache_folio() is called with a NULL filler function on a
mapping that does not implement read_folio, a NULL pointer
dereference occurs in filemap_read_folio().

The crash occurs when:

build_id_parse() is called on a VMA backed by a file from a
filesystem that does not implement ->read_folio() (e.g. procfs,
sysfs, or other virtual filesystems).

read_cache_folio() is called with filler = NULL.

do_read_cache_folio() assigns filler = mapping->a_ops->read_folio,
which is still NULL.

filemap_read_folio() calls filler(), causing a NULL pointer
dereference.

The fix is to add a NULL check after the fallback assignment and return
-EIO. Callers handle this error safely.

Reported-by: syzbot+09b7d050e4806540153d@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=09b7d050e4806540153d
Fixes: ad41251c290d ("lib/buildid: implement sleepable build_id_parse() API")
Signed-off-by: Shaurya Rane <ssrane_b23@xxxxxxxxxxxxx>
---
mm/filemap.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/mm/filemap.c b/mm/filemap.c
index 13f0259d993c..f700fe931d61 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3980,6 +3980,8 @@ static struct folio *do_read_cache_folio(struct address_space *mapping,

if (!filler)
filler = mapping->a_ops->read_folio;
+ if (!filler)
+ return ERR_PTR(-EIO);
repeat:
folio = filemap_get_folio(mapping, index);
if (IS_ERR(folio)) {
--
2.34.1