Re: [PATCH v2 1/2] mm/process_vm_access: pidfd and nowait support for process_vm_readv/writev
From: David Laight
Date: Thu Apr 23 2026 - 10:05:55 EST
On Thu, 23 Apr 2026 14:52:26 +0200
"David Hildenbrand (Arm)" <david@xxxxxxxxxx> wrote:
> >>
> >> /* Get process information */
> >> - task = find_get_task_by_vpid(pid);
> >> + if (flags & PROCESS_VM_PIDFD)
> >> + task = pidfd_get_task(pid, &f_flags);
> >> + else
> >> + task = find_get_task_by_vpid(pid);
> >> +
> >> if (!task) {
> >> rc = -ESRCH;
> >> goto free_proc_pages;
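Review bot: the `if (!task)` check after the new branch does not cover the pidfd path, because pidfd_get_task() reports failure with an ERR_PTR() rather than NULL, so an invalid pidfd falls through to mm_access() and put_task_struct() holding an error pointer. The pidfd branch should test `IS_ERR(task)` (or the whole lookup `IS_ERR_OR_NULL(task)`) before any use, and it would be better to propagate `PTR_ERR(task)` (e.g. -EBADF) than to fold every failure into -ESRCH. Note also that `f_flags` is filled in by pidfd_get_task() but not consumed anywhere visible in this hunk; if the nowait behaviour is derived from it, the code that reads it belongs in the same change.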
> >
> > pidfd_get_task() returns ERR_PTR() on failure (e.g. ERR_PTR(-EBADF)),
> > but the code checks "if (!task)" which only catches NULL. An invalid
> > pidfd will cause mm_access() and put_task_struct() to dereference an
> > error pointer, crashing the kernel.
>
> Yes. Should we add proper selftests that exercise these code paths?
>
Probably worth checking what happens when a 64-bit process tries to
read high addresses of a 32-bit process.
I remember trying to grok the way this code accessed the iov[] and
failing to find the appropriate access_ok() for the accesses to the
target process.
David
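The ERR_PTR-versus-NULL problem raised above, as an added user-space model that is not code from the patch or from the kernel: it reimplements the kernel's ERR_PTR()/IS_ERR() encoding (MAX_ERRNO 4095) and contrasts the hunk's `if (!task)` check with one that also rejects error pointers. The sim_* lookup functions, the single fake task, the scratch output pointer and the PROCESS_VM_PIDFD value are constructed assumptions for this model.

```c
/* Added example, not from the patch: a user-space model of the kernel's
 * ERR_PTR()/IS_ERR() convention showing why "if (!task)" misses the
 * error pointers pidfd_get_task() returns. "sim_" names are constructed. */
#include <errno.h>
#include <stddef.h>
#define MAX_ERRNO 4095
#define ERR_PTR(err)        ((void *)(long)(err))
#define PTR_ERR(ptr)        ((long)(ptr))
#define IS_ERR(ptr)         ((unsigned long)(ptr) >= (unsigned long)-MAX_ERRNO)
#define IS_ERR_OR_NULL(ptr) (!(ptr) || IS_ERR(ptr))
#define PROCESS_VM_PIDFD    0x1   /* flag value assumed for this model */

struct task_struct { int pid; };
static struct task_struct sim_task = { .pid = 1234 };
static struct task_struct *sim_out; /* scratch output pointer for callers */
/* Model of find_get_task_by_vpid(): NULL when the pid does not exist. */
static struct task_struct *sim_find_get_task_by_vpid(int pid)
{
    return pid == sim_task.pid ? &sim_task : NULL;
}

/* Model of pidfd_get_task(): ERR_PTR(-EBADF) for a bad fd, never NULL. */
static struct task_struct *sim_pidfd_get_task(int pidfd)
{
    return pidfd == 3 ? &sim_task : ERR_PTR(-EBADF);
}

/* The hunk's logic: only NULL is caught, so an ERR_PTR escapes via *out
 * and the caller's mm_access()/put_task_struct() would dereference it. */
int lookup_as_patched(int pid, unsigned flags, struct task_struct **out)
{
    struct task_struct *task = (flags & PROCESS_VM_PIDFD)
        ? sim_pidfd_get_task(pid) : sim_find_get_task_by_vpid(pid);
    if (!task)
        return -ESRCH;
    *out = task;
    return 0;
}

/* Suggested shape: reject both NULL and ERR_PTR before task is used,
 * keeping the pidfd path's own errno instead of folding it to -ESRCH. */
int lookup_fixed(int pid, unsigned flags, struct task_struct **out)
{
    struct task_struct *task = (flags & PROCESS_VM_PIDFD)
        ? sim_pidfd_get_task(pid) : sim_find_get_task_by_vpid(pid);
    if (IS_ERR_OR_NULL(task))
        return task ? (int)PTR_ERR(task) : -ESRCH;
    *out = task;
    return 0;
}
```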