On Thu, 23 Apr 2026 14:52:26 +0200
"David Hildenbrand (Arm)" <[email protected]> wrote:

> >>  
> >>    /* Get process information */
> >> -  task = find_get_task_by_vpid(pid);
> >> +  if (flags & PROCESS_VM_PIDFD)
> >> +          task = pidfd_get_task(pid, &f_flags);
> >> +  else
> >> +          task = find_get_task_by_vpid(pid);
> >> +
> >>    if (!task) {
> >>            rc = -ESRCH;
> >>            goto free_proc_pages;  
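Review bot: the `if (!task)` check right after the new `pidfd_get_task(pid, &f_flags)` call only catches a NULL return, so an error pointer from the pidfd path passes straight through to the `mm_access()` and `put_task_struct()` calls that follow. Suggest guarding with `if (IS_ERR_OR_NULL(task))` (or converting an `IS_ERR(task)` result to NULL before the existing check), and setting `rc = PTR_ERR(task)` on the error-pointer path rather than the fixed `rc = -ESRCH`, so a bad pidfd still surfaces as EBADF to the caller. It would also help to note in the hunk where `f_flags` is declared and initialised, since it is passed by address here but does not appear in the visible context.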
> > 
> > pidfd_get_task() returns ERR_PTR() on failure (e.g. ERR_PTR(-EBADF)),
> > but the code checks "if (!task)" which only catches NULL. An invalid
> > pidfd will cause mm_access() and put_task_struct() to dereference an
> > error pointer, crashing the kernel.  
> 
> Yes. Should we add proper selftests that exercise these code paths?
> 

Probably worth checking what happens when a 64bit process tries to
read high addresses of a 32bit process.

I remember trying to grok the way this code accessed the iov[] and
failing to find the appropriate access_ok() for the accesses to the
target process.

        David
