Date: Wed, 25 Jun 2025 17:24:14 +0200
From: Christoph Berg To: Andrew Morton , David Hildenbrand , Zi Yan , Matthew Brost , Joshua Hahn , Rakie Kim , Byungchul Park , Gregory Price , Ying Huang , Alistair Popple , "open list:MEMORY MANAGEMENT - MEMORY POLICY AND MIGRATION" , open list Subject: [PATCH] Fix do_pages_stat to use compat_uptr_t Message-ID: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 4bS5Fv3GSHz9v0M Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" For arrays with more than 16 entries, the old code would incorrectly advance the pages pointer by 16 words instead of 16 compat_uptr_t. Signed-off-by: Christoph Berg Suggested-by: Bertrand Drouvot Suggested-by: David Hildenbrand --- mm/migrate.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/mm/migrate.c b/mm/migrate.c index 8cf0f9c9599..542c81ec3ed 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -2444,7 +2444,13 @@ static int do_pages_stat(struct mm_struct *mm, unsig= ned long nr_pages, if (copy_to_user(status, chunk_status, chunk_nr * sizeof(*status))) break; =20 - pages +=3D chunk_nr; + if (in_compat_syscall()) { + compat_uptr_t __user *pages32 =3D (compat_uptr_t __user *)pages; + + pages32 +=3D chunk_nr; + pages =3D (const void __user * __user *) pages32; + } else + pages +=3D chunk_nr; status +=3D chunk_nr; nr_pages -=3D chunk_nr; } --=20 2.47.2
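Review bot: the else branch that closes the added block ("} else" followed by "pages += chunk_nr;") is left unbraced while the if branch is braced; kernel coding style wants braces on both branches once one of them needs them, so this should read "} else {" with a closing "}". In the same block, the cast "(const void __user * __user *) pages32" has a space after the closing parenthesis that the cast two lines above it, "(compat_uptr_t __user *)pages", does not; drop it so the two match. A one-line comment above the in_compat_syscall() test, saying that in a compat call the user array holds compat_uptr_t entries and the pointer therefore has to advance by that element size, would save the next reader from working out why the round-trip cast is there. The commit message has Signed-off-by and Suggested-by trailers but no Fixes: tag and no subsystem prefix in the subject; both are worth adding for a bug fix that gives wrong results for arrays of more than 16 entries.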