If copy_param() fails, we cannot trust param structure, so access it only if this call returned success. Bug introduced in patch adding secure flag to dm-ioctl (currently in linux-next). Found during regression tests. Signed-off-by: Milan Broz <mbroz@xxxxxxxxxx> --- drivers/md/dm-ioctl.c | 5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index e7af88b..516def2 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1611,14 +1611,15 @@ static int ctl_ioctl(uint command, struct dm_ioctl __user *user) * Copy the parameters into kernel space. */ r = copy_params(user, ¶m); - input_param_size = param->data_size; - wipe_buffer = param->flags & DM_SECURE_DATA_FLAG; current->flags &= ~PF_MEMALLOC; if (r) return r; + input_param_size = param->data_size; + wipe_buffer = param->flags & DM_SECURE_DATA_FLAG; + r = validate_params(cmd, param); if (r) goto out; -- 1.7.2.3 -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel
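Review bot: On the "if (r) return r;" path in ctl_ioctl(), the function now leaves before wipe_buffer is ever assigned, so this function cannot wipe anything when copy_params() fails. Please confirm that copy_params() itself clears and frees any partially copied buffer on error, including for requests that carried DM_SECURE_DATA_FLAG, and say so in the commit message. A one-line comment above "input_param_size = param->data_size;" noting that param is only valid once copy_params() has returned 0 would also keep a later cleanup from moving the two assignments back above the check. As a minor style point, if wipe_buffer is used as a boolean, "!!(param->flags & DM_SECURE_DATA_FLAG)" makes that explicit and does not depend on the variable's width.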