On 9/4/22 2:46 PM, Binyi Han wrote:
Smatch checker complains that 'secretmem_mnt' dereferencing possible
ERR_PTR().
Let the function return if 'secretmem_mnt' is ERR_PTR, to avoid
deferencing it.
Signed-off-by: Binyi Han <dantengknight@xxxxxxxxx>
---
Fixes: 1507f51255c9ff07d75909a84e7c0d7f3c4b2f49 ("mm: introduce memfd_secret system call to create "secret" memory areas")
mm/secretmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/secretmem.c b/mm/secretmem.c
index e3e9590c6fb3..3f7154099795 100644
--- a/mm/secretmem.c
+++ b/mm/secretmem.c
@@ -285,7 +285,7 @@ static int secretmem_init(void)
secretmem_mnt = kern_mount(&secretmem_fs);
if (IS_ERR(secretmem_mnt))
- ret = PTR_ERR(secretmem_mnt);
+ return PTR_ERR(secretmem_mnt);
/* prevent secretmem mappings from ever getting PROT_EXEC */
secretmem_mnt->mnt_flags |= MNT_NOEXEC;
I agree that doing:
secretmem_mnt->mnt_flags |= MNT_NOEXEC;
when IS_ERR(secretmem_mnt) evaluates to true is wrong. But I have
a question: what happen if you invoke memfd_secret() syscall when
@secretmem_mnt is an ERR_PTR?
Shouldn't we also guard the memfd_secret() path?
diff --git a/mm/secretmem.c b/mm/secretmem.c
index e3e9590c6fb3..2d52508d47a9 100644
--- a/mm/secretmem.c
+++ b/mm/secretmem.c
@@ -230,18 +230,21 @@ static struct file *secretmem_file_create(unsigned long flags)
SYSCALL_DEFINE1(memfd_secret, unsigned int, flags)
{
struct file *file;
int fd, err;
/* make sure local flags do not confict with global fcntl.h */
BUILD_BUG_ON(SECRETMEM_FLAGS_MASK & O_CLOEXEC);
+ if (IS_ERR(secretmem_mnt))
+ return PTR_ERR(secretmem_mnt);
+
if (!secretmem_enable)
return -ENOSYS;
if (flags & ~(SECRETMEM_FLAGS_MASK | O_CLOEXEC))
return -EINVAL;
if (atomic_read(&secretmem_users) < 0)
return -ENFILE;
fd = get_unused_fd_flags(flags & O_CLOEXEC);
--
Ammar Faizi