On Tue, 7 Jun 2022, Jiri Slaby wrote: > Only the return value of copy_to_user() is checked in con_get_unimap(). > Do the same for put_user() of the count too. > > Signed-off-by: Jiri Slaby <jslaby@xxxxxxx> > --- > drivers/tty/vt/consolemap.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/tty/vt/consolemap.c b/drivers/tty/vt/consolemap.c > index 831450f2bfd1..92b5dddb00d9 100644 > --- a/drivers/tty/vt/consolemap.c > +++ b/drivers/tty/vt/consolemap.c > @@ -813,7 +813,8 @@ int con_get_unimap(struct vc_data *vc, ushort ct, ushort __user *uct, > console_unlock(); > if (copy_to_user(list, unilist, min(ect, ct) * sizeof(*unilist))) > ret = -EFAULT; > - put_user(ect, uct); > + if (put_user(ect, uct)) > + ret = -EFAULT; > kvfree(unilist); > return ret ? ret : (ect <= ct) ? 0 : -ENOMEM; > } > Doesn't this fix something? -- i.
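Review bot: the changelog for the new `if (put_user(ect, uct))` check in con_get_unimap() presents it only as matching the existing copy_to_user() check, and does not say that the result seen by user space changes. Before, a faulting `uct` was ignored, so `return ret ? ret : (ect <= ct) ? 0 : -ENOMEM;` could still return 0 or -ENOMEM although the count was never written; with the check, that case returns -EFAULT. Suggest stating this in the commit message. If it is meant as a bug fix, say so explicitly, for example with a Fixes: tag naming the commit that introduced the unchecked put_user().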