Hi Ian,
thanks for reviewing our code and sorry for not answering immediately.
Am Donnerstag, den 06.11.2014, 16:23 +0000 schrieb Ian Abbott:
> `genwqe_user_vmap()` calls `get_user_pages_fast()` and if the return
> value is less than the number of pages requested, it frees the pages and
> returns an error (`-EFAULT`). However, it fails to consider a negative
> error return value from `get_user_pages_fast()`. In that case, the test
> `if (rc < m->nr_pages)` will be false (due to promotion of `rc` to a
> large `unsigned int`) and the code will continue on to call
> `genwqe_map_pages()` with an invalid list of page pointers. Fix it by
> bailing out if `get_user_pages_fast()` returns a negative error value.
True. Did you find this by manual inspection of the code or did you use
tools to figure it out?
>
> Signed-off-by: Ian Abbott <abbotti@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # 3.14.x # 3.15.x # 3.16.x # 3.17.x
> ---
> drivers/misc/genwqe/card_utils.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/misc/genwqe/card_utils.c b/drivers/misc/genwqe/card_utils.c
> index 7cb3b7e..1ca94e6 100644
> --- a/drivers/misc/genwqe/card_utils.c
> +++ b/drivers/misc/genwqe/card_utils.c
> @@ -590,6 +590,8 @@ int genwqe_user_vmap(struct genwqe_dev *cd, struct dma_mapping *m, void *uaddr,
> m->nr_pages,
> 1, /* write by caller */
> m->page_list); /* ptrs to pages */
> + if (rc < 0)
> + goto fail_get_user_pages;
>
> /* assumption: get_user_pages can be killed by signals. */
> if (rc < m->nr_pages) {
Regards
Frank
Acked-by: Frank Haverkamp <haver@xxxxxxxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html