On 02/12/14 12:59, Frank Haverkamp wrote:
> Hi Ian,
> thanks for reviewing our code and sorry for not answering immediately.
>
> On Thursday, 06.11.2014, 16:23 +0000, Ian Abbott wrote:
>> `genwqe_user_vmap()` calls `get_user_pages_fast()` and if the return
>> value is less than the number of pages requested, it frees the pages and
>> returns an error (`-EFAULT`). However, it fails to consider a negative
>> error return value from `get_user_pages_fast()`. In that case, the test
>> `if (rc < m->nr_pages)` will be false (due to promotion of `rc` to a
>> large `unsigned int`) and the code will continue on to call
>> `genwqe_map_pages()` with an invalid list of page pointers. Fix it by
>> bailing out if `get_user_pages_fast()` returns a negative error value.
>
> True. Did you find this by manual inspection of the code or did you use
> tools to figure it out?

I just spotted it while grepping for examples of drivers that used
get_user_pages() or get_user_pages_fast() as I want to use it in a
driver for some custom hardware.
--
-=( Ian Abbott @ MEV Ltd. E-mail: <abbotti@xxxxxxxxx> )=-
-=( Web: http://www.mev.co.uk/ )=-
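
The comparison described in the quoted commit message, as an added user-space example (not the genwqe driver's code and not part of the original mail). `struct mapping`, `stub_gup()`, `run()` and the two `vmap_*` functions are hypothetical stand-ins, and the GUP return values are constructed inputs.

```c
#include <errno.h>
#include <stdio.h>
/* Hypothetical stand-in for the driver's mapping state. */
struct mapping { unsigned int nr_pages; };

static int gup_result; /* constructed input: what the stubbed GUP call returns */
static int mapped;     /* set to 1 when the (stubbed) map step is reached */
/* Stub for get_user_pages_fast(): pages pinned, or a negative errno. */
static int stub_gup(void) { return gup_result; }

/* Check as the commit message describes it: only rc < nr_pages. */
static int vmap_unchecked(const struct mapping *m)
{
    int rc = stub_gup();
    if (rc < m->nr_pages)  /* rc is converted to unsigned: -EFAULT becomes huge */
        return -EFAULT;    /* (the driver also frees the pinned pages here) */
    mapped = 1;            /* reached with an invalid page list when rc < 0 */
    return 0;
}

/* Same check with the fix: bail out on a negative return value first. */
static int vmap_checked(const struct mapping *m)
{
    int rc = stub_gup();
    if (rc < 0)
        return rc;
    if ((unsigned int)rc < m->nr_pages)
        return -EFAULT;
    mapped = 1;
    return 0;
}

/* Run one variant against a constructed GUP result; 'mapped' records the path. */
static int run(int (*fn)(const struct mapping *), int rc_in, unsigned int nr)
{
    struct mapping m = { nr };
    gup_result = rc_in;
    mapped = 0;
    return fn(&m);
}

int main(void)
{
    int rc = run(vmap_unchecked, -EFAULT, 4);
    printf("unchecked: rc=%d mapped=%d\n", rc, mapped);
    rc = run(vmap_checked, -EFAULT, 4);
    printf("checked:   rc=%d mapped=%d\n", rc, mapped);
    return 0;
}
```

Building with `-Wsign-compare` (part of `-Wextra` for C in GCC) flags the mixed signed/unsigned comparison in `vmap_unchecked()`.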