| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200407095107.1988-1-miles.chen@mediatek.com>
Date: Tue, 7 Apr 2020 17:51:07 +0800
From: Miles Chen <miles.chen@...iatek.com>
To: Andrew Morton <akpm@...ux-foundation.org>
CC: <linux-mm@...ck.org>, <linux-kernel@...r.kernel.org>,
<linux-mediatek@...ts.infradead.org>, <wsd_upstream@...iatek.com>,
Miles Chen <miles.chen@...iatek.com>
Subject: [PATCH] mm/gup: fix null pointer dereference detected by coverity
In fixup_user_fault(), it is possible that unlocked is NULL,
so we should test unlocked before using it.
For example, in arch/arc/kernel/process.c, NULL is passed
to fixup_user_fault().
SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
{
...
ret = fixup_user_fault(current, current->mm, (unsigned long) uaddr,
FAULT_FLAG_WRITE, NULL);
...
}
Fixes: 4a9e1cda2748 ("mm: bring in additional flag for fixup_user_fault to signal unlock")
Signed-off-by: Miles Chen <miles.chen@...iatek.com>
---
mm/gup.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/mm/gup.c b/mm/gup.c
index da3e03185144..a68d11dc232d 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -1230,7 +1230,8 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
if (ret & VM_FAULT_RETRY) {
down_read(&mm->mmap_sem);
if (!(fault_flags & FAULT_FLAG_TRIED)) {
- *unlocked = true;
+ if (unlocked)
+ *unlocked = true;
fault_flags |= FAULT_FLAG_TRIED;
goto retry;
}
--
2.18.0
Powered by blists - more mailing lists