[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <tencent_CF4FA00DCAA5918DB7127CDDC95DBF190607@qq.com>
Date: Tue, 1 Apr 2025 21:34:57 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+5d83cecd003a369a9965@...kaller.appspotmail.com
Cc: linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [isdn4linux?] [nilfs?] INFO: task hung in mISDN_ioctl
#syz test: upstream a29967be967e
diff --git a/drivers/isdn/mISDN/timerdev.c b/drivers/isdn/mISDN/timerdev.c
index 7cfa8c61dba0..0c3771a5cd0b 100644
--- a/drivers/isdn/mISDN/timerdev.c
+++ b/drivers/isdn/mISDN/timerdev.c
@@ -238,8 +238,13 @@ mISDN_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
ret = id;
break;
}
- if (put_user(id, (int __user *)arg))
+ if (!user_write_access_begin((int __user *)arg, sizeof(int))) {
ret = -EFAULT;
+ break;
+ }
+
+ unsafe_put_user(id, (int __user *)arg, Efault);
+ user_write_access_end();
break;
case IMDELTIMER:
if (get_user(id, (int __user *)arg)) {
@@ -255,8 +260,13 @@ mISDN_ioctl(struct file *filep, unsigned int cmd, unsigned long arg)
default:
ret = -EINVAL;
}
+out:
mutex_unlock(&mISDN_mutex);
return ret;
+Efault:
+ user_write_access_end();
+ ret = -EFAULT;
+ goto out;
}
static const struct file_operations mISDN_fops = {
Powered by blists - more mailing lists