[PATCH 4.14 109/191] rapidio: fix error handling path

From: Greg Kroah-Hartman
Date: Tue Oct 27 2020 - 14:13:42 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 035/191] media: mx2_emmaprp: Fix memleak in emmaprp_probe"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 108/191] ramfs: fix nommu mmap with gaps in the page cache"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 108/191] ramfs: fix nommu mmap with gaps in the page cache"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 035/191] media: mx2_emmaprp: Fix memleak in emmaprp_probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Souptick Joarder <jrdr.linux@xxxxxxxxx>

[ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ]

rio_dma_transfer() attempts to clamp the return value of
pin_user_pages_fast() to be >= 0. However, the attempt fails because
nr_pages is overridden a few lines later, and restored to the undesirable
-ERRNO value.

The return value is ultimately stored in nr_pages, which in turn is passed
to unpin_user_pages(), which expects nr_pages >= 0, else, disaster.

Fix this by fixing the nesting of the assignment to nr_pages: nr_pages
should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set
to the return value of pin_user_pages_fast(), otherwise.

[jhubbard@xxxxxxxxxx: new changelog]

Fixes: e8de370188d09 ("rapidio: add mport char device driver")
Signed-off-by: Souptick Joarder <jrdr.linux@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Reviewed-by: Ira Weiny <ira.weiny@xxxxxxxxx>
Reviewed-by: John Hubbard <jhubbard@xxxxxxxxxx>
Cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
Cc: Matt Porter <mporter@xxxxxxxxxxxxxxxxxxx>
Cc: Alexandre Bounine <alex.bou9@xxxxxxxxx>
Cc: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
Cc: Madhuparna Bhowmik <madhuparnabhowmik10@xxxxxxxxx>
Cc: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@xxxxxxxxx
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/rapidio/devices/rio_mport_cdev.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index f207f8725993c..171d6bcad5bc5 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -900,15 +900,16 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
rmcd_error("get_user_pages_unlocked err=%ld",
pinned);
nr_pages = 0;
- } else
+ } else {
rmcd_error("pinned %ld out of %ld pages",
pinned, nr_pages);
+ /*
+ * Set nr_pages up to mean "how many pages to unpin, in
+ * the error handler:
+ */
+ nr_pages = pinned;
+ }
ret = -EFAULT;
- /*
- * Set nr_pages up to mean "how many pages to unpin, in
- * the error handler:
- */
- nr_pages = pinned;
goto err_pg;
}

--
2.25.1

Next message: Greg Kroah-Hartman: "[PATCH 4.14 035/191] media: mx2_emmaprp: Fix memleak in emmaprp_probe"
Previous message: Greg Kroah-Hartman: "[PATCH 4.14 108/191] ramfs: fix nommu mmap with gaps in the page cache"
In reply to: Greg Kroah-Hartman: "[PATCH 4.14 108/191] ramfs: fix nommu mmap with gaps in the page cache"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.14 035/191] media: mx2_emmaprp: Fix memleak in emmaprp_probe"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]