Re: [PATCH] mm/gup: fix null pointer dereference detected by coverity
From: Andrew Morton
Date: Tue Apr 14 2020 - 20:08:35 EST
On Tue, 7 Apr 2020 17:51:07 +0800 Miles Chen <miles.chen@xxxxxxxxxxxx> wrote:
> In fixup_user_fault(), it is possible that unlocked is NULL,
> so we should test unlocked before using it.
>
> For example, in arch/arc/kernel/process.c, NULL is passed
> to fixup_user_fault().
>
> SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new)
> {
> ...
> ret = fixup_user_fault(current, current->mm, (unsigned long) uaddr,
> FAULT_FLAG_WRITE, NULL);
> ...
> }
(cc Peter)
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -1230,7 +1230,8 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
> if (ret & VM_FAULT_RETRY) {
> down_read(&mm->mmap_sem);
> if (!(fault_flags & FAULT_FLAG_TRIED)) {
> - *unlocked = true;
> + if (unlocked)
> + *unlocked = true;
> fault_flags |= FAULT_FLAG_TRIED;
> goto retry;
> }
Not sure. If the caller passes FAULT_FLAG_ALLOW_RETRY then they must
also pass in a valid non-NULL `unlocked'. If the caller passed
FAULT_FLAG_ALLOW_RETRY and unlocked==NULL then the resulting oops is an
appropriate way of reporting this mistake. I think?