[6/9] sysctl: Call sysctl_head_finish on error
diff mbox series

Message ID 20200626075836.1998185-7-hch@lst.de
State New
Headers show
Series
  • [1/9] fs: refactor new_sync_read
Related show

Commit Message

Christoph Hellwig June 26, 2020, 7:58 a.m. UTC
From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

This error path returned directly instead of calling sysctl_head_finish().

Fixes: ef9d965bc8b6 ("sysctl: reject gigantic reads/write to sysctl files")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
 fs/proc/proc_sysctl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Luis Chamberlain June 26, 2020, 12:17 p.m. UTC | #1
On Fri, Jun 26, 2020 at 09:58:33AM +0200, Christoph Hellwig wrote:
> From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
> 
> This error path returned directly instead of calling sysctl_head_finish().

And if the commit log can say why this was bad. Found through code
inspection from what I recall right?

  Luis
Matthew Wilcox June 26, 2020, 12:27 p.m. UTC | #2
On Fri, Jun 26, 2020 at 12:17:01PM +0000, Luis Chamberlain wrote:
> On Fri, Jun 26, 2020 at 09:58:33AM +0200, Christoph Hellwig wrote:
> > From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
> > 
> > This error path returned directly instead of calling sysctl_head_finish().
> 
> And if the commit log can say why this was bad. Found through code
> inspection from what I recall right?

I don't know why it's bad, it's just different from every other exit
path from this function, and it's user-triggerable, so it just needs to
get fixed.

Patch
diff mbox series

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 42c5128c7d1c76..6c1166ccdaea57 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -566,8 +566,9 @@  static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 		goto out;
 
 	/* don't even try if the size is too large */
-	if (count > KMALLOC_MAX_SIZE)
-		return -ENOMEM;
+	error = -ENOMEM;
+	if (count >= KMALLOC_MAX_SIZE)
+		goto out;
 
 	if (write) {
 		kbuf = memdup_user_nul(ubuf, count);
@@ -576,7 +577,6 @@  static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf,
 			goto out;
 		}
 	} else {
-		error = -ENOMEM;
 		kbuf = kzalloc(count, GFP_KERNEL);
 		if (!kbuf)
 			goto out;