Message ID | ZK0Q+ZuONTsBG+1T@moroto (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | accel/qaic: Improve bounds checking in encode/decode | expand |
On 7/11/2023 1:51 PM, Dan Carpenter wrote: > If get_user_pages_fast() allocates some pages but not as many as we > wanted, then the current code leaks those pages. Call put_page() on > the pages before returning. > > Fixes: 129776ac2e38 ("accel/qaic: Add control path") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>
On 7/14/2023 5:47 AM, Pranjal Ramajor Asha Kanojiya wrote: > > > On 7/11/2023 1:51 PM, Dan Carpenter wrote: >> If get_user_pages_fast() allocates some pages but not as many as we >> wanted, then the current code leaks those pages. Call put_page() on >> the pages before returning. >> >> Fixes: 129776ac2e38 ("accel/qaic: Add control path") >> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > > Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com> Pushed to drm-misc-fixes -Jeff
diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c index d5ce36cb351f..9a6f80f31c65 100644 --- a/drivers/accel/qaic/qaic_control.c +++ b/drivers/accel/qaic/qaic_control.c @@ -425,9 +425,12 @@ static int find_and_map_user_pages(struct qaic_device *qdev, } ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list); - if (ret < 0 || ret != nr_pages) { - ret = -EFAULT; + if (ret < 0) goto free_page_list; + if (ret != nr_pages) { + nr_pages = ret; + ret = -EFAULT; + goto put_pages; } sgt = kmalloc(sizeof(*sgt), GFP_KERNEL);
If get_user_pages_fast() allocates some pages but not as many as we wanted, then the current code leaks those pages. Call put_page() on the pages before returning. Fixes: 129776ac2e38 ("accel/qaic: Add control path") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> --- no change drivers/accel/qaic/qaic_control.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)