Message ID | 20200626075836.1998185-7-hch@lst.de (mailing list archive) |
---|---|
State | New, archived |
Series | [1/9] fs: refactor new_sync_read |

On Fri, Jun 26, 2020 at 09:58:33AM +0200, Christoph Hellwig wrote:
> From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
>
> This error path returned directly instead of calling sysctl_head_finish().

And if the commit log can say why this was bad. Found through code
inspection from what I recall right?

  Luis

On Fri, Jun 26, 2020 at 12:17:01PM +0000, Luis Chamberlain wrote:
> On Fri, Jun 26, 2020 at 09:58:33AM +0200, Christoph Hellwig wrote:
> > From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
> >
> > This error path returned directly instead of calling sysctl_head_finish().
>
> And if the commit log can say why this was bad. Found through code
> inspection from what I recall right?

I don't know why it's bad, it's just different from every other exit path
from this function, and it's user-triggerable, so it just needs to get fixed.

diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 42c5128c7d1c76..6c1166ccdaea57 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -566,8 +566,9 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, goto out; /* don't even try if the size is too large */ - if (count > KMALLOC_MAX_SIZE) - return -ENOMEM; + error = -ENOMEM; + if (count >= KMALLOC_MAX_SIZE) + goto out; if (write) { kbuf = memdup_user_nul(ubuf, count); @@ -576,7 +577,6 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *ubuf, goto out; } } else { - error = -ENOMEM; kbuf = kzalloc(count, GFP_KERNEL); if (!kbuf) goto out;
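
Review bot: In the first hunk the size check changes from "count > KMALLOC_MAX_SIZE" to "count >= KMALLOC_MAX_SIZE", and the commit message does not mention it; it only describes the direct return that skipped sysctl_head_finish(). The tighter bound fits the write branch, where memdup_user_nul(ubuf, count) needs one byte beyond count for the terminating NUL, but it also makes the read branch reject a count of exactly KMALLOC_MAX_SIZE that kzalloc(count, GFP_KERNEL) was previously allowed to attempt. Please either describe the comparison change in the changelog or move it to its own patch, and record there that the skipped cleanup was user-triggerable, as stated in the thread.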