| From cb54a71e2c1bcd180c1ae37c32d018832163bd5a Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Date: Thu, 31 Jan 2019 13:57:58 +0100 |
| Subject: relay: check return of create_buf_file() properly |
| |
| [ Upstream commit 2c1cf00eeacb784781cf1c9896b8af001246d339 ] |
| |
| If create_buf_file() returns an error, don't try to reference it later |
| as a valid dentry pointer. |
| |
| This problem was exposed when debugfs started to return errors instead |
| of just NULL for some calls when they do not succeed properly. |
| |
| Also, the check for WARN_ON(dentry) was just wrong :) |
| |
| Reported-by: Kees Cook <keescook@chromium.org> |
| Reported-and-tested-by: syzbot+16c3a70e1e9b29346c43@syzkaller.appspotmail.com |
| Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> |
| Cc: Andrew Morton <akpm@linux-foundation.org> |
| Cc: David Rientjes <rientjes@google.com> |
| Fixes: ff9fb72bc077 ("debugfs: return error values, not NULL") |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| kernel/relay.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/kernel/relay.c b/kernel/relay.c |
| index 04f248644e06..9e0f52375487 100644 |
| --- a/kernel/relay.c |
| +++ b/kernel/relay.c |
| @@ -428,6 +428,8 @@ static struct dentry *relay_create_buf_file(struct rchan *chan, |
| dentry = chan->cb->create_buf_file(tmpname, chan->parent, |
| S_IRUSR, buf, |
| &chan->is_global); |
| + if (IS_ERR(dentry)) |
| + dentry = NULL; |
| |
| kfree(tmpname); |
| |
| @@ -461,7 +463,7 @@ static struct rchan_buf *relay_open_buf(struct rchan *chan, unsigned int cpu) |
| dentry = chan->cb->create_buf_file(NULL, NULL, |
| S_IRUSR, buf, |
| &chan->is_global); |
| - if (WARN_ON(dentry)) |
| + if (IS_ERR_OR_NULL(dentry)) |
| goto free_buf; |
| } |
| |
| -- |
| 2.19.1 |
| |
