udmabuf: fix general protection fault in udmabuf_create
authorPavel Skripkin <paskripkin@gmail.com>
Wed, 11 Aug 2021 17:50:52 +0000 (20:50 +0300)
committerGerd Hoffmann <kraxel@redhat.com>
Thu, 12 Aug 2021 07:27:22 +0000 (09:27 +0200)
Syzbot reported general protection fault in udmabuf_create. The problem
was in wrong error handling.

In commit 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)")
shmem_read_mapping_page() call was replaced with find_get_page_flags(),
but find_get_page_flags() returns NULL on failure instead PTR_ERR().

Wrong error checking was causing GPF in get_page(), since passed page
was equal to NULL. Fix it by changing if (IS_ER(!hpage)) to if (!hpage)

Reported-by: syzbot+e9cd3122a37c5d6c51e8@syzkaller.appspotmail.com
Fixes: 16c243e99d33 ("udmabuf: Add support for mapping hugepages (v4)")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20210811175052.21254-1-paskripkin@gmail.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
drivers/dma-buf/udmabuf.c

index 8df761a102511494a771d00c39b85fecfd6350da..c57a609db75be7d7b1d3fa1fdc2e789403bc933f 100644 (file)
@@ -227,8 +227,8 @@ static long udmabuf_create(struct miscdevice *device,
                                if (!hpage) {
                                        hpage = find_get_page_flags(mapping, pgoff,
                                                                    FGP_ACCESSED);
-                                       if (IS_ERR(hpage)) {
-                                               ret = PTR_ERR(hpage);
+                                       if (!hpage) {
+                                               ret = -EINVAL;
                                                goto err;
                                        }
                                }