__gup_benchmark_ioctl does not handle the case where
get_user_pages_fast fails:

- a negative return code is added to the index i, so the next
  store lands outside the pages[] buffer
- a partial success leaves the unfilled tail of pages[] uninitialized,
  and the later put_page() pass reads those entries.

Cc: Kirill A. Shutemov <kirill.shute...@linux.intel.com>
Cc: Andrew Morton <a...@linux-foundation.org>
Cc: Huang Ying <ying.hu...@intel.com>
Cc: Jonathan Corbet <cor...@lwn.net>
Cc: Linus Torvalds <torva...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Cc: Thorsten Leemhuis <regressi...@leemhuis.info>
Cc: sta...@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <m...@redhat.com>
---
 mm/gup_benchmark.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/gup_benchmark.c b/mm/gup_benchmark.c
index 5c8e2ab..d743035 100644
--- a/mm/gup_benchmark.c
+++ b/mm/gup_benchmark.c
@@ -23,7 +23,7 @@ static int __gup_benchmark_ioctl(unsigned int cmd,
        struct page **pages;
 
        nr_pages = gup->size / PAGE_SIZE;
-       pages = kvmalloc(sizeof(void *) * nr_pages, GFP_KERNEL);
+       pages = kvzalloc(sizeof(void *) * nr_pages, GFP_KERNEL);
        if (!pages)
                return -ENOMEM;
 
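Review bot: The allocation size `sizeof(void *) * nr_pages` on the new kvzalloc() line is still an unchecked multiplication of a count derived from the user-supplied `gup->size` (L29), so the switch to zeroing does nothing for the overflow case; if `nr_pages` is an `unsigned long` fed from a 64-bit ioctl field, a 32-bit kernel can wrap this to a small allocation and the later `pages + i` stores run off the end. `kvcalloc(nr_pages, sizeof(void *), GFP_KERNEL)` gives the same zero-fill with overflow checking, if it is available in this tree. Separately, `gup->size < PAGE_SIZE` yields `nr_pages == 0`, and a zero-length kvzalloc() does not return NULL, so the `if (!pages)` check does not reject it; an explicit `if (!nr_pages) return -EINVAL;` before the allocation would make that case fail loudly instead of depending on the loop bounds. The rest of __gup_benchmark_ioctl, including the loop that consumes `pages[]`, is outside this hunk.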
@@ -41,7 +41,8 @@ static int __gup_benchmark_ioctl(unsigned int cmd,
                }
 
                nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i);
-               i += nr;
+               if (nr > 0)
+                       i += nr;
        }
        end_time = ktime_get();
 
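Review bot: With `if (nr > 0) i += nr;` a failing get_user_pages_fast() is dropped silently: the ioctl still records timings and returns success, so a benchmark against an unmapped or unpinnable range is indistinguishable from a successful run, and the negative `nr` is left in place for whatever the loop header does with it on the next iteration (the `for` begins and ends outside this hunk). Given the function returns int, the error is worth surfacing rather than swallowed, e.g. `if (nr < 0) break;` with `nr` (or a saved copy) returned after the already-pinned pages are released, and a short positive return documented as ending the run since the pages between `addr + nr * PAGE_SIZE` and `next` were never pinned. If the loop already breaks on `nr != gup->nr_pages_per_call` above this hunk, a one-line comment on the new check such as `/* a failed or short call ends the run; i only counts pages actually pinned */` would make that dependency visible.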
-- 
MST
