diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2025-01-31 14:13:15 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-02-27 04:30:22 -0800 |
| commit | cd1c4113ba9e100d889a5b702c5b42c62026bf88 (patch) | |
| tree | 64284fe9c6195b7cb5c8810e784bc7ee97bdbe1a /lib | |
| parent | 3fb84dfb978473f1b79a2541cb81a7f4820d2397 (diff) | |
| download | linux-cd1c4113ba9e100d889a5b702c5b42c62026bf88.tar.gz linux-cd1c4113ba9e100d889a5b702c5b42c62026bf88.tar.bz2 linux-cd1c4113ba9e100d889a5b702c5b42c62026bf88.zip | |
lib/iov_iter: fix import_iovec_ubuf iovec management
commit f4b78260fc678ccd7169f32dc9f3bfa3b93931c7 upstream.
import_iovec() says that it should always be fine to kfree the iovec
returned in @iovp regardless of the error code. __import_iovec_ubuf()
never reallocates it and thus should clear the pointer even in cases when
copy_iovec_*() fail.
Link: https://lkml.kernel.org/r/378ae26923ffc20fd5e41b4360d673bf47b1775b.1738332461.git.asml.silence@gmail.com
Fixes: 3b2deb0e46da ("iov_iter: import single vector iovecs as ITER_UBUF")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/iov_iter.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/iov_iter.c b/lib/iov_iter.c index 908e75a28d90..bdb37d572e97 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -1428,6 +1428,8 @@ static ssize_t __import_iovec_ubuf(int type, const struct iovec __user *uvec, struct iovec *iov = *iovp; ssize_t ret; + *iovp = NULL; + if (compat) ret = copy_compat_iovec_from_user(iov, uvec, 1); else @@ -1438,7 +1440,6 @@ static ssize_t __import_iovec_ubuf(int type, const struct iovec __user *uvec, ret = import_ubuf(type, iov->iov_base, iov->iov_len, i); if (unlikely(ret)) return ret; - *iovp = NULL; return i->count; } |