| author | Ruipeng Qi <ruipengqi3@gmail.com> | 2026-02-03 05:03:58 +0300 |
|---|---|---|
| committer | Kees Cook <kees@kernel.org> | 2026-02-07 03:50:35 +0300 |
| commit | 05363abc7625cf18c96e67f50673cd07f11da5e9 (patch) | |
| tree | ba70e97742bf28950f04bc9e5db02224b3aa411a | |
| parent | 9448598b22c50c8a5bb77a9103e2d49f134c9578 (diff) | |
| download | linux-05363abc7625cf18c96e67f50673cd07f11da5e9.tar.xz | |

pstore: ram_core: fix incorrect success return when vmap() fails

In persistent_ram_vmap(), vmap() may return NULL on failure.
If offset is non-zero, adding offset_in_page(start) causes the function
to return a non-NULL pointer even though the mapping failed.
persistent_ram_buffer_map() therefore incorrectly returns success.
Subsequent access to prz->buffer may dereference an invalid address
and cause crashes.
Add proper NULL checking for vmap() failures.

Signed-off-by: Ruipeng Qi <ruipengqi3@gmail.com>
Link: https://patch.msgid.link/20260203020358.3315299-1-ruipengqi3@gmail.com
Signed-off-by: Kees Cook <kees@kernel.org>

| -rw-r--r-- | fs/pstore/ram_core.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c index f1848cdd6d34..f8b9b47e8b24 100644 --- a/fs/pstore/ram_core.c +++ b/fs/pstore/ram_core.c @@ -447,6 +447,13 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size, kfree(pages); /* + * vmap() may fail and return NULL. Do not add the offset in this + * case, otherwise a NULL mapping would appear successful. + */ + if (!vaddr) + return NULL; + + /* * Since vmap() uses page granularity, we must add the offset * into the page here, to get the byte granularity address * into the mapping to represent the actual "start" location. |
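
Review bot: the commit message says access to prz->buffer can crash after this failure, yet the patch carries no Fixes: tag for the added `if (!vaddr)` check in persistent_ram_vmap(); naming the commit that introduced the unconditional offset addition (plus a stable Cc if that code has shipped) would let backports pick it up. The placement itself looks right: the early `return NULL` comes after `kfree(pages)`, so the failure path does not leak the page array, and it comes before the comment describing the offset addition, so a NULL from vmap() is never turned into a small non-NULL pointer. As a style point, the new comment could say explicitly that callers treat NULL as the only failure indication, since that is why a non-NULL result from the offset addition reads as success.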
