Comparing a signed return value against an unsigned nr_pages performs
the comparison as "unsigned", and therefore mistakenly considers
get_user_pages_fast() errors as success.

By passing an invalid pointer to write() to the /proc/lttng-logger
interface, unprivileged user-space processes can trigger a kernel OOPS.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
ssize_t lttng_logger_write(struct file *file, const char __user *user_buf,
size_t count, loff_t *ppos)
{
- unsigned int nr_pages = 1, i;
+ int nr_pages = 1, i;
unsigned long uaddr = (unsigned long) user_buf;
struct page *pages[2];
ssize_t written;
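Review bot: the `+` line makes `i` signed along with `nr_pages`, but the commit message only motivates the `nr_pages` change. Either say in the message that `i` is converted on purpose, or split the declaration so only `nr_pages` changes type. Also check that every loop or comparison using `i` is still a same-signedness comparison, for example against `count`, which is `size_t`. More generally, the fix relies on the type of `nr_pages` to make the error check work, which is easy to regress. Storing the get_user_pages_fast() result in a dedicated signed variable and testing it with an explicit `ret < 0` before any comparison against `nr_pages` would make the error path visible at the call site. The comparison and the page-release path are outside this hunk, so please confirm that a negative return now exits before anything indexes `pages[]`.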