MFC r317645:

Fix NULL pointer dereference in futex_wake_op() in case when the same address specified for arguments uaddr and uaddr2. PR: 218987
author: dchagin <dchagin@FreeBSD.org> 2017-05-08 10:51:30 +0000
committer: dchagin <dchagin@FreeBSD.org> 2017-05-08 10:51:30 +0000
commit: 6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9 (patch)
tree: 78efc683f7923788f7ff3f1cfab069d134631f2c /sys/compat/linux/linux_futex.c
parent: 21a0149b39d932d2cc8d82064b25c5bc80f023d7 (diff)
download: FreeBSD-src-6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9.zip
FreeBSD-src-6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9.tar.gz
1 files changed, 6 insertions, 3 deletions
diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c
index 3075afb..7cbdaea 100644
--- a/sys/compat/linux/linux_futex.c
+++ b/sys/compat/linux/linux_futex.c
@@ -952,6 +952,11 @@ retry1:
 		    args->uaddr, args->val, args->uaddr2, args->val3,
 		    args->timeout);
 
+		if (args->uaddr == args->uaddr2) {
+			LIN_SDT_PROBE1(futex, linux_sys_futex, return, EINVAL);
+			return (EINVAL);
+		}
+
 retry2:
 		error = futex_get(args->uaddr, NULL, &f, flags | FUTEX_DONTLOCK);
 		if (error) {
@@ -959,9 +964,7 @@ retry2:
 			return (error);
 		}
 
-		if (args->uaddr != args->uaddr2)
-			error = futex_get(args->uaddr2, NULL, &f2,
-			    flags | FUTEX_DONTLOCK);
+		error = futex_get(args->uaddr2, NULL, &f2, flags | FUTEX_DONTLOCK);
 		if (error) {
 			futex_put(f, NULL);
author	dchagin <dchagin@FreeBSD.org>	2017-05-08 10:51:30 +0000
committer	dchagin <dchagin@FreeBSD.org>	2017-05-08 10:51:30 +0000
commit	6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9 (patch)
tree	78efc683f7923788f7ff3f1cfab069d134631f2c /sys/compat/linux/linux_futex.c
parent	21a0149b39d932d2cc8d82064b25c5bc80f023d7 (diff)
download	FreeBSD-src-6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9.zip FreeBSD-src-6e4a77a9e910d3ad2f48e3e93a7b66f5842cfdb9.tar.gz