From: yu kuai yukuai3@huawei.com
euler inclusion
category: bugfix
bugzilla: 46858
CVE: NA
---------------------------
In 'write_proc', if input from userspace is invalid, the 'buff_num' will be set to 0 with unfreed buffer.
Fix it by setting 'buff_num' to 'old_buff_num'.
Reported-by: song jian songjian15@huawei.com
Signed-off-by: yu kuai yukuai3@huawei.com
Reviewed-by: zhangyi (F) yi.zhang@huawei.com
Signed-off-by: zhangyi (F) yi.zhang@huawei.com
Signed-off-by: Dianfang Zhang zhangdianfang@huawei.com
---
 fs/dirty_pages.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/dirty_pages.c b/fs/dirty_pages.c index 7a32f01021fb..32bff2d0981a 100644 --- a/fs/dirty_pages.c +++ b/fs/dirty_pages.c @@ -259,7 +259,7 @@ static ssize_t write_proc( old_buff_num = buff_num; ret = kstrtol(msg, 10, &buff_num); if (ret != 0 || buff_num < 0 || buff_num > MAX_BUFF_SIZE) { - buff_num = 0; + buff_num = old_buff_num; ret = -EINVAL; goto free; }
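Review bot: in the error branch of write_proc, the restore to old_buff_num is needed only because `kstrtol(msg, 10, &buff_num)` parses straight into buff_num before the range check, so buff_num holds an unvalidated value until the branch runs. Consider parsing into a local long (a hypothetical `tmp`), checking `ret != 0 || tmp < 0 || tmp > MAX_BUFF_SIZE`, and assigning buff_num only on success. That removes the window in which a negative or oversized value is visible if buff_num can be read concurrently with this function, and the error path no longer has to undo anything. The branch also overwrites kstrtol's own return value with -EINVAL, so a parse result such as -ERANGE is not passed back to the caller. If that is intended, a short comment would help.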