From 467f3a485d0da1e9410c5e3e75790dc5f9f456cc Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers
Date: Tue, 31 Oct 2017 18:23:59 -0400
Subject: [PATCH] Fix: lttng-logger get_user_pages_fast error handling

Comparing a signed return value against an unsigned nr_pages performs the comparison as "unsigned", and therefore mistakenly considers get_user_pages_fast() errors as success. By passing an invalid pointer to write() to the /proc/lttng-logger interface, unprivileged user-space processes can trigger a kernel OOPS.

Signed-off-by: Mathieu Desnoyers
---
 probes/lttng.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/probes/lttng.c b/probes/lttng.c
index 8810fa22..09045fac 100644
--- a/probes/lttng.c
+++ b/probes/lttng.c
@@ -65,7 +65,7 @@ static
 ssize_t lttng_logger_write(struct file *file, const char __user *user_buf,
 size_t count, loff_t *ppos)
 {
- unsigned int nr_pages = 1, i;
+ int nr_pages = 1, i;
 unsigned long uaddr = (unsigned long) user_buf;
 struct page *pages[2];
 ssize_t written;
--
2.34.1
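Review bot: The signedness of `int nr_pages = 1, i;` is now what keeps a negative get_user_pages_fast() return from being treated as success, but nothing on the line records that, so a later tidy-up back to `unsigned int` (a natural type for a count) would silently reintroduce the unprivileged-triggerable oops described in the commit message. I would add a comment above the declaration such as `/* signed on purpose: compared with get_user_pages_fast(), which returns a negative errno on failure */`. The comparison itself lies outside this hunk, so I cannot see it; if it has the form `ret < nr_pages`, it is worth confirming that a short pin (0 <= ret < nr_pages) releases the pages already pinned before returning. The body of lttng_logger_write continues past the end of the hunk.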