Fix NULL pointer dereference in futex_wake_op() in case when the same

address specified for arguments uaddr and uaddr2. PR: 218987 Reported by: luke.tw gmail MFC after: 1 week
2026-06-11 09:41:03 -04:00 · 2017-05-01 12:25:37 +00:00 · 2017-05-01 12:25:37 +00:00 · 2ca5d34d20
commit 2ca5d34d20
parent 52f72bfa66
1 changed files with 6 additions and 3 deletions
--- a/sys/compat/linux/linux_futex.c
+++ b/sys/compat/linux/linux_futex.c
@ -952,6 +952,11 @@ retry1:
 		    args->uaddr, args->val, args->uaddr2, args->val3,
 		    args->timeout);

+		if (args->uaddr == args->uaddr2) {
+			LIN_SDT_PROBE1(futex, linux_sys_futex, return, EINVAL);
+			return (EINVAL);
+		}
+
 retry2:
 		error = futex_get(args->uaddr, NULL, &f, flags | FUTEX_DONTLOCK);
 		if (error) {
@ -959,9 +964,7 @@ retry2:
 			return (error);
 		}

-		if (args->uaddr != args->uaddr2)
-			error = futex_get(args->uaddr2, NULL, &f2,
-			    flags | FUTEX_DONTLOCK);
+		error = futex_get(args->uaddr2, NULL, &f2, flags | FUTEX_DONTLOCK);
 		if (error) {
 			futex_put(f, NULL);