NFC: Use GFP_USER for user-controlled kmalloc
authorCong Wang <xiyou.wangcong@gmail.com>
Fri, 29 Jan 2016 19:24:24 +0000 (11:24 -0800)
committerSamuel Ortiz <sameo@linux.intel.com>
Thu, 25 Feb 2016 07:40:55 +0000 (08:40 +0100)
These two functions are called in sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM kernel on purpose.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
net/nfc/llcp_commands.c

index 3621a902cb6e36e3399848694a8ab6bfc0a962a8..3425532c39f7839d9ce6d87167d6b9222d6cd5e2 100644 (file)
@@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock,
                return -ENOBUFS;
        }
 
-       msg_data = kzalloc(len, GFP_KERNEL);
+       msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
        if (msg_data == NULL)
                return -ENOMEM;
 
@@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap,
        if (local == NULL)
                return -ENODEV;
 
-       msg_data = kzalloc(len, GFP_KERNEL);
+       msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
        if (msg_data == NULL)
                return -ENOMEM;