From: Cong Wang Date: Fri, 29 Jan 2016 19:24:24 +0000 (-0800) Subject: NFC: Use GFP_USER for user-controlled kmalloc X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git NFC: Use GFP_USER for user-controlled kmalloc These two functions are called in sendmsg path, and the 'len' is passed from user-space, so we should not allow malicious users to OOM kernel on purpose. Reported-by: Dmitry Vyukov Acked-by: Eric Dumazet Reviewed-by: Julian Calaby Signed-off-by: Cong Wang Signed-off-by: Samuel Ortiz --- diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 3621a902cb6e..3425532c39f7 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock, return -ENOBUFS; } - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; @@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, if (local == NULL) return -ENODEV; - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM;
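Review bot: In the nfc_llcp_send_i_frame hunk (@@ -663,7 +663,7 @@), replacing kzalloc with kmalloc drops the zero-initialisation of msg_data, and the commit message only talks about the GFP flags. The lines shown do not establish that all len bytes are written before the buffer is read, so either state in the commit message that the buffer is fully overwritten by the copy from user space that follows, or keep the zeroing with kzalloc(len, GFP_USER | __GFP_NOWARN). If any path can leave part of the buffer unwritten, the new code would send uninitialised heap contents in the frame.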
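Review bot: In the nfc_llcp_send_ui_frame hunk (@@ -729,7 +729,7 @@), __GFP_NOWARN is added without any explanation in the commit message or a comment, and len still reaches the allocator with no upper bound visible in this context. Please add a sentence saying that an oversized user-supplied len is expected to fail quietly with -ENOMEM rather than produce an allocation-failure warning in the log. Also consider rejecting len above the largest frame payload the socket can send before calling kmalloc, so that the size check rather than allocator failure is what stops an unreasonable request.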