3.8.13.14 -stable review patch. If anyone has any objections, please let me know. ------------------ From: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx> commit be5f4b335f6e05df1b5c24b7e7d79ff52d7b8dbc upstream. Separating msg allocation enables single-block vmalloc allocation instead. Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx> Acked-by: Stanislav Kinsbursky <skinsbursky@xxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> [ kamal: 3.8 stable prereq for 4e9b45a ipc, msg: fix message length check for negative values ] Signed-off-by: Kamal Mostafa <kamal@xxxxxxxxxxxxx> --- ipc/msgutil.c | 52 ++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 38 insertions(+), 14 deletions(-) diff --git a/ipc/msgutil.c b/ipc/msgutil.c index 98b1c2b..0a5c8a9 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -44,21 +44,54 @@ struct msg_msgseg { #define DATALEN_MSG (int)(PAGE_SIZE-sizeof(struct msg_msg)) #define DATALEN_SEG (int)(PAGE_SIZE-sizeof(struct msg_msgseg)) -struct msg_msg *load_msg(const void __user *src, int len) + +static struct msg_msg *alloc_msg(int len) { struct msg_msg *msg; struct msg_msgseg **pseg; - int err; int alen; alen = min(len, DATALEN_MSG); msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL); if (msg == NULL) - return ERR_PTR(-ENOMEM); + return NULL; msg->next = NULL; msg->security = NULL; + len -= alen; + pseg = &msg->next; + while (len > 0) { + struct msg_msgseg *seg; + alen = min(len, DATALEN_SEG); + seg = kmalloc(sizeof(*seg) + alen, GFP_KERNEL); + if (seg == NULL) + goto out_err; + *pseg = seg; + seg->next = NULL; + pseg = &seg->next; + len -= alen; + } + + return msg; + +out_err: + free_msg(msg); + return NULL; +} + +struct msg_msg *load_msg(const void __user *src, int len) +{ + struct msg_msg *msg; + struct msg_msgseg *seg; + int err; + int alen; + + msg = alloc_msg(len); + if (msg == NULL) + return ERR_PTR(-ENOMEM); + + alen = min(len, DATALEN_MSG); if (copy_from_user(msg + 1, src, alen)) { err = -EFAULT; goto out_err; @@ -66,23 +99,14 @@ struct msg_msg *load_msg(const void __user *src, int len) len -= alen; src = ((char __user *)src) + alen; - pseg = &msg->next; + seg = msg->next; while (len > 0) { - struct msg_msgseg *seg; alen = min(len, DATALEN_SEG); - seg = kmalloc(sizeof(*seg) + alen, - GFP_KERNEL); - if (seg == NULL) { - err = -ENOMEM; - goto out_err; - } - *pseg = seg; - seg->next = NULL; if (copy_from_user(seg + 1, src, alen)) { err = -EFAULT; goto out_err; } - pseg = &seg->next; + seg = seg->next; len -= alen; src = ((char __user *)src) + alen; } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html