NFC: Use GFP_USER for user-controlled kmalloc These two functions are called in sendmsg path, and the 'len' is passed from user-space, so we should not allow malicious users to OOM kernel on purpose. Reported-by: Dmitry Vyukov <dvyukov@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Reviewed-by: Julian Calaby <julian.calaby@gmail.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>

commit: 81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a [log] [tgz]
author: Cong Wang <xiyou.wangcong@gmail.com> Fri Jan 29 11:24:24 2016 -0800
committer: Samuel Ortiz <sameo@linux.intel.com> Thu Feb 25 08:40:55 2016 +0100
tree: 5ca43bb47ccc627193473702e140b70b036c66a1
parent: 667f00630ebefc4d73aa105c6ab254e4aec867f8 [diff] [blame]
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 3621a90..3425532 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c

@@ -663,7 +663,7 @@
 		return -ENOBUFS;
 	}
 
-	msg_data = kzalloc(len, GFP_KERNEL);
+	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
 	if (msg_data == NULL)
 		return -ENOMEM;
 
@@ -729,7 +729,7 @@
 	if (local == NULL)
 		return -ENODEV;
 
-	msg_data = kzalloc(len, GFP_KERNEL);
+	msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN);
 	if (msg_data == NULL)
 		return -ENOMEM;
commit	81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a	[log] [tgz]
author	Cong Wang <xiyou.wangcong@gmail.com>	Fri Jan 29 11:24:24 2016 -0800
committer	Samuel Ortiz <sameo@linux.intel.com>	Thu Feb 25 08:40:55 2016 +0100
tree	5ca43bb47ccc627193473702e140b70b036c66a1
parent	667f00630ebefc4d73aa105c6ab254e4aec867f8 [diff] [blame]