diff options
author | Cong Wang <xiyou.wangcong@gmail.com> | 2016-01-29 22:24:24 +0300 |
---|---|---|
committer | Samuel Ortiz <sameo@linux.intel.com> | 2016-02-25 10:40:55 +0300 |
commit | 81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a (patch) | |
tree | 5ca43bb47ccc627193473702e140b70b036c66a1 /net/nfc/llcp_commands.c | |
parent | 667f00630ebefc4d73aa105c6ab254e4aec867f8 (diff) | |
download | linux-81ca7835f2cb0c3ba4236e3bcf31d997c6f5d71a.tar.xz |
NFC: Use GFP_USER for user-controlled kmalloc
These two functions are called in sendmsg path, and the
'len' is passed from user-space, so we should not allow
malicious users to OOM kernel on purpose.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Diffstat (limited to 'net/nfc/llcp_commands.c')
-rw-r--r-- | net/nfc/llcp_commands.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c index 3621a902cb6e..3425532c39f7 100644 --- a/net/nfc/llcp_commands.c +++ b/net/nfc/llcp_commands.c @@ -663,7 +663,7 @@ int nfc_llcp_send_i_frame(struct nfc_llcp_sock *sock, return -ENOBUFS; } - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; @@ -729,7 +729,7 @@ int nfc_llcp_send_ui_frame(struct nfc_llcp_sock *sock, u8 ssap, u8 dsap, if (local == NULL) return -ENODEV; - msg_data = kzalloc(len, GFP_KERNEL); + msg_data = kmalloc(len, GFP_USER | __GFP_NOWARN); if (msg_data == NULL) return -ENOMEM; |