From: Markus Elfring <[email protected]> Date: Tue, 13 Sep 2016 21:00:44 +0200
* Reuse existing functionality from memdup_user() instead of keeping duplicate source code. * Try this copy operation before allocating memory for the local variable "ksegment". Signed-off-by: Markus Elfring <[email protected]> --- drivers/char/agp/compat_ioctl.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c index a2b69db..68d4dc7 100644 --- a/drivers/char/agp/compat_ioctl.c +++ b/drivers/char/agp/compat_ioctl.c @@ -98,11 +98,10 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user if (ureserve.seg_count >= 16384) return -EINVAL; - usegment = kmalloc_array(ureserve.seg_count, - sizeof(*usegment), - GFP_KERNEL); - if (!usegment) - return -ENOMEM; + usegment = memdup_user((void __user *) ureserve.seg_list, + sizeof(*usegment) * ureserve.seg_count); + if (IS_ERR(usegment)) + return PTR_ERR(usegment); ksegment = kmalloc_array(kreserve.seg_count, sizeof(*ksegment), @@ -112,13 +111,6 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user return -ENOMEM; } - if (copy_from_user(usegment, (void __user *) ureserve.seg_list, - sizeof(*usegment) * ureserve.seg_count)) { - kfree(usegment); - kfree(ksegment); - return -EFAULT; - } - for (seg = 0; seg < ureserve.seg_count; seg++) { ksegment[seg].pg_start = usegment[seg].pg_start; ksegment[seg].pg_count = usegment[seg].pg_count; -- 2.10.0
