+3 -9

arch/xtensa/platforms/iss/simdisk.c

reviewed

··· 227 227 static ssize_t proc_write_simdisk(struct file *file, const char __user *buf, 228 228 size_t count, loff_t *ppos) 229 229 { 230 230 - char *tmp = kmalloc(count + 1, GFP_KERNEL); 230 230 + char *tmp = memdup_user_nul(buf, count); 231 231 struct simdisk *dev = PDE_DATA(file_inode(file)); 232 232 int err; 233 233 234 234 - if (tmp == NULL) 235 235 - return -ENOMEM; 236 236 - if (copy_from_user(tmp, buf, count)) { 237 237 - err = -EFAULT; 238 238 - goto out_free; 239 239 - } 234 234 + if (IS_ERR(tmp)) 235 235 + return PTR_ERR(tmp); 240 236 241 237 err = simdisk_detach(dev); 242 238 if (err != 0) ··· 240 244 241 245 if (count > 0 && tmp[count - 1] == '\n') 242 246 tmp[count - 1] = 0; 243 243 - else 244 244 - tmp[count] = 0; 245 247 246 248 if (tmp[0]) 247 249 err = simdisk_attach(dev, tmp);

+3 -9

drivers/net/wireless/ath/wil6210/debugfs.c

reviewed

··· 580 580 long channel; 581 581 bool on; 582 582 583 583 - char *kbuf = kmalloc(len + 1, GFP_KERNEL); 583 583 + char *kbuf = memdup_user_nul(buf, len); 584 584 585 585 - if (!kbuf) 586 586 - return -ENOMEM; 587 587 - if (copy_from_user(kbuf, buf, len)) { 588 588 - kfree(kbuf); 589 589 - return -EIO; 590 590 - } 591 591 - 592 592 - kbuf[len] = '\0'; 585 585 + if (IS_ERR(kbuf)) 586 586 + return PTR_ERR(kbuf); 593 587 rc = kstrtol(kbuf, 0, &channel); 594 588 kfree(kbuf); 595 589 if (rc)

+3 -8

drivers/s390/char/vmcp.c

reviewed

··· 88 88 89 89 if (count > 240) 90 90 return -EINVAL; 91 91 - cmd = kmalloc(count + 1, GFP_KERNEL); 92 92 - if (!cmd) 93 93 - return -ENOMEM; 94 94 - if (copy_from_user(cmd, buff, count)) { 95 95 - kfree(cmd); 96 96 - return -EFAULT; 97 97 - } 98 98 - cmd[count] = '\0'; 91 91 + cmd = memdup_user_nul(buff, count); 92 92 + if (IS_ERR(cmd)) 93 93 + return PTR_ERR(cmd); 99 94 session = file->private_data; 100 95 if (mutex_lock_interruptible(&session->mutex)) { 101 96 kfree(cmd);

+3 -10

drivers/sbus/char/openprom.c

reviewed

··· 390 390 if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0) 391 391 return -EINVAL; 392 392 393 393 - tmp = kmalloc(len + 1, GFP_KERNEL); 394 394 - if (!tmp) 395 395 - return -ENOMEM; 396 396 - 397 397 - if (copy_from_user(tmp, user, len)) { 398 398 - kfree(tmp); 399 399 - return -EFAULT; 400 400 - } 401 401 - 402 402 - tmp[len] = '\0'; 393 393 + tmp = memdup_user_nul(user, len); 394 394 + if (IS_ERR(tmp)) 395 395 + return PTR_ERR(tmp); 403 396 404 397 *ptr = tmp; 405 398

+6 -19

fs/afs/proc.c

reviewed

··· 230 230 if (size <= 1 || size >= PAGE_SIZE) 231 231 return -EINVAL; 232 232 233 233 - kbuf = kmalloc(size + 1, GFP_KERNEL); 234 234 - if (!kbuf) 235 235 - return -ENOMEM; 236 236 - 237 237 - ret = -EFAULT; 238 238 - if (copy_from_user(kbuf, buf, size) != 0) 239 239 - goto done; 240 240 - kbuf[size] = 0; 233 233 + kbuf = memdup_user_nul(buf, size); 234 234 + if (IS_ERR(kbuf)) 235 235 + return PTR_ERR(kbuf); 241 236 242 237 /* trim to first NL */ 243 238 name = memchr(kbuf, '\n', size); ··· 310 315 if (size <= 1 || size >= PAGE_SIZE) 311 316 return -EINVAL; 312 317 313 313 - ret = -ENOMEM; 314 314 - kbuf = kmalloc(size + 1, GFP_KERNEL); 315 315 - if (!kbuf) 316 316 - goto nomem; 317 317 - 318 318 - ret = -EFAULT; 319 319 - if (copy_from_user(kbuf, buf, size) != 0) 320 320 - goto infault; 321 321 - kbuf[size] = 0; 318 318 + kbuf = memdup_user_nul(buf, size); 319 319 + if (IS_ERR(kbuf)) 320 320 + return PTR_ERR(kbuf); 322 321 323 322 /* trim to first NL */ 324 323 s = memchr(kbuf, '\n', size); ··· 326 337 if (ret >= 0) 327 338 ret = size; /* consume everything, always */ 328 339 329 329 - infault: 330 340 kfree(kbuf); 331 331 - nomem: 332 341 _leave(" = %d", ret); 333 342 return ret; 334 343 }

+3 -9

fs/cachefiles/daemon.c

reviewed

··· 226 226 return -EOPNOTSUPP; 227 227 228 228 /* drag the command string into the kernel so we can parse it */ 229 229 - data = kmalloc(datalen + 1, GFP_KERNEL); 230 230 - if (!data) 231 231 - return -ENOMEM; 232 232 - 233 233 - ret = -EFAULT; 234 234 - if (copy_from_user(data, _data, datalen) != 0) 235 235 - goto error; 236 236 - 237 237 - data[datalen] = '\0'; 229 229 + data = memdup_user_nul(_data, datalen); 230 230 + if (IS_ERR(data)) 231 231 + return PTR_ERR(data); 238 232 239 233 ret = -EINVAL; 240 234 if (memchr(data, '\0', datalen))

+3 -8

fs/dlm/user.c

reviewed

··· 515 515 if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN) 516 516 return -EINVAL; 517 517 518 518 - kbuf = kzalloc(count + 1, GFP_NOFS); 519 519 - if (!kbuf) 520 520 - return -ENOMEM; 521 521 - 522 522 - if (copy_from_user(kbuf, buf, count)) { 523 523 - error = -EFAULT; 524 524 - goto out_free; 525 525 - } 518 518 + kbuf = memdup_user_nul(buf, count); 519 519 + if (!IS_ERR(kbuf)) 520 520 + return PTR_ERR(kbuf); 526 521 527 522 if (check_version(kbuf)) { 528 523 error = -EBADE;

+3 -9

kernel/trace/blktrace.c

reviewed

··· 349 349 if (count >= BLK_TN_MAX_MSG) 350 350 return -EINVAL; 351 351 352 352 - msg = kmalloc(count + 1, GFP_KERNEL); 353 353 - if (msg == NULL) 354 354 - return -ENOMEM; 352 352 + msg = memdup_user_nul(buffer, count); 353 353 + if (IS_ERR(msg)) 354 354 + return PTR_ERR(msg); 355 355 356 356 - if (copy_from_user(msg, buffer, count)) { 357 357 - kfree(msg); 358 358 - return -EFAULT; 359 359 - } 360 360 - 361 361 - msg[count] = '\0'; 362 356 bt = filp->private_data; 363 357 __trace_note_message(bt, "%s", msg); 364 358 kfree(msg);

+3 -8

lib/dynamic_debug.c

reviewed

··· 657 657 pr_warn("expected <%d bytes into control\n", USER_BUF_PAGE); 658 658 return -E2BIG; 659 659 } 660 660 - tmpbuf = kmalloc(len + 1, GFP_KERNEL); 661 661 - if (!tmpbuf) 662 662 - return -ENOMEM; 663 663 - if (copy_from_user(tmpbuf, ubuf, len)) { 664 664 - kfree(tmpbuf); 665 665 - return -EFAULT; 666 666 - } 667 667 - tmpbuf[len] = '\0'; 660 660 + tmpbuf = memdup_user_nul(ubuf, len); 661 661 + if (IS_ERR(tmpbuf)) 662 662 + return PTR_ERR(tmpbuf); 668 663 vpr_info("read %d bytes from userspace\n", (int)len); 669 664 670 665 ret = ddebug_exec_queries(tmpbuf, NULL);

+6 -18

net/rxrpc/ar-key.c

reviewed

··· 896 896 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 897 897 return -EINVAL; 898 898 899 899 - description = kmalloc(optlen + 1, GFP_KERNEL); 900 900 - if (!description) 901 901 - return -ENOMEM; 902 902 - 903 903 - if (copy_from_user(description, optval, optlen)) { 904 904 - kfree(description); 905 905 - return -EFAULT; 906 906 - } 907 907 - description[optlen] = 0; 899 899 + description = memdup_user_nul(optval, optlen); 900 900 + if (IS_ERR(description)) 901 901 + return PTR_ERR(description); 908 902 909 903 key = request_key(&key_type_rxrpc, description, NULL); 910 904 if (IS_ERR(key)) { ··· 927 933 if (optlen <= 0 || optlen > PAGE_SIZE - 1) 928 934 return -EINVAL; 929 935 930 930 - description = kmalloc(optlen + 1, GFP_KERNEL); 931 931 - if (!description) 932 932 - return -ENOMEM; 933 933 - 934 934 - if (copy_from_user(description, optval, optlen)) { 935 935 - kfree(description); 936 936 - return -EFAULT; 937 937 - } 938 938 - description[optlen] = 0; 936 936 + description = memdup_user_nul(optval, optlen); 937 937 + if (IS_ERR(description)) 938 938 + return PTR_ERR(description); 939 939 940 940 key = request_key(&key_type_keyring, description, NULL); 941 941 if (IS_ERR(key)) {

+32 -82

security/smack/smackfs.c

reviewed

··· 497 497 } 498 498 } 499 499 500 500 - data = kmalloc(count + 1, GFP_KERNEL); 501 501 - if (data == NULL) 502 502 - return -ENOMEM; 503 503 - 504 504 - if (copy_from_user(data, buf, count) != 0) { 505 505 - rc = -EFAULT; 506 506 - goto out; 507 507 - } 500 500 + data = memdup_user_nul(buf, count); 501 501 + if (IS_ERR(data)) 502 502 + return PTR_ERR(data); 508 503 509 504 /* 510 505 * In case of parsing only part of user buf, ··· 879 884 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) 880 885 return -EINVAL; 881 886 882 882 - data = kzalloc(count + 1, GFP_KERNEL); 883 883 - if (data == NULL) 884 884 - return -ENOMEM; 887 887 + data = memdup_user_nul(buf, count); 888 888 + if (IS_ERR(data)) 889 889 + return PTR_ERR(data); 885 890 886 886 - if (copy_from_user(data, buf, count) != 0) { 887 887 - rc = -EFAULT; 888 888 - goto unlockedout; 889 889 - } 890 890 - 891 891 - data[count] = '\0'; 892 891 rule = data; 893 892 /* 894 893 * Only allow one writer at a time. Writes should be ··· 935 946 936 947 out: 937 948 mutex_unlock(&smack_cipso_lock); 938 938 - unlockedout: 939 949 kfree(data); 940 950 return rc; 941 951 } ··· 1175 1187 if (count < SMK_NETLBLADDRMIN) 1176 1188 return -EINVAL; 1177 1189 1178 1178 - data = kzalloc(count + 1, GFP_KERNEL); 1179 1179 - if (data == NULL) 1180 1180 - return -ENOMEM; 1181 1181 - 1182 1182 - if (copy_from_user(data, buf, count) != 0) { 1183 1183 - rc = -EFAULT; 1184 1184 - goto free_data_out; 1185 1185 - } 1190 1190 + data = memdup_user_nul(buf, count); 1191 1191 + if (IS_ERR(data)) 1192 1192 + return PTR_ERR(data); 1186 1193 1187 1194 smack = kzalloc(count + 1, GFP_KERNEL); 1188 1195 if (smack == NULL) { 1189 1196 rc = -ENOMEM; 1190 1197 goto free_data_out; 1191 1198 } 1192 1192 - 1193 1193 - data[count] = '\0'; 1194 1199 1195 1200 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s", 1196 1201 &host[0], &host[1], &host[2], &host[3], &masks, smack); ··· 1435 1454 if (count < SMK_NETLBLADDRMIN) 1436 1455 return -EINVAL; 1437 1456 1438 1438 - data = kzalloc(count + 1, GFP_KERNEL); 1439 1439 - if (data == NULL) 1440 1440 - return -ENOMEM; 1441 1441 - 1442 1442 - if (copy_from_user(data, buf, count) != 0) { 1443 1443 - rc = -EFAULT; 1444 1444 - goto free_data_out; 1445 1445 - } 1457 1457 + data = memdup_user_nul(buf, count); 1458 1458 + if (IS_ERR(data)) 1459 1459 + return PTR_ERR(data); 1446 1460 1447 1461 smack = kzalloc(count + 1, GFP_KERNEL); 1448 1462 if (smack == NULL) { 1449 1463 rc = -ENOMEM; 1450 1464 goto free_data_out; 1451 1465 } 1452 1452 - 1453 1453 - data[count] = '\0'; 1454 1466 1455 1467 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s", 1456 1468 &scanned[0], &scanned[1], &scanned[2], &scanned[3], ··· 1839 1865 if (!smack_privileged(CAP_MAC_ADMIN)) 1840 1866 return -EPERM; 1841 1867 1842 1842 - data = kzalloc(count + 1, GFP_KERNEL); 1843 1843 - if (data == NULL) 1844 1844 - return -ENOMEM; 1845 1845 - 1846 1846 - if (copy_from_user(data, buf, count) != 0) { 1847 1847 - rc = -EFAULT; 1848 1848 - goto out; 1849 1849 - } 1868 1868 + data = memdup_user_nul(buf, count); 1869 1869 + if (IS_ERR(data)) 1870 1870 + return PTR_ERR(data); 1850 1871 1851 1872 skp = smk_import_entry(data, count); 1852 1873 if (IS_ERR(skp)) { ··· 2010 2041 if (!smack_privileged(CAP_MAC_ADMIN)) 2011 2042 return -EPERM; 2012 2043 2013 2013 - data = kzalloc(count + 1, GFP_KERNEL); 2014 2014 - if (data == NULL) 2015 2015 - return -ENOMEM; 2016 2016 - 2017 2017 - if (copy_from_user(data, buf, count) != 0) { 2018 2018 - kfree(data); 2019 2019 - return -EFAULT; 2020 2020 - } 2044 2044 + data = memdup_user_nul(buf, count); 2045 2045 + if (IS_ERR(data)) 2046 2046 + return PTR_ERR(data); 2021 2047 2022 2048 rc = smk_parse_label_list(data, &list_tmp); 2023 2049 kfree(data); ··· 2097 2133 if (!smack_privileged(CAP_MAC_ADMIN)) 2098 2134 return -EPERM; 2099 2135 2100 2100 - data = kzalloc(count + 1, GFP_KERNEL); 2101 2101 - if (data == NULL) 2102 2102 - return -ENOMEM; 2103 2103 - 2104 2104 - if (copy_from_user(data, buf, count) != 0) { 2105 2105 - rc = -EFAULT; 2106 2106 - goto freeout; 2107 2107 - } 2136 2136 + data = memdup_user_nul(buf, count); 2137 2137 + if (IS_ERR(data)) 2138 2138 + return PTR_ERR(data); 2108 2139 2109 2140 /* 2110 2141 * Clear the smack_unconfined on invalid label errors. This means ··· 2655 2696 if (!smack_privileged(CAP_MAC_ADMIN)) 2656 2697 return -EPERM; 2657 2698 2658 2658 - data = kzalloc(count + 1, GFP_KERNEL); 2659 2659 - if (data == NULL) 2660 2660 - return -ENOMEM; 2699 2699 + data = memdup_user_nul(buf, count); 2700 2700 + if (IS_ERR(data)) 2701 2701 + return PTR_ERR(data); 2661 2702 2662 2662 - if (copy_from_user(data, buf, count) != 0) 2663 2663 - rc = -EFAULT; 2664 2664 - else { 2665 2665 - skp = smk_import_entry(data, count); 2666 2666 - if (IS_ERR(skp)) 2667 2667 - rc = PTR_ERR(skp); 2668 2668 - else 2669 2669 - smack_syslog_label = skp; 2670 2670 - } 2703 2703 + skp = smk_import_entry(data, count); 2704 2704 + if (IS_ERR(skp)) 2705 2705 + rc = PTR_ERR(skp); 2706 2706 + else 2707 2707 + smack_syslog_label = skp; 2671 2708 2672 2709 kfree(data); 2673 2710 return rc; ··· 2753 2798 if (*ppos != 0) 2754 2799 return -EINVAL; 2755 2800 2756 2756 - data = kzalloc(count + 1, GFP_KERNEL); 2757 2757 - if (data == NULL) 2758 2758 - return -ENOMEM; 2759 2759 - 2760 2760 - if (copy_from_user(data, buf, count) != 0) { 2761 2761 - kfree(data); 2762 2762 - return -EFAULT; 2763 2763 - } 2801 2801 + data = memdup_user_nul(buf, count); 2802 2802 + if (IS_ERR(data)) 2803 2803 + return PTR_ERR(data); 2764 2804 2765 2805 rc = smk_parse_label_list(data, &list_tmp); 2766 2806 kfree(data);

+3 -8

security/tomoyo/securityfs_if.c

reviewed

··· 43 43 int error; 44 44 if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10) 45 45 return -ENOMEM; 46 46 - data = kzalloc(count + 1, GFP_NOFS); 47 47 - if (!data) 48 48 - return -ENOMEM; 49 49 - if (copy_from_user(data, buf, count)) { 50 50 - error = -EFAULT; 51 51 - goto out; 52 52 - } 46 46 + data = memdup_user_nul(buf, count); 47 47 + if (IS_ERR(data)) 48 48 + return PTR_ERR(data); 53 49 tomoyo_normalize_line(data); 54 50 if (tomoyo_correct_domain(data)) { 55 51 const int idx = tomoyo_read_lock(); ··· 83 87 tomoyo_read_unlock(idx); 84 88 } else 85 89 error = -EINVAL; 86 86 - out: 87 90 kfree(data); 88 91 return error ? error : count; 89 92 }