12 files changed, 71 insertions, 197 deletions

diff --git a/arch/xtensa/platforms/iss/simdisk.c b/arch/xtensa/platforms/iss/simdisk.c
index 3c3ace2c46b6..f58a4e6472cb 100644
--- a/arch/xtensa/platforms/iss/simdisk.c
+++ b/arch/xtensa/platforms/iss/simdisk.c
@@ -227,16 +227,12 @@ static ssize_t proc_read_simdisk(struct file *file, char __user *buf,
 static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
                         size_t count, loff_t *ppos)
 {
-        char *tmp = kmalloc(count + 1, GFP_KERNEL);
+        char *tmp = memdup_user_nul(buf, count);
         struct simdisk *dev = PDE_DATA(file_inode(file));
         int err;
 
-        if (tmp == NULL)
-                return -ENOMEM;
-        if (copy_from_user(tmp, buf, count)) {
-                err = -EFAULT;
-                goto out_free;
-        }
+        if (IS_ERR(tmp))
+                return PTR_ERR(tmp);
 
         err = simdisk_detach(dev);
         if (err != 0)
@@ -244,8 +240,6 @@ static ssize_t proc_write_simdisk(struct file *file, const char __user *buf,
 
         if (count > 0 && tmp[count - 1] == '\n')
                 tmp[count - 1] = 0;
-        else
-                tmp[count] = 0;
 
         if (tmp[0])
                 err = simdisk_attach(dev, tmp);
diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index 97bc186f9728..a1d10b85989f 100644
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -580,16 +580,10 @@ static ssize_t wil_write_file_rxon(struct file *file, const char __user *buf,
         long channel;
         bool on;
 
-        char *kbuf = kmalloc(len + 1, GFP_KERNEL);
-
-        if (!kbuf)
-                return -ENOMEM;
-        if (copy_from_user(kbuf, buf, len)) {
-                kfree(kbuf);
-                return -EIO;
-        }
+        char *kbuf = memdup_user_nul(buf, len);
 
-        kbuf[len] = '\0';
+        if (IS_ERR(kbuf))
+                return PTR_ERR(kbuf);
         rc = kstrtol(kbuf, 0, &channel);
         kfree(kbuf);
         if (rc)
diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c
index 0fdedadff7bc..2a67b496a9e2 100644
--- a/drivers/s390/char/vmcp.c
+++ b/drivers/s390/char/vmcp.c
@@ -88,14 +88,9 @@ vmcp_write(struct file *file, const char __user *buff, size_t count,
 
         if (count > 240)
                 return -EINVAL;
-        cmd = kmalloc(count + 1, GFP_KERNEL);
-        if (!cmd)
-                return -ENOMEM;
-        if (copy_from_user(cmd, buff, count)) {
-                kfree(cmd);
-                return -EFAULT;
-        }
-        cmd[count] = '\0';
+        cmd = memdup_user_nul(buff, count);
+        if (IS_ERR(cmd))
+                return PTR_ERR(cmd);
         session = file->private_data;
         if (mutex_lock_interruptible(&session->mutex)) {
                 kfree(cmd);
diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 5843288f64bc..e077ebd89319 100644
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -390,16 +390,9 @@ static int copyin_string(char __user *user, size_t len, char **ptr)
         if ((ssize_t)len < 0 || (ssize_t)(len + 1) < 0)
                 return -EINVAL;
 
-        tmp = kmalloc(len + 1, GFP_KERNEL);
-        if (!tmp)
-                return -ENOMEM;
-
-        if (copy_from_user(tmp, user, len)) {
-                kfree(tmp);
-                return -EFAULT;
-        }
-
-        tmp[len] = '\0';
+        tmp = memdup_user_nul(user, len);
+        if (IS_ERR(tmp))
+                return PTR_ERR(tmp);
 
         *ptr = tmp;
 
diff --git a/fs/afs/proc.c b/fs/afs/proc.c
index 24a905b076fd..2853b4095344 100644
--- a/fs/afs/proc.c
+++ b/fs/afs/proc.c
@@ -230,14 +230,9 @@ static ssize_t afs_proc_cells_write(struct file *file, const char __user *buf,
         if (size <= 1 || size >= PAGE_SIZE)
                 return -EINVAL;
 
-        kbuf = kmalloc(size + 1, GFP_KERNEL);
-        if (!kbuf)
-                return -ENOMEM;
-
-        ret = -EFAULT;
-        if (copy_from_user(kbuf, buf, size) != 0)
-                goto done;
-        kbuf[size] = 0;
+        kbuf = memdup_user_nul(buf, size);
+        if (IS_ERR(kbuf))
+                return PTR_ERR(kbuf);
 
         /* trim to first NL */
         name = memchr(kbuf, '\n', size);
@@ -315,15 +310,9 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
         if (size <= 1 || size >= PAGE_SIZE)
                 return -EINVAL;
 
-        ret = -ENOMEM;
-        kbuf = kmalloc(size + 1, GFP_KERNEL);
-        if (!kbuf)
-                goto nomem;
-
-        ret = -EFAULT;
-        if (copy_from_user(kbuf, buf, size) != 0)
-                goto infault;
-        kbuf[size] = 0;
+        kbuf = memdup_user_nul(buf, size);
+        if (IS_ERR(kbuf))
+                return PTR_ERR(kbuf);
 
         /* trim to first NL */
         s = memchr(kbuf, '\n', size);
@@ -337,9 +326,7 @@ static ssize_t afs_proc_rootcell_write(struct file *file,
         if (ret >= 0)
                 ret = size;     /* consume everything, always */
 
-infault:
         kfree(kbuf);
-nomem:
         _leave(" = %d", ret);
         return ret;
 }
diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
index f601def05bdf..452e98dd7560 100644
--- a/fs/cachefiles/daemon.c
+++ b/fs/cachefiles/daemon.c
@@ -226,15 +226,9 @@ static ssize_t cachefiles_daemon_write(struct file *file,
                 return -EOPNOTSUPP;
 
         /* drag the command string into the kernel so we can parse it */
-        data = kmalloc(datalen + 1, GFP_KERNEL);
-        if (!data)
-                return -ENOMEM;
-
-        ret = -EFAULT;
-        if (copy_from_user(data, _data, datalen) != 0)
-                goto error;
-
-        data[datalen] = '\0';
+        data = memdup_user_nul(_data, datalen);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         ret = -EINVAL;
         if (memchr(data, '\0', datalen))
diff --git a/fs/dlm/user.c b/fs/dlm/user.c
index 173b3873a4f4..1925d6d222b8 100644
--- a/fs/dlm/user.c
+++ b/fs/dlm/user.c
@@ -515,14 +515,9 @@ static ssize_t device_write(struct file *file, const char __user *buf,
         if (count > sizeof(struct dlm_write_request) + DLM_RESNAME_MAXLEN)
                 return -EINVAL;
 
-        kbuf = kzalloc(count + 1, GFP_NOFS);
-        if (!kbuf)
-                return -ENOMEM;
-
-        if (copy_from_user(kbuf, buf, count)) {
-                error = -EFAULT;
-                goto out_free;
-        }
+        kbuf = memdup_user_nul(buf, count);
+        if (!IS_ERR(kbuf))
+                return PTR_ERR(kbuf);
 
         if (check_version(kbuf)) {
                 error = -EBADE;
diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index a990824c8604..2aeb6ffc0a1e 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -349,16 +349,10 @@ static ssize_t blk_msg_write(struct file *filp, const char __user *buffer,
         if (count >= BLK_TN_MAX_MSG)
                 return -EINVAL;
 
-        msg = kmalloc(count + 1, GFP_KERNEL);
-        if (msg == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(msg, buffer, count)) {
-                kfree(msg);
-                return -EFAULT;
-        }
+        msg = memdup_user_nul(buffer, count);
+        if (IS_ERR(msg))
+                return PTR_ERR(msg);
 
-        msg[count] = '\0';
         bt = filp->private_data;
         __trace_note_message(bt, "%s", msg);
         kfree(msg);
diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c
index e3952e9c8ec0..fe42b6ec3f0c 100644
--- a/lib/dynamic_debug.c
+++ b/lib/dynamic_debug.c
@@ -657,14 +657,9 @@ static ssize_t ddebug_proc_write(struct file *file, const char __user *ubuf,
                 pr_warn("expected <%d bytes into control\n", USER_BUF_PAGE);
                 return -E2BIG;
         }
-        tmpbuf = kmalloc(len + 1, GFP_KERNEL);
-        if (!tmpbuf)
-                return -ENOMEM;
-        if (copy_from_user(tmpbuf, ubuf, len)) {
-                kfree(tmpbuf);
-                return -EFAULT;
-        }
-        tmpbuf[len] = '\0';
+        tmpbuf = memdup_user_nul(ubuf, len);
+        if (IS_ERR(tmpbuf))
+                return PTR_ERR(tmpbuf);
         vpr_info("read %d bytes from userspace\n", (int)len);
 
         ret = ddebug_exec_queries(tmpbuf, NULL);
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index da3cc09f683e..3f6571651d32 100644
--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -896,15 +896,9 @@ int rxrpc_request_key(struct rxrpc_sock *rx, char __user *optval, int optlen)
         if (optlen <= 0 || optlen > PAGE_SIZE - 1)
                 return -EINVAL;
 
-        description = kmalloc(optlen + 1, GFP_KERNEL);
-        if (!description)
-                return -ENOMEM;
-
-        if (copy_from_user(description, optval, optlen)) {
-                kfree(description);
-                return -EFAULT;
-        }
-        description[optlen] = 0;
+        description = memdup_user_nul(optval, optlen);
+        if (IS_ERR(description))
+                return PTR_ERR(description);
 
         key = request_key(&key_type_rxrpc, description, NULL);
         if (IS_ERR(key)) {
@@ -933,15 +927,9 @@ int rxrpc_server_keyring(struct rxrpc_sock *rx, char __user *optval,
         if (optlen <= 0 || optlen > PAGE_SIZE - 1)
                 return -EINVAL;
 
-        description = kmalloc(optlen + 1, GFP_KERNEL);
-        if (!description)
-                return -ENOMEM;
-
-        if (copy_from_user(description, optval, optlen)) {
-                kfree(description);
-                return -EFAULT;
-        }
-        description[optlen] = 0;
+        description = memdup_user_nul(optval, optlen);
+        if (IS_ERR(description))
+                return PTR_ERR(description);
 
         key = request_key(&key_type_keyring, description, NULL);
         if (IS_ERR(key)) {
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index 94bd9e41c9ec..e249a66db533 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -497,14 +497,9 @@ static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
                 }
         }
 
-        data = kmalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto out;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         /*
          * In case of parsing only part of user buf,
@@ -884,16 +879,10 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
             (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
                 return -EINVAL;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto unlockedout;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
-        data[count] = '\0';
         rule = data;
         /*
          * Only allow one writer at a time. Writes should be
@@ -946,7 +935,6 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
 
 out:
         mutex_unlock(&smack_cipso_lock);
-unlockedout:
         kfree(data);
         return rc;
 }
@@ -1187,14 +1175,9 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
         if (count < SMK_NETLBLADDRMIN)
                 return -EINVAL;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto free_data_out;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         smack = kzalloc(count + 1, GFP_KERNEL);
         if (smack == NULL) {
@@ -1202,8 +1185,6 @@ static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
                 goto free_data_out;
         }
 
-        data[count] = '\0';
-
         rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
                 &host[0], &host[1], &host[2], &host[3], &masks, smack);
         if (rc != 6) {
@@ -1454,14 +1435,9 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
         if (count < SMK_NETLBLADDRMIN)
                 return -EINVAL;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto free_data_out;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         smack = kzalloc(count + 1, GFP_KERNEL);
         if (smack == NULL) {
@@ -1469,8 +1445,6 @@ static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
                 goto free_data_out;
         }
 
-        data[count] = '\0';
-
         i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
                         &scanned[0], &scanned[1], &scanned[2], &scanned[3],
                         &scanned[4], &scanned[5], &scanned[6], &scanned[7],
@@ -1865,14 +1839,9 @@ static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
         if (!smack_privileged(CAP_MAC_ADMIN))
                 return -EPERM;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto out;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         skp = smk_import_entry(data, count);
         if (IS_ERR(skp)) {
@@ -2041,14 +2010,9 @@ static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
         if (!smack_privileged(CAP_MAC_ADMIN))
                 return -EPERM;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                kfree(data);
-                return -EFAULT;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         rc = smk_parse_label_list(data, &list_tmp);
         kfree(data);
@@ -2133,14 +2097,9 @@ static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
         if (!smack_privileged(CAP_MAC_ADMIN))
                 return -EPERM;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                rc = -EFAULT;
-                goto freeout;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         /*
          * Clear the smack_unconfined on invalid label errors. This means
@@ -2696,19 +2655,15 @@ static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
         if (!smack_privileged(CAP_MAC_ADMIN))
                 return -EPERM;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
-        if (copy_from_user(data, buf, count) != 0)
-                rc = -EFAULT;
-        else {
-                skp = smk_import_entry(data, count);
-                if (IS_ERR(skp))
-                        rc = PTR_ERR(skp);
-                else
-                        smack_syslog_label = skp;
-        }
+        skp = smk_import_entry(data, count);
+        if (IS_ERR(skp))
+                rc = PTR_ERR(skp);
+        else
+                smack_syslog_label = skp;
 
         kfree(data);
         return rc;
@@ -2798,14 +2753,9 @@ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
         if (*ppos != 0)
                 return -EINVAL;
 
-        data = kzalloc(count + 1, GFP_KERNEL);
-        if (data == NULL)
-                return -ENOMEM;
-
-        if (copy_from_user(data, buf, count) != 0) {
-                kfree(data);
-                return -EFAULT;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
 
         rc = smk_parse_label_list(data, &list_tmp);
         kfree(data);
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 179a955b319d..06ab41b1ff28 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -43,13 +43,9 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
         int error;
         if (!count || count >= TOMOYO_EXEC_TMPSIZE - 10)
                 return -ENOMEM;
-        data = kzalloc(count + 1, GFP_NOFS);
-        if (!data)
-                return -ENOMEM;
-        if (copy_from_user(data, buf, count)) {
-                error = -EFAULT;
-                goto out;
-        }
+        data = memdup_user_nul(buf, count);
+        if (IS_ERR(data))
+                return PTR_ERR(data);
         tomoyo_normalize_line(data);
         if (tomoyo_correct_domain(data)) {
                 const int idx = tomoyo_read_lock();
@@ -87,7 +83,6 @@ static ssize_t tomoyo_write_self(struct file *file, const char __user *buf,
                 tomoyo_read_unlock(idx);
         } else
                 error = -EINVAL;
-out:
         kfree(data);
         return error ? error : count;
 }