[PATCH] Fix the size limit of compat space msgsize

Currently we allocate 64k space on the user stack and use it the msgbuf for
sys_{msgrcv,msgsnd} for compat and the results are later copied in user [
by copy_in_user].  This patch introduces helper routines for
sys_{msgrcv,msgsnd} as below:

do_msgsnd() : Accepts the mtype and user space ptr to the buffer along with
the msqid and msgflg.

do_msgrcv() : Accepts a kernel space ptr to mtype and a userspace ptr to
the buffer.  The mtype has to be copied back the user space msgbuf by the
caller.

These changes avoid the need to allocate the msgsize on the userspace (
thus removing the size limt ) and the overhead of an extra copy_in_user().

Signed-off-by: Suzuki K P <suzuki@in.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

1 files changed, 7 insertions, 16 deletions

diff --git a/ipc/compat.c b/ipc/compat.c
index 4d20cfd38f0a..fa18141539fb 100644
--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -115,7 +115,6 @@ struct compat_shm_info {
 
 extern int sem_ctls[];
 #define sc_semopm       (sem_ctls[2])
-#define MAXBUF (64*1024)
 
 static inline int compat_ipc_parse_version(int *cmd)
 {
@@ -307,35 +306,30 @@ long compat_sys_semctl(int first, int second, int third, void __user *uptr)
 
 long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
 {
-        struct msgbuf __user *p;
         struct compat_msgbuf __user *up = uptr;
         long type;
 
         if (first < 0)
                 return -EINVAL;
-        if (second < 0 || (second >= MAXBUF - sizeof(struct msgbuf)))
+        if (second < 0)
                 return -EINVAL;
 
-        p = compat_alloc_user_space(second + sizeof(struct msgbuf));
-        if (get_user(type, &up->mtype) ||
-            put_user(type, &p->mtype) ||
-            copy_in_user(p->mtext, up->mtext, second))
+        if (get_user(type, &up->mtype))
                 return -EFAULT;
 
-        return sys_msgsnd(first, p, second, third);
+        return do_msgsnd(first, type, up->mtext, second, third);
 }
 
 long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
                            int version, void __user *uptr)
 {
-        struct msgbuf __user *p;
         struct compat_msgbuf __user *up;
         long type;
         int err;
 
         if (first < 0)
                 return -EINVAL;
-        if (second < 0 || (second >= MAXBUF - sizeof(struct msgbuf)))
+        if (second < 0)
                 return -EINVAL;
 
         if (!version) {
@@ -349,14 +343,11 @@ long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
                 uptr = compat_ptr(ipck.msgp);
                 msgtyp = ipck.msgtyp;
         }
-        p = compat_alloc_user_space(second + sizeof(struct msgbuf));
-        err = sys_msgrcv(first, p, second, msgtyp, third);
+        up = uptr;
+        err = do_msgrcv(first, &type, up->mtext, second, msgtyp, third);
         if (err < 0)
                 goto out;
-        up = uptr;
-        if (get_user(type, &p->mtype) ||
-            put_user(type, &up->mtype) ||
-            copy_in_user(up->mtext, p->mtext, err))
+        if (put_user(type, &up->mtype))
                 err = -EFAULT;
 out:
         return err;