2 files changed, 47 insertions, 64 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 03042d60a8fc..0a646e2b57c5 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1309,12 +1309,11 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
        if (page_num >= blob_size)
                goto out;
        r = -ENOMEM;
-        page = kzalloc(PAGE_SIZE, GFP_KERNEL);
+        page = memdup_user(blob_addr + (page_num * PAGE_SIZE), PAGE_SIZE);
-        if (!page)
+        if (IS_ERR(page)) {
+                r = PTR_ERR(page);
                goto out;
-        r = -EFAULT;
+        }
-        if (copy_from_user(page, blob_addr + (page_num * PAGE_SIZE), PAGE_SIZE))
-                goto out_free;
        if (kvm_write_guest(kvm, page_addr, page, PAGE_SIZE))
                goto out_free;
        r = 0;
@@ -1988,15 +1987,12 @@ static int msr_io(struct kvm_vcpu *vcpu, struct kvm_msrs __user *user_msrs,
        if (msrs.nmsrs >= MAX_IO_MSRS)
                goto out;
-        r = -ENOMEM;
        size = sizeof(struct kvm_msr_entry) * msrs.nmsrs;
-        entries = kmalloc(size, GFP_KERNEL);
+        entries = memdup_user(user_msrs->entries, size);
-        if (!entries)
+        if (IS_ERR(entries)) {
+                r = PTR_ERR(entries);
                goto out;
+        }
-        r = -EFAULT;
-        if (copy_from_user(entries, user_msrs->entries, size))
-                goto out_free;
        r = n = __msr_io(vcpu, &msrs, entries, do_msr);
        if (r < 0)
@@ -2533,13 +2529,12 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                r = -EINVAL;
                if (!vcpu->arch.apic)
                        goto out;
-                u.lapic = kmalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);
+                u.lapic = memdup_user(argp, sizeof(*u.lapic));
-                r = -ENOMEM;
+                if (IS_ERR(u.lapic)) {
-                if (!u.lapic)
+                        r = PTR_ERR(u.lapic);
-                        goto out;
-                r = -EFAULT;
-                if (copy_from_user(u.lapic, argp, sizeof(struct kvm_lapic_state)))
                        goto out;
+                }
                r = kvm_vcpu_ioctl_set_lapic(vcpu, u.lapic);
                if (r)
                        goto out;
@@ -2718,14 +2713,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                break;
        }
        case KVM_SET_XSAVE: {
-                u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL);
+                u.xsave = memdup_user(argp, sizeof(*u.xsave));
-                r = -ENOMEM;
+                if (IS_ERR(u.xsave)) {
-                if (!u.xsave)
+                        r = PTR_ERR(u.xsave);
-                        break;
+                        goto out;
+                }
-                r = -EFAULT;
-                if (copy_from_user(u.xsave, argp, sizeof(struct kvm_xsave)))
-                        break;
                r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);
                break;
@@ -2746,15 +2738,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
                break;
        }
        case KVM_SET_XCRS: {
-                u.xcrs = kzalloc(sizeof(struct kvm_xcrs), GFP_KERNEL);
+                u.xcrs = memdup_user(argp, sizeof(*u.xcrs));
-                r = -ENOMEM;
+                if (IS_ERR(u.xcrs)) {
-                if (!u.xcrs)
+                        r = PTR_ERR(u.xcrs);
-                        break;
+                        goto out;
+                }
-                r = -EFAULT;
-                if (copy_from_user(u.xcrs, argp,
-                                   sizeof(struct kvm_xcrs)))
-                        break;
                r = kvm_vcpu_ioctl_x86_set_xcrs(vcpu, u.xcrs);
                break;
@@ -3190,14 +3178,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
        }
        case KVM_GET_IRQCHIP: {
                /* 0: PIC master, 1: PIC slave, 2: IOAPIC */
-                struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL);
+                struct kvm_irqchip *chip;
-                r = -ENOMEM;
+                chip = memdup_user(argp, sizeof(*chip));
-                if (!chip)
+                if (IS_ERR(chip)) {
+                        r = PTR_ERR(chip);
                        goto out;
-                r = -EFAULT;
+                }
-                if (copy_from_user(chip, argp, sizeof *chip))
-                        goto get_irqchip_out;
                r = -ENXIO;
                if (!irqchip_in_kernel(kvm))
                        goto get_irqchip_out;
@@ -3216,14 +3204,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
        }
        case KVM_SET_IRQCHIP: {
                /* 0: PIC master, 1: PIC slave, 2: IOAPIC */
-                struct kvm_irqchip *chip = kmalloc(sizeof(*chip), GFP_KERNEL);
+                struct kvm_irqchip *chip;
-                r = -ENOMEM;
+                chip = memdup_user(argp, sizeof(*chip));
-                if (!chip)
+                if (IS_ERR(chip)) {
+                        r = PTR_ERR(chip);
                        goto out;
-                r = -EFAULT;
+                }
-                if (copy_from_user(chip, argp, sizeof *chip))
-                        goto set_irqchip_out;
                r = -ENXIO;
                if (!irqchip_in_kernel(kvm))
                        goto set_irqchip_out;
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index a6e612fced73..d8bac0751666 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1821,12 +1821,11 @@ out_free1:
                struct kvm_regs *kvm_regs;
                r = -ENOMEM;
-                kvm_regs = kzalloc(sizeof(struct kvm_regs), GFP_KERNEL);
+                kvm_regs = memdup_user(argp, sizeof(*kvm_regs));
-                if (!kvm_regs)
+                if (IS_ERR(kvm_regs)) {
+                        r = PTR_ERR(kvm_regs);
                        goto out;
-                r = -EFAULT;
+                }
-                if (copy_from_user(kvm_regs, argp, sizeof(struct kvm_regs)))
-                        goto out_free2;
                r = kvm_arch_vcpu_ioctl_set_regs(vcpu, kvm_regs);
                if (r)
                        goto out_free2;
@@ -1850,13 +1849,11 @@ out_free2:
                break;
        }
        case KVM_SET_SREGS: {
-                kvm_sregs = kmalloc(sizeof(struct kvm_sregs), GFP_KERNEL);
+                kvm_sregs = memdup_user(argp, sizeof(*kvm_sregs));
-                r = -ENOMEM;
+                if (IS_ERR(kvm_sregs)) {
-                if (!kvm_sregs)
+                        r = PTR_ERR(kvm_sregs);
-                        goto out;
-                r = -EFAULT;
-                if (copy_from_user(kvm_sregs, argp, sizeof(struct kvm_sregs)))
                        goto out;
+                }
                r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);
                if (r)
                        goto out;
@@ -1952,13 +1949,11 @@ out_free2:
                break;
        }
        case KVM_SET_FPU: {
-                fpu = kmalloc(sizeof(struct kvm_fpu), GFP_KERNEL);
+                fpu = memdup_user(argp, sizeof(*fpu));
-                r = -ENOMEM;
+                if (IS_ERR(fpu)) {
-                if (!fpu)
+                        r = PTR_ERR(fpu);
-                        goto out;
-                r = -EFAULT;
-                if (copy_from_user(fpu, argp, sizeof(struct kvm_fpu)))
                        goto out;
+                }
                r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);
                if (r)
                        goto out;

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 03042d60a8fc..0a646e2b57c5 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c
@@ -1309,12 +1309,11 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
1309	if (page_num >= blob_size)	1309	if (page_num >= blob_size)
1310	goto out;	1310	goto out;
1311	r = -ENOMEM;	1311	r = -ENOMEM;
1312	page = kzalloc(PAGE_SIZE, GFP_KERNEL);	1312	page = memdup_user(blob_addr + (page_num * PAGE_SIZE), PAGE_SIZE);
1313	if (!page)	1313	if (IS_ERR(page)) {
		1314	r = PTR_ERR(page);
1314	goto out;	1315	goto out;
1315	r = -EFAULT;	1316	}
1316	if (copy_from_user(page, blob_addr + (page_num * PAGE_SIZE), PAGE_SIZE))
1317	goto out_free;
1318	if (kvm_write_guest(kvm, page_addr, page, PAGE_SIZE))	1317	if (kvm_write_guest(kvm, page_addr, page, PAGE_SIZE))
1319	goto out_free;	1318	goto out_free;
1320	r = 0;	1319	r = 0;
@@ -1988,15 +1987,12 @@ static int msr_io(struct kvm_vcpu vcpu, struct kvm_msrs __user user_msrs,
1988	if (msrs.nmsrs >= MAX_IO_MSRS)	1987	if (msrs.nmsrs >= MAX_IO_MSRS)
1989	goto out;	1988	goto out;
1990		1989
1991	r = -ENOMEM;
1992	size = sizeof(struct kvm_msr_entry) * msrs.nmsrs;	1990	size = sizeof(struct kvm_msr_entry) * msrs.nmsrs;
1993	entries = kmalloc(size, GFP_KERNEL);	1991	entries = memdup_user(user_msrs->entries, size);
1994	if (!entries)	1992	if (IS_ERR(entries)) {
		1993	r = PTR_ERR(entries);
1995	goto out;	1994	goto out;
1996		1995	}
1997	r = -EFAULT;
1998	if (copy_from_user(entries, user_msrs->entries, size))
1999	goto out_free;
2000		1996
2001	r = n = __msr_io(vcpu, &msrs, entries, do_msr);	1997	r = n = __msr_io(vcpu, &msrs, entries, do_msr);
2002	if (r < 0)	1998	if (r < 0)
@@ -2533,13 +2529,12 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
2533	r = -EINVAL;	2529	r = -EINVAL;
2534	if (!vcpu->arch.apic)	2530	if (!vcpu->arch.apic)
2535	goto out;	2531	goto out;
2536	u.lapic = kmalloc(sizeof(struct kvm_lapic_state), GFP_KERNEL);	2532	u.lapic = memdup_user(argp, sizeof(*u.lapic));
2537	r = -ENOMEM;	2533	if (IS_ERR(u.lapic)) {
2538	if (!u.lapic)	2534	r = PTR_ERR(u.lapic);
2539	goto out;
2540	r = -EFAULT;
2541	if (copy_from_user(u.lapic, argp, sizeof(struct kvm_lapic_state)))
2542	goto out;	2535	goto out;
		2536	}
		2537
2543	r = kvm_vcpu_ioctl_set_lapic(vcpu, u.lapic);	2538	r = kvm_vcpu_ioctl_set_lapic(vcpu, u.lapic);
2544	if (r)	2539	if (r)
2545	goto out;	2540	goto out;
@@ -2718,14 +2713,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
2718	break;	2713	break;
2719	}	2714	}
2720	case KVM_SET_XSAVE: {	2715	case KVM_SET_XSAVE: {
2721	u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL);	2716	u.xsave = memdup_user(argp, sizeof(*u.xsave));
2722	r = -ENOMEM;	2717	if (IS_ERR(u.xsave)) {
2723	if (!u.xsave)	2718	r = PTR_ERR(u.xsave);
2724	break;	2719	goto out;
2725		2720	}
2726	r = -EFAULT;
2727	if (copy_from_user(u.xsave, argp, sizeof(struct kvm_xsave)))
2728	break;
2729		2721
2730	r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);	2722	r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);
2731	break;	2723	break;
@@ -2746,15 +2738,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
2746	break;	2738	break;
2747	}	2739	}
2748	case KVM_SET_XCRS: {	2740	case KVM_SET_XCRS: {
2749	u.xcrs = kzalloc(sizeof(struct kvm_xcrs), GFP_KERNEL);	2741	u.xcrs = memdup_user(argp, sizeof(*u.xcrs));
2750	r = -ENOMEM;	2742	if (IS_ERR(u.xcrs)) {
2751	if (!u.xcrs)	2743	r = PTR_ERR(u.xcrs);
2752	break;	2744	goto out;
2753		2745	}
2754	r = -EFAULT;
2755	if (copy_from_user(u.xcrs, argp,
2756	sizeof(struct kvm_xcrs)))
2757	break;
2758		2746
2759	r = kvm_vcpu_ioctl_x86_set_xcrs(vcpu, u.xcrs);	2747	r = kvm_vcpu_ioctl_x86_set_xcrs(vcpu, u.xcrs);
2760	break;	2748	break;
@@ -3190,14 +3178,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
3190	}	3178	}
3191	case KVM_GET_IRQCHIP: {	3179	case KVM_GET_IRQCHIP: {
3192	/* 0: PIC master, 1: PIC slave, 2: IOAPIC */	3180	/* 0: PIC master, 1: PIC slave, 2: IOAPIC */
3193	struct kvm_irqchip chip = kmalloc(sizeof(chip), GFP_KERNEL);	3181	struct kvm_irqchip *chip;
3194		3182
3195	r = -ENOMEM;	3183	chip = memdup_user(argp, sizeof(*chip));
3196	if (!chip)	3184	if (IS_ERR(chip)) {
		3185	r = PTR_ERR(chip);
3197	goto out;	3186	goto out;
3198	r = -EFAULT;	3187	}
3199	if (copy_from_user(chip, argp, sizeof *chip))	3188
3200	goto get_irqchip_out;
3201	r = -ENXIO;	3189	r = -ENXIO;
3202	if (!irqchip_in_kernel(kvm))	3190	if (!irqchip_in_kernel(kvm))
3203	goto get_irqchip_out;	3191	goto get_irqchip_out;
@@ -3216,14 +3204,14 @@ long kvm_arch_vm_ioctl(struct file *filp,
3216	}	3204	}
3217	case KVM_SET_IRQCHIP: {	3205	case KVM_SET_IRQCHIP: {
3218	/* 0: PIC master, 1: PIC slave, 2: IOAPIC */	3206	/* 0: PIC master, 1: PIC slave, 2: IOAPIC */
3219	struct kvm_irqchip chip = kmalloc(sizeof(chip), GFP_KERNEL);	3207	struct kvm_irqchip *chip;
3220		3208
3221	r = -ENOMEM;	3209	chip = memdup_user(argp, sizeof(*chip));
3222	if (!chip)	3210	if (IS_ERR(chip)) {
		3211	r = PTR_ERR(chip);
3223	goto out;	3212	goto out;
3224	r = -EFAULT;	3213	}
3225	if (copy_from_user(chip, argp, sizeof *chip))	3214
3226	goto set_irqchip_out;
3227	r = -ENXIO;	3215	r = -ENXIO;
3228	if (!irqchip_in_kernel(kvm))	3216	if (!irqchip_in_kernel(kvm))
3229	goto set_irqchip_out;	3217	goto set_irqchip_out;


diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index a6e612fced73..d8bac0751666 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c
@@ -1821,12 +1821,11 @@ out_free1:
1821	struct kvm_regs *kvm_regs;	1821	struct kvm_regs *kvm_regs;
1822		1822
1823	r = -ENOMEM;	1823	r = -ENOMEM;
1824	kvm_regs = kzalloc(sizeof(struct kvm_regs), GFP_KERNEL);	1824	kvm_regs = memdup_user(argp, sizeof(*kvm_regs));
1825	if (!kvm_regs)	1825	if (IS_ERR(kvm_regs)) {
		1826	r = PTR_ERR(kvm_regs);
1826	goto out;	1827	goto out;
1827	r = -EFAULT;	1828	}
1828	if (copy_from_user(kvm_regs, argp, sizeof(struct kvm_regs)))
1829	goto out_free2;
1830	r = kvm_arch_vcpu_ioctl_set_regs(vcpu, kvm_regs);	1829	r = kvm_arch_vcpu_ioctl_set_regs(vcpu, kvm_regs);
1831	if (r)	1830	if (r)
1832	goto out_free2;	1831	goto out_free2;
@@ -1850,13 +1849,11 @@ out_free2:
1850	break;	1849	break;
1851	}	1850	}
1852	case KVM_SET_SREGS: {	1851	case KVM_SET_SREGS: {
1853	kvm_sregs = kmalloc(sizeof(struct kvm_sregs), GFP_KERNEL);	1852	kvm_sregs = memdup_user(argp, sizeof(*kvm_sregs));
1854	r = -ENOMEM;	1853	if (IS_ERR(kvm_sregs)) {
1855	if (!kvm_sregs)	1854	r = PTR_ERR(kvm_sregs);
1856	goto out;
1857	r = -EFAULT;
1858	if (copy_from_user(kvm_sregs, argp, sizeof(struct kvm_sregs)))
1859	goto out;	1855	goto out;
		1856	}
1860	r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);	1857	r = kvm_arch_vcpu_ioctl_set_sregs(vcpu, kvm_sregs);
1861	if (r)	1858	if (r)
1862	goto out;	1859	goto out;
@@ -1952,13 +1949,11 @@ out_free2:
1952	break;	1949	break;
1953	}	1950	}
1954	case KVM_SET_FPU: {	1951	case KVM_SET_FPU: {
1955	fpu = kmalloc(sizeof(struct kvm_fpu), GFP_KERNEL);	1952	fpu = memdup_user(argp, sizeof(*fpu));
1956	r = -ENOMEM;	1953	if (IS_ERR(fpu)) {
1957	if (!fpu)	1954	r = PTR_ERR(fpu);
1958	goto out;
1959	r = -EFAULT;
1960	if (copy_from_user(fpu, argp, sizeof(struct kvm_fpu)))
1961	goto out;	1955	goto out;
		1956	}
1962	r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);	1957	r = kvm_arch_vcpu_ioctl_set_fpu(vcpu, fpu);
1963	if (r)	1958	if (r)
1964	goto out;	1959	goto out;