2 files changed, 9 insertions, 6 deletions

diff --git a/include/net/scm.h b/include/net/scm.h
index 31656506d967..745460fa2f02 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -10,11 +10,12 @@
 /* Well, we should have at least one descriptor open
  * to accept passed FDs 8)
  */
-#define SCM_MAX_FD      255
+#define SCM_MAX_FD      253
 
 struct scm_fp_list {
         struct list_head        list;
-        int                     count;
+        short                   count;
+        short                   max;
         struct file             *fp[SCM_MAX_FD];
 };
 
diff --git a/net/core/scm.c b/net/core/scm.c
index 413cab89017d..bbe454450801 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -79,10 +79,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
                         return -ENOMEM;
                 *fplp = fpl;
                 fpl->count = 0;
+                fpl->max = SCM_MAX_FD;
         }
         fpp = &fpl->fp[fpl->count];
 
-        if (fpl->count + num > SCM_MAX_FD)
+        if (fpl->count + num > fpl->max)
                 return -EINVAL;
 
         /*
@@ -331,11 +332,12 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl)
         if (!fpl)
                 return NULL;
 
-        new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
+        new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]),
+                          GFP_KERNEL);
         if (new_fpl) {
-                for (i=fpl->count-1; i>=0; i--)
+                for (i = 0; i < fpl->count; i++)
                         get_file(fpl->fp[i]);
-                memcpy(new_fpl, fpl, sizeof(*fpl));
+                new_fpl->max = new_fpl->count;
         }
         return new_fpl;
 }