vhost_net: validate sock before trying to put its fd

[linux.git] / drivers / vhost / net.c

diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c
index e7cf7d21cfb5e4e137829123597eb8ff3af6391f..29756d88799b630f2c73ca097b56b092a14a7d5a 100644 (file)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -274,8 +274,10 @@ static int vhost_net_set_ubuf_info(struct vhost_net *n)
                zcopy = vhost_net_zcopy_mask & (0x1 << i);
                if (!zcopy)
                        continue;
-               n->vqs[i].ubuf_info = kmalloc(sizeof(*n->vqs[i].ubuf_info) *
-                                             UIO_MAXIOV, GFP_KERNEL);
+               n->vqs[i].ubuf_info =
+                       kmalloc_array(UIO_MAXIOV,
+                                     sizeof(*n->vqs[i].ubuf_info),
+                                     GFP_KERNEL);
                if  (!n->vqs[i].ubuf_info)
                        goto err;
        }
@@ -943,7 +945,7 @@ static int vhost_net_open(struct inode *inode, struct file *f)
        n = kvmalloc(sizeof *n, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
        if (!n)
                return -ENOMEM;
-       vqs = kmalloc(VHOST_NET_VQ_MAX * sizeof(*vqs), GFP_KERNEL);
+       vqs = kmalloc_array(VHOST_NET_VQ_MAX, sizeof(*vqs), GFP_KERNEL);
        if (!vqs) {
                kvfree(n);
                return -ENOMEM;
@@ -1224,7 +1226,8 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd)
        if (ubufs)
                vhost_net_ubuf_put_wait_and_free(ubufs);
 err_ubufs:
-       sockfd_put(sock);
+       if (sock)
+               sockfd_put(sock);
 err_vq:
        mutex_unlock(&vq->mutex);
 err: