[PATCH] perf/core: use strndup_user() instead of buggy open-coded version

From: Jann Horn
Date: Mon Feb 18 2019 - 17:07:35 EST


The first version of this method was missing the check for
`ret == PATH_MAX`; then such a check was added, but it didn't call kfree()
on error, so there was still a small memory leak in the error case.
Fix it by using strndup_user() instead of open-coding it.

Fixes: 0eadcc7a7bc0 ("perf/core: Fix perf_uprobe_init()")
Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
---
compile-tested only

kernel/trace/trace_event_perf.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/kernel/trace/trace_event_perf.c b/kernel/trace/trace_event_perf.c
index 76217bbef815..c744b02081c3 100644
--- a/kernel/trace/trace_event_perf.c
+++ b/kernel/trace/trace_event_perf.c
@@ -299,15 +299,11 @@ int perf_uprobe_init(struct perf_event *p_event,

if (!p_event->attr.uprobe_path)
return -EINVAL;
- path = kzalloc(PATH_MAX, GFP_KERNEL);
- if (!path)
- return -ENOMEM;
- ret = strncpy_from_user(
- path, u64_to_user_ptr(p_event->attr.uprobe_path), PATH_MAX);
- if (ret == PATH_MAX)
- return -E2BIG;
- if (ret < 0)
- goto out;
+
+ path = strndup_user(u64_to_user_ptr(p_event->attr.uprobe_path),
+ PATH_MAX);
+ if (IS_ERR(path))
+ return PTR_ERR(path);
if (path[0] == '\0') {
ret = -EINVAL;
goto out;
--
2.21.0.rc0.258.g878e2cd30e-goog