mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status()

[sagit-ice-cold/kernel_xiaomi_msm8998.git] / ipc / mqueue.c

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 161a180..2a39784 100644 (file)
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -371,9 +371,9 @@ static void mqueue_evict_inode(struct inode *inode)
 {
        struct mqueue_inode_info *info;
        struct user_struct *user;
-       unsigned long mq_bytes, mq_treesize;
        struct ipc_namespace *ipc_ns;
-       struct msg_msg *msg;
+       struct msg_msg *msg, *nmsg;
+       LIST_HEAD(tmp_msg);
 
        clear_inode(inode);
 
@@ -384,20 +384,27 @@ static void mqueue_evict_inode(struct inode *inode)
        info = MQUEUE_I(inode);
        spin_lock(&info->lock);
        while ((msg = msg_get(info)) != NULL)
-               free_msg(msg);
+               list_add_tail(&msg->m_list, &tmp_msg);
        kfree(info->node_cache);
        spin_unlock(&info->lock);
 
-       /* Total amount of bytes accounted for the mqueue */
-       mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
-               min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
-               sizeof(struct posix_msg_tree_node);
-
-       mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
-                                 info->attr.mq_msgsize);
+       list_for_each_entry_safe(msg, nmsg, &tmp_msg, m_list) {
+               list_del(&msg->m_list);
+               free_msg(msg);
+       }
 
        user = info->user;
        if (user) {
+               unsigned long mq_bytes, mq_treesize;
+
+               /* Total amount of bytes accounted for the mqueue */
+               mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
+                       min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
+                       sizeof(struct posix_msg_tree_node);
+
+               mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
+                                         info->attr.mq_msgsize);
+
                spin_lock(&mq_lock);
                user->mq_bytes -= mq_bytes;
                /*
@@ -1251,8 +1258,10 @@ retry:
 
                        timeo = MAX_SCHEDULE_TIMEOUT;
                        ret = netlink_attachskb(sock, nc, &timeo, NULL);
-                       if (ret == 1)
+                       if (ret == 1) {
+                               sock = NULL;
                                goto retry;
+                       }
                        if (ret) {
                                sock = NULL;
                                nc = NULL;