xenbus: don't free other end details too early

[platform/adaptation/renesas_rcar/renesas_kernel.git] / drivers / xen / xenbus / xenbus_xs.c

diff --git a/drivers/xen/xenbus/xenbus_xs.c b/drivers/xen/xenbus/xenbus_xs.c
index ede860f..d1c217b 100644 (file)
--- a/drivers/xen/xenbus/xenbus_xs.c
+++ b/drivers/xen/xenbus/xenbus_xs.c
@@ -532,21 +532,18 @@ int xenbus_printf(struct xenbus_transaction t,
 {
        va_list ap;
        int ret;
-#define PRINTF_BUFFER_SIZE 4096
-       char *printf_buffer;
-
-       printf_buffer = kmalloc(PRINTF_BUFFER_SIZE, GFP_NOIO | __GFP_HIGH);
-       if (printf_buffer == NULL)
-               return -ENOMEM;
+       char *buf;
 
        va_start(ap, fmt);
-       ret = vsnprintf(printf_buffer, PRINTF_BUFFER_SIZE, fmt, ap);
+       buf = kvasprintf(GFP_NOIO | __GFP_HIGH, fmt, ap);
        va_end(ap);
 
-       BUG_ON(ret > PRINTF_BUFFER_SIZE-1);
-       ret = xenbus_write(t, dir, node, printf_buffer);
+       if (!buf)
+               return -ENOMEM;
+
+       ret = xenbus_write(t, dir, node, buf);
 
-       kfree(printf_buffer);
+       kfree(buf);
 
        return ret;
 }
@@ -801,6 +798,12 @@ static int process_msg(void)
                goto out;
        }
 
+       if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
+               kfree(msg);
+               err = -EINVAL;
+               goto out;
+       }
+
        body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
        if (body == NULL) {
                kfree(msg);