--- zzzz-none-000/linux-3.10.107/drivers/misc/vmw_vmci/vmci_host.c 2017-06-27 09:49:32.000000000 +0000 +++ scorpion-7490-727/linux-3.10.107/drivers/misc/vmw_vmci/vmci_host.c 2021-02-04 17:41:59.000000000 +0000 @@ -218,13 +218,12 @@ } /* - * Sets up a given context for notify to work. Calls drv_map_bool_ptr() - * which maps the notify boolean in user VA in kernel space. + * Sets up a given context for notify to work. Maps the notify + * boolean in user VA into kernel space. */ static int vmci_host_setup_notify(struct vmci_ctx *context, unsigned long uva) { - struct page *page; int retval; if (context->notify_page) { @@ -243,18 +242,16 @@ /* * Lock physical page backing a given user VA. */ - down_read(¤t->mm->mmap_sem); - retval = get_user_pages(current, current->mm, - PAGE_ALIGN(uva), - 1, 1, 0, &page, NULL); - up_read(¤t->mm->mmap_sem); - if (retval != 1) + retval = get_user_pages_fast(uva, 1, 1, &context->notify_page); + if (retval != 1) { + context->notify_page = NULL; return VMCI_ERROR_GENERIC; + } /* * Map the locked page and set up notify pointer. */ - context->notify = kmap(page) + (uva & (PAGE_SIZE - 1)); + context->notify = kmap(context->notify_page) + (uva & (PAGE_SIZE - 1)); vmci_ctx_check_signal_notify(context); return VMCI_SUCCESS; @@ -398,6 +395,12 @@ return -EFAULT; } + if (VMCI_DG_SIZE(dg) != send_info.len) { + vmci_ioctl_err("datagram size mismatch\n"); + kfree(dg); + return -EINVAL; + } + pr_devel("Datagram dst (handle=0x%x:0x%x) src (handle=0x%x:0x%x), payload (size=%llu bytes)\n", dg->dst.context, dg->dst.resource, dg->src.context, dg->src.resource, @@ -1028,14 +1031,9 @@ void __exit vmci_host_exit(void) { - int error; - vmci_host_device_initialized = false; - error = misc_deregister(&vmci_host_miscdev); - if (error) - pr_warn("Error unregistering character device: %d\n", error); - + misc_deregister(&vmci_host_miscdev); vmci_ctx_destroy(host_context); vmci_qp_broker_exit();