From: David Howells The attached patch makes the keyring functions calculate the new size of a keyring's payload based on the size of pointer to the key struct, not the size of the key struct itself. Signed-Off-By: David Howells Signed-off-by: Andrew Morton --- security/keys/keyring.c | 15 ++++++++------- 1 files changed, 8 insertions(+), 7 deletions(-) diff -puN security/keys/keyring.c~keys-base-keyring-size-on-key-pointer-not-key-struct security/keys/keyring.c --- 25/security/keys/keyring.c~keys-base-keyring-size-on-key-pointer-not-key-struct Wed Jul 6 13:30:00 2005 +++ 25-akpm/security/keys/keyring.c Wed Jul 6 13:30:00 2005 @@ -129,7 +129,7 @@ static int keyring_duplicate(struct key int loop, ret; const unsigned limit = - (PAGE_SIZE - sizeof(*klist)) / sizeof(struct key); + (PAGE_SIZE - sizeof(*klist)) / sizeof(struct key *); ret = 0; @@ -150,7 +150,7 @@ static int keyring_duplicate(struct key max = limit; ret = -ENOMEM; - size = sizeof(*klist) + sizeof(struct key) * max; + size = sizeof(*klist) + sizeof(struct key *) * max; klist = kmalloc(size, GFP_KERNEL); if (!klist) goto error; @@ -163,7 +163,7 @@ static int keyring_duplicate(struct key klist->nkeys = sklist->nkeys; memcpy(klist->keys, sklist->keys, - sklist->nkeys * sizeof(struct key)); + sklist->nkeys * sizeof(struct key *)); for (loop = klist->nkeys - 1; loop >= 0; loop--) atomic_inc(&klist->keys[loop]->usage); @@ -783,7 +783,7 @@ int __key_link(struct key *keyring, stru ret = -ENFILE; if (max > 65535) goto error3; - size = sizeof(*klist) + sizeof(*key) * max; + size = sizeof(*klist) + sizeof(struct key *) * max; if (size > PAGE_SIZE) goto error3; @@ -895,7 +895,8 @@ int key_unlink(struct key *keyring, stru key_is_present: /* we need to copy the key list for RCU purposes */ - nklist = kmalloc(sizeof(*klist) + sizeof(*key) * klist->maxkeys, + nklist = kmalloc(sizeof(*klist) + + sizeof(struct key *) * klist->maxkeys, GFP_KERNEL); if (!nklist) goto nomem; @@ -905,12 +906,12 @@ key_is_present: if (loop > 0) memcpy(&nklist->keys[0], &klist->keys[0], - loop * sizeof(klist->keys[0])); + loop * sizeof(struct key *)); if (loop < nklist->nkeys) memcpy(&nklist->keys[loop], &klist->keys[loop + 1], - (nklist->nkeys - loop) * sizeof(klist->keys[0])); + (nklist->nkeys - loop) * sizeof(struct key *)); /* adjust the user's quota */ key_payload_reserve(keyring, _