Merge tag 'overflow-v4.18-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull more overflow updates from Kees Cook:
"The rest of the overflow changes for v4.18-rc1.
This includes the explicit overflow fixes from Silvio, further
struct_size() conversions from Matthew, and a bug fix from Dan.
But the bulk of it is the treewide conversions to use either the
2-factor argument allocators (e.g. kmalloc(a * b, ...) into
kmalloc_array(a, b, ...) or the array_size() macros (e.g. vmalloc(a *
b) into vmalloc(array_size(a, b)).
Coccinelle was fighting me on several fronts, so I've done a bunch of
manual whitespace updates in the patches as well.
Summary:
- Error path bug fix for overflow tests (Dan)
- Additional struct_size() conversions (Matthew, Kees)
- Explicitly reported overflow fixes (Silvio, Kees)
- Add missing kvcalloc() function (Kees)
- Treewide conversions of allocators to use either 2-factor argument
variant when available, or array_size() and array3_size() as needed
(Kees)"
* tag 'overflow-v4.18-rc1-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: (26 commits)
treewide: Use array_size in f2fs_kvzalloc()
treewide: Use array_size() in f2fs_kzalloc()
treewide: Use array_size() in f2fs_kmalloc()
treewide: Use array_size() in sock_kmalloc()
treewide: Use array_size() in kvzalloc_node()
treewide: Use array_size() in vzalloc_node()
treewide: Use array_size() in vzalloc()
treewide: Use array_size() in vmalloc()
treewide: devm_kzalloc() -> devm_kcalloc()
treewide: devm_kmalloc() -> devm_kmalloc_array()
treewide: kvzalloc() -> kvcalloc()
treewide: kvmalloc() -> kvmalloc_array()
treewide: kzalloc_node() -> kcalloc_node()
treewide: kzalloc() -> kcalloc()
treewide: kmalloc() -> kmalloc_array()
mm: Introduce kvcalloc()
video: uvesafb: Fix integer overflow in allocation
UBIFS: Fix potential integer overflow in allocation
leds: Use struct_size() in allocation
Convert intel uncore to struct_size
...
This commit is contained in:
Linus Torvalds
@@ -69,7 +69,7 @@ char **argv_split(gfp_t gfp, const char *str, int *argcp)
|
||||
return NULL;
|
||||
|
||||
argc = count_argc(argv_str);
|
||||
argv = kmalloc(sizeof(*argv) * (argc + 2), gfp);
|
||||
argv = kmalloc_array(argc + 2, sizeof(*argv), gfp);
|
||||
if (!argv) {
|
||||
kfree(argv_str);
|
||||
return NULL;
|
||||
|
||||
@@ -64,11 +64,12 @@ static int interval_tree_test_init(void)
|
||||
unsigned long results;
|
||||
cycles_t time1, time2, time;
|
||||
|
||||
nodes = kmalloc(nnodes * sizeof(struct interval_tree_node), GFP_KERNEL);
|
||||
nodes = kmalloc_array(nnodes, sizeof(struct interval_tree_node),
|
||||
GFP_KERNEL);
|
||||
if (!nodes)
|
||||
return -ENOMEM;
|
||||
|
||||
queries = kmalloc(nsearches * sizeof(int), GFP_KERNEL);
|
||||
queries = kmalloc_array(nsearches, sizeof(int), GFP_KERNEL);
|
||||
if (!queries) {
|
||||
kfree(nodes);
|
||||
return -ENOMEM;
|
||||
|
||||
@@ -54,7 +54,7 @@ int __kfifo_alloc(struct __kfifo *fifo, unsigned int size,
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
fifo->data = kmalloc(size * esize, gfp_mask);
|
||||
fifo->data = kmalloc_array(esize, size, gfp_mask);
|
||||
|
||||
if (!fifo->data) {
|
||||
fifo->mask = 0;
|
||||
|
||||
@@ -119,7 +119,7 @@ struct lru_cache *lc_create(const char *name, struct kmem_cache *cache,
|
||||
slot = kcalloc(e_count, sizeof(struct hlist_head), GFP_KERNEL);
|
||||
if (!slot)
|
||||
goto out_fail;
|
||||
element = kzalloc(e_count * sizeof(struct lc_element *), GFP_KERNEL);
|
||||
element = kcalloc(e_count, sizeof(struct lc_element *), GFP_KERNEL);
|
||||
if (!element)
|
||||
goto out_fail;
|
||||
|
||||
|
||||
@@ -91,14 +91,14 @@ int mpi_resize(MPI a, unsigned nlimbs)
|
||||
return 0; /* no need to do it */
|
||||
|
||||
if (a->d) {
|
||||
p = kmalloc(nlimbs * sizeof(mpi_limb_t), GFP_KERNEL);
|
||||
p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
|
||||
if (!p)
|
||||
return -ENOMEM;
|
||||
memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t));
|
||||
kzfree(a->d);
|
||||
a->d = p;
|
||||
} else {
|
||||
a->d = kzalloc(nlimbs * sizeof(mpi_limb_t), GFP_KERNEL);
|
||||
a->d = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
|
||||
if (!a->d)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
@@ -247,7 +247,7 @@ static int __init rbtree_test_init(void)
|
||||
cycles_t time1, time2, time;
|
||||
struct rb_node *node;
|
||||
|
||||
nodes = kmalloc(nnodes * sizeof(*nodes), GFP_KERNEL);
|
||||
nodes = kmalloc_array(nnodes, sizeof(*nodes), GFP_KERNEL);
|
||||
if (!nodes)
|
||||
return -ENOMEM;
|
||||
|
||||
|
||||
@@ -88,15 +88,15 @@ static struct rs_codec *codec_init(int symsize, int gfpoly, int (*gffunc)(int),
|
||||
rs->gffunc = gffunc;
|
||||
|
||||
/* Allocate the arrays */
|
||||
rs->alpha_to = kmalloc(sizeof(uint16_t) * (rs->nn + 1), gfp);
|
||||
rs->alpha_to = kmalloc_array(rs->nn + 1, sizeof(uint16_t), gfp);
|
||||
if (rs->alpha_to == NULL)
|
||||
goto err;
|
||||
|
||||
rs->index_of = kmalloc(sizeof(uint16_t) * (rs->nn + 1), gfp);
|
||||
rs->index_of = kmalloc_array(rs->nn + 1, sizeof(uint16_t), gfp);
|
||||
if (rs->index_of == NULL)
|
||||
goto err;
|
||||
|
||||
rs->genpoly = kmalloc(sizeof(uint16_t) * (rs->nroots + 1), gfp);
|
||||
rs->genpoly = kmalloc_array(rs->nroots + 1, sizeof(uint16_t), gfp);
|
||||
if(rs->genpoly == NULL)
|
||||
goto err;
|
||||
|
||||
|
||||
@@ -52,7 +52,7 @@ int sbitmap_init_node(struct sbitmap *sb, unsigned int depth, int shift,
|
||||
return 0;
|
||||
}
|
||||
|
||||
sb->map = kzalloc_node(sb->map_nr * sizeof(*sb->map), flags, node);
|
||||
sb->map = kcalloc_node(sb->map_nr, sizeof(*sb->map), flags, node);
|
||||
if (!sb->map)
|
||||
return -ENOMEM;
|
||||
|
||||
|
||||
@@ -170,7 +170,8 @@ static struct scatterlist *sg_kmalloc(unsigned int nents, gfp_t gfp_mask)
|
||||
kmemleak_alloc(ptr, PAGE_SIZE, 1, gfp_mask);
|
||||
return ptr;
|
||||
} else
|
||||
return kmalloc(nents * sizeof(struct scatterlist), gfp_mask);
|
||||
return kmalloc_array(nents, sizeof(struct scatterlist),
|
||||
gfp_mask);
|
||||
}
|
||||
|
||||
static void sg_kfree(struct scatterlist *sg, unsigned int nents)
|
||||
|
||||
@@ -618,8 +618,9 @@ static ssize_t trigger_batched_requests_store(struct device *dev,
|
||||
|
||||
mutex_lock(&test_fw_mutex);
|
||||
|
||||
test_fw_config->reqs = vzalloc(sizeof(struct test_batched_req) *
|
||||
test_fw_config->num_requests * 2);
|
||||
test_fw_config->reqs =
|
||||
vzalloc(array3_size(sizeof(struct test_batched_req),
|
||||
test_fw_config->num_requests, 2));
|
||||
if (!test_fw_config->reqs) {
|
||||
rc = -ENOMEM;
|
||||
goto out_unlock;
|
||||
@@ -720,8 +721,9 @@ ssize_t trigger_batched_requests_async_store(struct device *dev,
|
||||
|
||||
mutex_lock(&test_fw_mutex);
|
||||
|
||||
test_fw_config->reqs = vzalloc(sizeof(struct test_batched_req) *
|
||||
test_fw_config->num_requests * 2);
|
||||
test_fw_config->reqs =
|
||||
vzalloc(array3_size(sizeof(struct test_batched_req),
|
||||
test_fw_config->num_requests, 2));
|
||||
if (!test_fw_config->reqs) {
|
||||
rc = -ENOMEM;
|
||||
goto out;
|
||||
|
||||
@@ -779,8 +779,9 @@ static int kmod_config_sync_info(struct kmod_test_device *test_dev)
|
||||
struct test_config *config = &test_dev->config;
|
||||
|
||||
free_test_dev_info(test_dev);
|
||||
test_dev->info = vzalloc(config->num_threads *
|
||||
sizeof(struct kmod_test_device_info));
|
||||
test_dev->info =
|
||||
vzalloc(array_size(sizeof(struct kmod_test_device_info),
|
||||
config->num_threads));
|
||||
if (!test_dev->info)
|
||||
return -ENOMEM;
|
||||
|
||||
|
||||
@@ -367,7 +367,7 @@ static int __init test_overflow_allocation(void)
|
||||
|
||||
/* Create dummy device for devm_kmalloc()-family tests. */
|
||||
dev = root_device_register(device_name);
|
||||
if (!dev) {
|
||||
if (IS_ERR(dev)) {
|
||||
pr_warn("Cannot register test device\n");
|
||||
return 1;
|
||||
}
|
||||
|
||||
@@ -285,12 +285,14 @@ static int __init test_rhltable(unsigned int entries)
|
||||
if (entries == 0)
|
||||
entries = 1;
|
||||
|
||||
rhl_test_objects = vzalloc(sizeof(*rhl_test_objects) * entries);
|
||||
rhl_test_objects = vzalloc(array_size(entries,
|
||||
sizeof(*rhl_test_objects)));
|
||||
if (!rhl_test_objects)
|
||||
return -ENOMEM;
|
||||
|
||||
ret = -ENOMEM;
|
||||
obj_in_table = vzalloc(BITS_TO_LONGS(entries) * sizeof(unsigned long));
|
||||
obj_in_table = vzalloc(array_size(sizeof(unsigned long),
|
||||
BITS_TO_LONGS(entries)));
|
||||
if (!obj_in_table)
|
||||
goto out_free;
|
||||
|
||||
@@ -706,7 +708,8 @@ static int __init test_rht_init(void)
|
||||
test_rht_params.max_size = max_size ? : roundup_pow_of_two(entries);
|
||||
test_rht_params.nelem_hint = size;
|
||||
|
||||
objs = vzalloc((test_rht_params.max_size + 1) * sizeof(struct test_obj));
|
||||
objs = vzalloc(array_size(sizeof(struct test_obj),
|
||||
test_rht_params.max_size + 1));
|
||||
if (!objs)
|
||||
return -ENOMEM;
|
||||
|
||||
@@ -753,10 +756,10 @@ static int __init test_rht_init(void)
|
||||
pr_info("Testing concurrent rhashtable access from %d threads\n",
|
||||
tcount);
|
||||
sema_init(&prestart_sem, 1 - tcount);
|
||||
tdata = vzalloc(tcount * sizeof(struct thread_data));
|
||||
tdata = vzalloc(array_size(tcount, sizeof(struct thread_data)));
|
||||
if (!tdata)
|
||||
return -ENOMEM;
|
||||
objs = vzalloc(tcount * entries * sizeof(struct test_obj));
|
||||
objs = vzalloc(array3_size(sizeof(struct test_obj), tcount, entries));
|
||||
if (!objs) {
|
||||
vfree(tdata);
|
||||
return -ENOMEM;
|
||||
|
||||
Reference in New Issue
Block a user