Re: [PATCH] fuse: convert page array allocation to kcalloc()

Next message: Andy Shevchenko: "Re: [PATCH v2 1/2] software node: fix refcount leak in software_node_get_next_child()"
Previous message: Pablo Neira Ayuso: "Re: [PATCH nf] netfilter: nf_conntrack: destroy stale expectfn expectations on unregister"
In reply to: William Theesfeld: "[PATCH] fuse: convert page array allocation to kcalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Miklos Szeredi

Date: Wed Jun 03 2026 - 05:47:52 EST

On Mon, 1 Jun 2026 at 21:29, William Theesfeld <william@xxxxxxxxxxxxx> wrote:
>
> fuse_get_user_pages() allocates the temporary pages[] array used by
> iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
> ...) form. max_pages is derived from the inbound iov_iter and is not
> bounded at compile time, so the multiplication can overflow on
> sufficiently large iter counts; the resulting too-small allocation
> would then be written past by iov_iter_extract_pages().
>
> Switch to kcalloc(), which carries the same zero-on-allocation
> semantics and adds the standard size_mul overflow check. No
> functional change for non-overflow inputs.
>
> Signed-off-by: William Theesfeld <william@xxxxxxxxxxxxx>

Applied, thanks.

Miklos