kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE

chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() of chan->n_subbufs * sizeof(size_t *). kmalloc_slab() will generate a warning when this fails if chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. Limit chan->n_subbufs to the maximum allowed kmalloc() size. Link: http://lkml.kernel.org/r/[email protected] Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") Signed-off-by: David Rientjes <[email protected]> Reviewed-by: Andrew Morton <[email protected]> Cc: Jens Axboe <[email protected]> Cc: Dave Jiang <[email protected]> Cc: Al Viro <[email protected]> Cc: Dan Carpenter <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
author: David Rientjes <[email protected]> 2018-02-21 14:45:32 -0800
committer: Linus Torvalds <[email protected]> 2018-02-21 15:35:43 -0800
commit: 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e (patch)
tree: 7e7f3c91c5fcf133cef4071edb2d887d649844e8
parent: 9c4e6b1a7027f102990c0395296015a812525f4d (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/relay.c b/kernel/relay.c
index c3029402f15c..c955b10c973c 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
 {
 	struct rchan_buf *buf;
 
-	if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
 		return NULL;
 
 	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
author	David Rientjes <[email protected]>	2018-02-21 14:45:32 -0800
committer	Linus Torvalds <[email protected]>	2018-02-21 15:35:43 -0800
commit	88913bd8ea2a75d7e460a4bed5f75e1c32660d7e (patch)
tree	7e7f3c91c5fcf133cef4071edb2d887d649844e8
parent	9c4e6b1a7027f102990c0395296015a812525f4d (diff)