| author | William Theesfeld <william@theesfeld.net> | 2026-06-01 22:29:34 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2026-06-15 15:06:19 +0300 |
| commit | 03728af4aeef6ee9914f93d60936db351e106863 (patch) | |
| tree | 83b37a89ef71e98a69ad0dc5ffc19750732163dc | |
| parent | c51248524a0f546b9a9b44710038f5663688ed10 (diff) | |
| download | linux-03728af4aeef6ee9914f93d60936db351e106863.tar.xz | |

fuse: convert page array allocation to kcalloc()

fuse_get_user_pages() allocates the temporary pages[] array used by
iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
...) form. max_pages is derived from the inbound iov_iter and is not
bounded at compile time, so the multiplication can overflow on
sufficiently large iter counts; the resulting too-small allocation
would then be written past by iov_iter_extract_pages().

Switch to kcalloc(), which carries the same zero-on-allocation
semantics and adds the standard size_mul overflow check. No
functional change for non-overflow inputs.

Signed-off-by: William Theesfeld <william@theesfeld.net>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

| -rw-r--r-- | fs/fuse/file.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index e8833e2a6610..cbd02fa3cb74 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1590,7 +1590,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii, * manually extract pages using iov_iter_extract_pages() and then * copy that to a folios array. */ - struct page **pages = kzalloc(max_pages * sizeof(struct page *), + struct page **pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL); if (!pages) { ret = -ENOMEM; |
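
Review bot: In the kcalloc() line the element size is still spelled sizeof(struct page *); sizeof(*pages) would tie it to the variable being allocated, which is the form the kernel coding style prefers and the form the commit message itself cites. With kcalloc() an overflowing count now yields NULL and falls into the existing if (!pages) branch, so the caller gets -ENOMEM for what is really an oversized request; that is acceptable, but since the hunk does not show the type of max_pages or how it is bounded before this point, the changelog should say whether the overflow is reachable in practice or whether this is hardening only.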
