* [PATCH 0/2] mtdchar_write_ioctl(): prevent integer overflow, use kvmalloc() @ 2022-05-16 7:05 ` Michał Kępień 0 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:05 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel This patch series addresses two flaws in mtdchar_write_ioctl() found by Richard Weinberger while he was reviewing v3 of the patch series proposing a new MEMREAD ioctl [1]. Richard, I included a Suggested-by tag crediting you in both of the patches in this series. I hope that is okay with you, but please let me know if it isn't. Once this patch series is reviewed and accepted, I will apply similar fixes in v4 of the MEMREAD ioctl patch series. [1] https://lists.infradead.org/pipermail/linux-mtd/2022-February/091276.html Michał Kępień (2): mtdchar: prevent integer overflow in a safety check mtdchar: use kvmalloc() for potentially large allocations drivers/mtd/mtdchar.c | 13 ++++++++----- include/uapi/mtd/mtd-abi.h | 4 ++-- 2 files changed, 10 insertions(+), 7 deletions(-) -- 2.36.1 ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 0/2] mtdchar_write_ioctl(): prevent integer overflow, use kvmalloc() @ 2022-05-16 7:05 ` Michał Kępień 0 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:05 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel This patch series addresses two flaws in mtdchar_write_ioctl() found by Richard Weinberger while he was reviewing v3 of the patch series proposing a new MEMREAD ioctl [1]. Richard, I included a Suggested-by tag crediting you in both of the patches in this series. I hope that is okay with you, but please let me know if it isn't. Once this patch series is reviewed and accepted, I will apply similar fixes in v4 of the MEMREAD ioctl patch series. [1] https://lists.infradead.org/pipermail/linux-mtd/2022-February/091276.html Michał Kępień (2): mtdchar: prevent integer overflow in a safety check mtdchar: use kvmalloc() for potentially large allocations drivers/mtd/mtdchar.c | 13 ++++++++----- include/uapi/mtd/mtd-abi.h | 4 ++-- 2 files changed, 10 insertions(+), 7 deletions(-) -- 2.36.1 ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 1/2] mtdchar: prevent integer overflow in a safety check 2022-05-16 7:05 ` Michał Kępień @ 2022-05-16 7:06 ` Michał Kępień -1 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:06 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") added a safety check to mtdchar_write_ioctl() which attempts to ensure that the write request sent by user space does not extend beyond the MTD device's size. However, that check contains an addition of two struct mtd_write_req fields, 'start' and 'len', both of which are u64 variables. The result of that addition can overflow, allowing the safety check to be bypassed. The arguably simplest fix - changing the data types of the relevant struct mtd_write_req fields - is not feasible as it would break user space. Fix by making mtdchar_write_ioctl() truncate the value provided by user space in the 'len' field of struct mtd_write_req, so that only the lower 32 bits of that field are used, preventing the overflow. While the 'ooblen' field of struct mtd_write_req is not currently used in any similarly flawed safety check, also truncate it to 32 bits, for consistency with the 'len' field and with other MTD routines handling OOB data. Update include/uapi/mtd/mtd-abi.h accordingly. Suggested-by: Richard Weinberger <richard@nod.at> Signed-off-by: Michał Kępień <kernel@kempniu.pl> --- drivers/mtd/mtdchar.c | 3 +++ include/uapi/mtd/mtd-abi.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index d0f9c4b0285c..b2700f8467ff 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, if (!usr_oob) req.ooblen = 0; + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + if (req.start + req.len > mtd->size) return -EINVAL; diff --git a/include/uapi/mtd/mtd-abi.h b/include/uapi/mtd/mtd-abi.h index b869990c2db2..890d9e5b76d7 100644 --- a/include/uapi/mtd/mtd-abi.h +++ b/include/uapi/mtd/mtd-abi.h @@ -69,8 +69,8 @@ enum { * struct mtd_write_req - data structure for requesting a write operation * * @start: start address - * @len: length of data buffer - * @ooblen: length of OOB buffer + * @len: length of data buffer (only lower 32 bits are used) + * @ooblen: length of OOB buffer (only lower 32 bits are used) * @usr_data: user-provided data buffer * @usr_oob: user-provided OOB buffer * @mode: MTD mode (see "MTD operation modes") -- 2.36.1 ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 1/2] mtdchar: prevent integer overflow in a safety check @ 2022-05-16 7:06 ` Michał Kępień 0 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:06 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE ioctl") added a safety check to mtdchar_write_ioctl() which attempts to ensure that the write request sent by user space does not extend beyond the MTD device's size. However, that check contains an addition of two struct mtd_write_req fields, 'start' and 'len', both of which are u64 variables. The result of that addition can overflow, allowing the safety check to be bypassed. The arguably simplest fix - changing the data types of the relevant struct mtd_write_req fields - is not feasible as it would break user space. Fix by making mtdchar_write_ioctl() truncate the value provided by user space in the 'len' field of struct mtd_write_req, so that only the lower 32 bits of that field are used, preventing the overflow. While the 'ooblen' field of struct mtd_write_req is not currently used in any similarly flawed safety check, also truncate it to 32 bits, for consistency with the 'len' field and with other MTD routines handling OOB data. Update include/uapi/mtd/mtd-abi.h accordingly. Suggested-by: Richard Weinberger <richard@nod.at> Signed-off-by: Michał Kępień <kernel@kempniu.pl> --- drivers/mtd/mtdchar.c | 3 +++ include/uapi/mtd/mtd-abi.h | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index d0f9c4b0285c..b2700f8467ff 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, if (!usr_oob) req.ooblen = 0; + req.len &= 0xffffffff; + req.ooblen &= 0xffffffff; + if (req.start + req.len > mtd->size) return -EINVAL; diff --git a/include/uapi/mtd/mtd-abi.h b/include/uapi/mtd/mtd-abi.h index b869990c2db2..890d9e5b76d7 100644 --- a/include/uapi/mtd/mtd-abi.h +++ b/include/uapi/mtd/mtd-abi.h @@ -69,8 +69,8 @@ enum { * struct mtd_write_req - data structure for requesting a write operation * * @start: start address - * @len: length of data buffer - * @ooblen: length of OOB buffer + * @len: length of data buffer (only lower 32 bits are used) + * @ooblen: length of OOB buffer (only lower 32 bits are used) * @usr_data: user-provided data buffer * @usr_oob: user-provided OOB buffer * @mode: MTD mode (see "MTD operation modes") -- 2.36.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check 2022-05-16 7:06 ` Michał Kępień @ 2022-06-07 20:23 ` Richard Weinberger -1 siblings, 0 replies; 14+ messages in thread From: Richard Weinberger @ 2022-06-07 20:23 UTC (permalink / raw) To: Michał Kępień Cc: Miquel Raynal, Vignesh Raghavendra, linux-mtd, linux-kernel ----- Ursprüngliche Mail ----- > Von: "Michał Kępień" <kernel@kempniu.pl> > An: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com> > CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org> > Gesendet: Montag, 16. Mai 2022 09:06:00 > Betreff: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check > Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE > ioctl") added a safety check to mtdchar_write_ioctl() which attempts to > ensure that the write request sent by user space does not extend beyond > the MTD device's size. However, that check contains an addition of two > struct mtd_write_req fields, 'start' and 'len', both of which are u64 > variables. The result of that addition can overflow, allowing the > safety check to be bypassed. > > The arguably simplest fix - changing the data types of the relevant > struct mtd_write_req fields - is not feasible as it would break user > space. > > Fix by making mtdchar_write_ioctl() truncate the value provided by user > space in the 'len' field of struct mtd_write_req, so that only the lower > 32 bits of that field are used, preventing the overflow. > > While the 'ooblen' field of struct mtd_write_req is not currently used > in any similarly flawed safety check, also truncate it to 32 bits, for > consistency with the 'len' field and with other MTD routines handling > OOB data. > > Update include/uapi/mtd/mtd-abi.h accordingly. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> > --- > drivers/mtd/mtdchar.c | 3 +++ > include/uapi/mtd/mtd-abi.h | 4 ++-- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > index d0f9c4b0285c..b2700f8467ff 100644 > --- a/drivers/mtd/mtdchar.c > +++ b/drivers/mtd/mtdchar.c > @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, > if (!usr_oob) > req.ooblen = 0; > > + req.len &= 0xffffffff; > + req.ooblen &= 0xffffffff; > + Yeah, I think it is reasonable to limit write requests to 4GiB. Thanks, //richard ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check @ 2022-06-07 20:23 ` Richard Weinberger 0 siblings, 0 replies; 14+ messages in thread From: Richard Weinberger @ 2022-06-07 20:23 UTC (permalink / raw) To: Michał Kępień Cc: Miquel Raynal, Vignesh Raghavendra, linux-mtd, linux-kernel ----- Ursprüngliche Mail ----- > Von: "Michał Kępień" <kernel@kempniu.pl> > An: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com> > CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org> > Gesendet: Montag, 16. Mai 2022 09:06:00 > Betreff: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check > Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE > ioctl") added a safety check to mtdchar_write_ioctl() which attempts to > ensure that the write request sent by user space does not extend beyond > the MTD device's size. However, that check contains an addition of two > struct mtd_write_req fields, 'start' and 'len', both of which are u64 > variables. The result of that addition can overflow, allowing the > safety check to be bypassed. > > The arguably simplest fix - changing the data types of the relevant > struct mtd_write_req fields - is not feasible as it would break user > space. > > Fix by making mtdchar_write_ioctl() truncate the value provided by user > space in the 'len' field of struct mtd_write_req, so that only the lower > 32 bits of that field are used, preventing the overflow. > > While the 'ooblen' field of struct mtd_write_req is not currently used > in any similarly flawed safety check, also truncate it to 32 bits, for > consistency with the 'len' field and with other MTD routines handling > OOB data. > > Update include/uapi/mtd/mtd-abi.h accordingly. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> > --- > drivers/mtd/mtdchar.c | 3 +++ > include/uapi/mtd/mtd-abi.h | 4 ++-- > 2 files changed, 5 insertions(+), 2 deletions(-) > > diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c > index d0f9c4b0285c..b2700f8467ff 100644 > --- a/drivers/mtd/mtdchar.c > +++ b/drivers/mtd/mtdchar.c > @@ -615,6 +615,9 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, > if (!usr_oob) > req.ooblen = 0; > > + req.len &= 0xffffffff; > + req.ooblen &= 0xffffffff; > + Yeah, I think it is reasonable to limit write requests to 4GiB. Thanks, //richard ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check 2022-05-16 7:06 ` Michał Kępień @ 2022-06-09 13:10 ` Miquel Raynal -1 siblings, 0 replies; 14+ messages in thread From: Miquel Raynal @ 2022-06-09 13:10 UTC (permalink / raw) To: Michał Kępień, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel On Mon, 2022-05-16 at 07:06:00 UTC, =?utf-8?b?TWljaGHFgiBLxJlwaWXFhA==?= wrote: > Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE > ioctl") added a safety check to mtdchar_write_ioctl() which attempts to > ensure that the write request sent by user space does not extend beyond > the MTD device's size. However, that check contains an addition of two > struct mtd_write_req fields, 'start' and 'len', both of which are u64 > variables. The result of that addition can overflow, allowing the > safety check to be bypassed. > > The arguably simplest fix - changing the data types of the relevant > struct mtd_write_req fields - is not feasible as it would break user > space. > > Fix by making mtdchar_write_ioctl() truncate the value provided by user > space in the 'len' field of struct mtd_write_req, so that only the lower > 32 bits of that field are used, preventing the overflow. > > While the 'ooblen' field of struct mtd_write_req is not currently used > in any similarly flawed safety check, also truncate it to 32 bits, for > consistency with the 'len' field and with other MTD routines handling > OOB data. > > Update include/uapi/mtd/mtd-abi.h accordingly. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 1/2] mtdchar: prevent integer overflow in a safety check @ 2022-06-09 13:10 ` Miquel Raynal 0 siblings, 0 replies; 14+ messages in thread From: Miquel Raynal @ 2022-06-09 13:10 UTC (permalink / raw) To: Michał Kępień, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel On Mon, 2022-05-16 at 07:06:00 UTC, =?utf-8?b?TWljaGHFgiBLxJlwaWXFhA==?= wrote: > Commit 6420ac0af95d ("mtdchar: prevent unbounded allocation in MEMWRITE > ioctl") added a safety check to mtdchar_write_ioctl() which attempts to > ensure that the write request sent by user space does not extend beyond > the MTD device's size. However, that check contains an addition of two > struct mtd_write_req fields, 'start' and 'len', both of which are u64 > variables. The result of that addition can overflow, allowing the > safety check to be bypassed. > > The arguably simplest fix - changing the data types of the relevant > struct mtd_write_req fields - is not feasible as it would break user > space. > > Fix by making mtdchar_write_ioctl() truncate the value provided by user > space in the 'len' field of struct mtd_write_req, so that only the lower > 32 bits of that field are used, preventing the overflow. > > While the 'ooblen' field of struct mtd_write_req is not currently used > in any similarly flawed safety check, also truncate it to 32 bits, for > consistency with the 'len' field and with other MTD routines handling > OOB data. > > Update include/uapi/mtd/mtd-abi.h accordingly. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations 2022-05-16 7:05 ` Michał Kępień @ 2022-05-16 7:06 ` Michał Kępień -1 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:06 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to the smaller of two values: the write request's data/OOB length provided by user space and the erase block size of the MTD device. If the latter is large, kmalloc() may not be able to serve such allocation requests. Use kvmalloc() instead. Correspondingly, replace kfree() calls with kvfree() calls. Suggested-by: Richard Weinberger <richard@nod.at> Signed-off-by: Michał Kępień <kernel@kempniu.pl> --- drivers/mtd/mtdchar.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index b2700f8467ff..05860288a7af 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -623,16 +623,16 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, datbuf_len = min_t(size_t, req.len, mtd->erasesize); if (datbuf_len > 0) { - datbuf = kmalloc(datbuf_len, GFP_KERNEL); + datbuf = kvmalloc(datbuf_len, GFP_KERNEL); if (!datbuf) return -ENOMEM; } oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize); if (oobbuf_len > 0) { - oobbuf = kmalloc(oobbuf_len, GFP_KERNEL); + oobbuf = kvmalloc(oobbuf_len, GFP_KERNEL); if (!oobbuf) { - kfree(datbuf); + kvfree(datbuf); return -ENOMEM; } } @@ -682,8 +682,8 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, usr_oob += ops.oobretlen; } - kfree(datbuf); - kfree(oobbuf); + kvfree(datbuf); + kvfree(oobbuf); return ret; } -- 2.36.1 ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply related [flat|nested] 14+ messages in thread
* [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations @ 2022-05-16 7:06 ` Michał Kępień 0 siblings, 0 replies; 14+ messages in thread From: Michał Kępień @ 2022-05-16 7:06 UTC (permalink / raw) To: Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to the smaller of two values: the write request's data/OOB length provided by user space and the erase block size of the MTD device. If the latter is large, kmalloc() may not be able to serve such allocation requests. Use kvmalloc() instead. Correspondingly, replace kfree() calls with kvfree() calls. Suggested-by: Richard Weinberger <richard@nod.at> Signed-off-by: Michał Kępień <kernel@kempniu.pl> --- drivers/mtd/mtdchar.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c index b2700f8467ff..05860288a7af 100644 --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -623,16 +623,16 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, datbuf_len = min_t(size_t, req.len, mtd->erasesize); if (datbuf_len > 0) { - datbuf = kmalloc(datbuf_len, GFP_KERNEL); + datbuf = kvmalloc(datbuf_len, GFP_KERNEL); if (!datbuf) return -ENOMEM; } oobbuf_len = min_t(size_t, req.ooblen, mtd->erasesize); if (oobbuf_len > 0) { - oobbuf = kmalloc(oobbuf_len, GFP_KERNEL); + oobbuf = kvmalloc(oobbuf_len, GFP_KERNEL); if (!oobbuf) { - kfree(datbuf); + kvfree(datbuf); return -ENOMEM; } } @@ -682,8 +682,8 @@ static int mtdchar_write_ioctl(struct mtd_info *mtd, usr_oob += ops.oobretlen; } - kfree(datbuf); - kfree(oobbuf); + kvfree(datbuf); + kvfree(oobbuf); return ret; } -- 2.36.1 ^ permalink raw reply related [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations 2022-05-16 7:06 ` Michał Kępień @ 2022-06-07 20:30 ` Richard Weinberger -1 siblings, 0 replies; 14+ messages in thread From: Richard Weinberger @ 2022-06-07 20:30 UTC (permalink / raw) To: Michał Kępień Cc: Miquel Raynal, Vignesh Raghavendra, linux-mtd, linux-kernel ----- Ursprüngliche Mail ----- > Von: "Michał Kępień" <kernel@kempniu.pl> > An: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com> > CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org> > Gesendet: Montag, 16. Mai 2022 09:06:01 > Betreff: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations > mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to > the smaller of two values: the write request's data/OOB length provided > by user space and the erase block size of the MTD device. If the latter > is large, kmalloc() may not be able to serve such allocation requests. > Use kvmalloc() instead. Correspondingly, replace kfree() calls with > kvfree() calls. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> Looks good to me. Acked-by: Richard Weinberger <richard@nod.at> Thanks, //richard ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations @ 2022-06-07 20:30 ` Richard Weinberger 0 siblings, 0 replies; 14+ messages in thread From: Richard Weinberger @ 2022-06-07 20:30 UTC (permalink / raw) To: Michał Kępień Cc: Miquel Raynal, Vignesh Raghavendra, linux-mtd, linux-kernel ----- Ursprüngliche Mail ----- > Von: "Michał Kępień" <kernel@kempniu.pl> > An: "Miquel Raynal" <miquel.raynal@bootlin.com>, "richard" <richard@nod.at>, "Vignesh Raghavendra" <vigneshr@ti.com> > CC: "linux-mtd" <linux-mtd@lists.infradead.org>, "linux-kernel" <linux-kernel@vger.kernel.org> > Gesendet: Montag, 16. Mai 2022 09:06:01 > Betreff: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations > mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to > the smaller of two values: the write request's data/OOB length provided > by user space and the erase block size of the MTD device. If the latter > is large, kmalloc() may not be able to serve such allocation requests. > Use kvmalloc() instead. Correspondingly, replace kfree() calls with > kvfree() calls. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> Looks good to me. Acked-by: Richard Weinberger <richard@nod.at> Thanks, //richard ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations 2022-05-16 7:06 ` Michał Kępień @ 2022-06-09 13:10 ` Miquel Raynal -1 siblings, 0 replies; 14+ messages in thread From: Miquel Raynal @ 2022-06-09 13:10 UTC (permalink / raw) To: Michał Kępień, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel On Mon, 2022-05-16 at 07:06:01 UTC, =?utf-8?b?TWljaGHFgiBLxJlwaWXFhA==?= wrote: > mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to > the smaller of two values: the write request's data/OOB length provided > by user space and the erase block size of the MTD device. If the latter > is large, kmalloc() may not be able to serve such allocation requests. > Use kvmalloc() instead. Correspondingly, replace kfree() calls with > kvfree() calls. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> > Acked-by: Richard Weinberger <richard@nod.at> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations @ 2022-06-09 13:10 ` Miquel Raynal 0 siblings, 0 replies; 14+ messages in thread From: Miquel Raynal @ 2022-06-09 13:10 UTC (permalink / raw) To: Michał Kępień, Miquel Raynal, Richard Weinberger, Vignesh Raghavendra Cc: linux-mtd, linux-kernel On Mon, 2022-05-16 at 07:06:01 UTC, =?utf-8?b?TWljaGHFgiBLxJlwaWXFhA==?= wrote: > mtdchar_write_ioctl() calls kmalloc() with the 'size' argument set to > the smaller of two values: the write request's data/OOB length provided > by user space and the erase block size of the MTD device. If the latter > is large, kmalloc() may not be able to serve such allocation requests. > Use kvmalloc() instead. Correspondingly, replace kfree() calls with > kvfree() calls. > > Suggested-by: Richard Weinberger <richard@nod.at> > Signed-off-by: Michał Kępień <kernel@kempniu.pl> > Acked-by: Richard Weinberger <richard@nod.at> Applied to https://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux.git mtd/next, thanks. Miquel ______________________________________________________ Linux MTD discussion mailing list http://lists.infradead.org/mailman/listinfo/linux-mtd/ ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2022-06-09 13:14 UTC | newest] Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-05-16 7:05 [PATCH 0/2] mtdchar_write_ioctl(): prevent integer overflow, use kvmalloc() Michał Kępień 2022-05-16 7:05 ` Michał Kępień 2022-05-16 7:06 ` [PATCH 1/2] mtdchar: prevent integer overflow in a safety check Michał Kępień 2022-05-16 7:06 ` Michał Kępień 2022-06-07 20:23 ` Richard Weinberger 2022-06-07 20:23 ` Richard Weinberger 2022-06-09 13:10 ` Miquel Raynal 2022-06-09 13:10 ` Miquel Raynal 2022-05-16 7:06 ` [PATCH 2/2] mtdchar: use kvmalloc() for potentially large allocations Michał Kępień 2022-05-16 7:06 ` Michał Kępień 2022-06-07 20:30 ` Richard Weinberger 2022-06-07 20:30 ` Richard Weinberger 2022-06-09 13:10 ` Miquel Raynal 2022-06-09 13:10 ` Miquel Raynal
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.