linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array
@ 2018-08-23 17:44 Gustavo A. R. Silva
  2018-08-27  9:13 ` Oliver Neukum
  0 siblings, 1 reply; 2+ messages in thread
From: Gustavo A. R. Silva @ 2018-08-23 17:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-usb, linux-kernel, Kees Cook, Gustavo A. R. Silva

A common flaw in the kernel is integer overflow during memory allocation
size calculations. In an effort to reduce the frequency of these bugs,
kmalloc_array was implemented, which allocates memory for an array,
while at the same time detects integer overflow.

This patch replaces cases of:

kmalloc(a * b, gfp)

with:
	kmalloc_array(a * b, gfp)

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
Changes in v2:
 - Align GFP_KERNEL to open parenthesis.

 drivers/usb/misc/iowarrior.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c2991b8..ba05dd8 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -808,8 +808,8 @@ static int iowarrior_probe(struct usb_interface *interface,
 			 dev->int_in_endpoint->bInterval);
 	/* create an internal buffer for interrupt data from the device */
 	dev->read_queue =
-	    kmalloc(((dev->report_size + 1) * MAX_INTERRUPT_BUFFER),
-		    GFP_KERNEL);
+	    kmalloc_array(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
+			  GFP_KERNEL);
 	if (!dev->read_queue)
 		goto error;
 	/* Get the serial-number of the chip */
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array
  2018-08-23 17:44 [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array Gustavo A. R. Silva
@ 2018-08-27  9:13 ` Oliver Neukum
  0 siblings, 0 replies; 2+ messages in thread
From: Oliver Neukum @ 2018-08-27  9:13 UTC (permalink / raw)
  To: Gustavo A. R. Silva, Greg Kroah-Hartman
  Cc: Kees Cook, linux-kernel, linux-usb

On Do, 2018-08-23 at 12:44 -0500,  Gustavo A. R. Silva  wrote:
> A common flaw in the kernel is integer overflow during memory allocation
> size calculations. In an effort to reduce the frequency of these bugs,
> kmalloc_array was implemented, which allocates memory for an array,
> while at the same time detects integer overflow.
> 
> This patch replaces cases of:
> 
> kmalloc(a * b, gfp)
> 
> with:
> 	kmalloc_array(a * b, gfp)

I am afraid there is a problem here. The driver currently is a gross
violation of the DMA rules. Unfortunately your patch does not fix that.

That is on anyrhing other than x86 you cannot take the size of a
report,
but you must use the size of a cache line.

	Regards
		Oliver


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-08-27  9:21 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-23 17:44 [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array Gustavo A. R. Silva
2018-08-27  9:13 ` Oliver Neukum

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).