* [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array
@ 2018-08-23 17:44 Gustavo A. R. Silva
2018-08-27 9:13 ` Oliver Neukum
0 siblings, 1 reply; 2+ messages in thread
From: Gustavo A. R. Silva @ 2018-08-23 17:44 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-usb, linux-kernel, Kees Cook, Gustavo A. R. Silva
A common flaw in the kernel is integer overflow during memory allocation
size calculations. In an effort to reduce the frequency of these bugs,
kmalloc_array was implemented, which allocates memory for an array,
while at the same time detects integer overflow.
This patch replaces cases of:
kmalloc(a * b, gfp)
with:
kmalloc_array(a * b, gfp)
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
---
Changes in v2:
- Align GFP_KERNEL to open parenthesis.
drivers/usb/misc/iowarrior.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c
index c2991b8..ba05dd8 100644
--- a/drivers/usb/misc/iowarrior.c
+++ b/drivers/usb/misc/iowarrior.c
@@ -808,8 +808,8 @@ static int iowarrior_probe(struct usb_interface *interface,
dev->int_in_endpoint->bInterval);
/* create an internal buffer for interrupt data from the device */
dev->read_queue =
- kmalloc(((dev->report_size + 1) * MAX_INTERRUPT_BUFFER),
- GFP_KERNEL);
+ kmalloc_array(dev->report_size + 1, MAX_INTERRUPT_BUFFER,
+ GFP_KERNEL);
if (!dev->read_queue)
goto error;
/* Get the serial-number of the chip */
--
2.7.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array
2018-08-23 17:44 [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array Gustavo A. R. Silva
@ 2018-08-27 9:13 ` Oliver Neukum
0 siblings, 0 replies; 2+ messages in thread
From: Oliver Neukum @ 2018-08-27 9:13 UTC (permalink / raw)
To: Gustavo A. R. Silva, Greg Kroah-Hartman
Cc: Kees Cook, linux-kernel, linux-usb
On Do, 2018-08-23 at 12:44 -0500, Gustavo A. R. Silva wrote:
> A common flaw in the kernel is integer overflow during memory allocation
> size calculations. In an effort to reduce the frequency of these bugs,
> kmalloc_array was implemented, which allocates memory for an array,
> while at the same time detects integer overflow.
>
> This patch replaces cases of:
>
> kmalloc(a * b, gfp)
>
> with:
> kmalloc_array(a * b, gfp)
I am afraid there is a problem here. The driver currently is a gross
violation of the DMA rules. Unfortunately your patch does not fix that.
That is on anyrhing other than x86 you cannot take the size of a
report,
but you must use the size of a cache line.
Regards
Oliver
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-08-27 9:21 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-08-23 17:44 [PATCH v2] usb: iowarrior: replace kmalloc with kmalloc_array Gustavo A. R. Silva
2018-08-27 9:13 ` Oliver Neukum
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).