Pandora Sourcecodes - pandora-kernel.git/commit

author	David Rientjes <rientjes@google.com>
	Wed, 21 Feb 2018 22:45:32 +0000 (14:45 -0800)
committer	Ben Hutchings <ben@decadent.org.uk>
	Thu, 31 May 2018 23:30:17 +0000 (00:30 +0100)
commit	53e4051f34a4fd8b56a8b98cce38610bf2257a0a
tree	80e387d81413e51d3298ae594c9a01cc97674bf8	tree \| snapshot
parent	3df2313052df34114c77900aa7e36ac2a870c968	commit \| diff

kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE

commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e upstream.

chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
of chan->n_subbufs * sizeof(size_t *).

kmalloc_slab() will generate a warning when this fails if
chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.

Limit chan->n_subbufs to the maximum allowed kmalloc() size.

Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
Signed-off-by: David Rientjes <rientjes@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>