2023-06-23 21:27:55

by Julia Lawall

Subject: [PATCH 00/26] use array_size

Use array_size to protect against multiplication overflows.

This follows up on the following patches by Kees Cook from 2018.

42bc47b35320 ("treewide: Use array_size() in vmalloc()")
fad953ce0b22 ("treewide: Use array_size() in vzalloc()")

The changes were done using the following Coccinelle semantic patch,
adapted from the one posted by Kees.

// Drop single-byte sizes and redundant parens.
@@
expression COUNT;
typedef u8;
typedef __u8;
type t = {u8,__u8,char,unsigned char};
identifier alloc = {vmalloc,vzalloc};
@@
alloc(
- (sizeof(t)) * (COUNT)
+ COUNT
, ...)

// 3-factor product with 2 sizeof(variable), with redundant parens removed.
@@
expression COUNT;
size_t e1, e2, e3;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(
- (e1) * (e2) * (e3)
+ array3_size(e1, e2, e3)
,...)
|
alloc(
- (e1) * (e2) * (COUNT)
+ array3_size(COUNT, e1, e2)
,...)
)

// 3-factor product with 1 sizeof(type) or sizeof(expression), with
// redundant parens removed.
@@
expression STRIDE, COUNT;
size_t e;
identifier alloc = {vmalloc,vzalloc};
@@

alloc(
- (e) * (COUNT) * (STRIDE)
+ array3_size(COUNT, STRIDE, e)
,...)

// Any remaining multi-factor products, first at least 3-factor products
// when they're not all constants...
@@
expression E1, E2, E3;
constant C1, C2, C3;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2 * C3,...)
|
alloc(
- (E1) * (E2) * (E3)
+ array3_size(E1, E2, E3)
,...)
)

// 2-factor product with sizeof(type/expression) and identifier or constant.
@@
size_t e1,e2;
expression COUNT;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(
- (e1) * (e2)
+ array_size(e1, e2)
,...)
|
alloc(
- (e1) * (COUNT)
+ array_size(COUNT, e1)
,...)
)

// And then all remaining 2 factors products when they're not all constants.
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)


---

arch/x86/kernel/cpu/sgx/main.c | 3 ++-
drivers/accel/habanalabs/common/device.c | 3 ++-
drivers/accel/habanalabs/common/state_dump.c | 6 +++---
drivers/bus/mhi/host/init.c | 4 ++--
drivers/comedi/comedi_buf.c | 4 ++--
drivers/dma-buf/heaps/system_heap.c | 2 +-
drivers/gpu/drm/gud/gud_pipe.c | 2 +-
drivers/gpu/drm/i915/gvt/gtt.c | 6 ++++--
drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c | 2 +-
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
drivers/infiniband/hw/erdma/erdma_verbs.c | 4 ++--
drivers/infiniband/sw/siw/siw_qp.c | 4 ++--
drivers/infiniband/sw/siw/siw_verbs.c | 6 +++---
drivers/iommu/tegra-gart.c | 4 ++--
drivers/net/ethernet/amd/pds_core/core.c | 4 ++--
drivers/net/ethernet/freescale/enetc/enetc.c | 4 ++--
drivers/net/ethernet/google/gve/gve_tx.c | 2 +-
drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 2 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 2 +-
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++--
drivers/scsi/fnic/fnic_trace.c | 2 +-
drivers/scsi/qla2xxx/qla_init.c | 4 ++--
drivers/staging/media/ipu3/ipu3-mmu.c | 2 +-
drivers/vdpa/vdpa_user/iova_domain.c | 3 +--
drivers/virtio/virtio_mem.c | 6 +++---
fs/btrfs/zoned.c | 5 +++--
kernel/kcov.c | 2 +-
lib/test_vmalloc.c | 12 ++++++------
28 files changed, 56 insertions(+), 52 deletions(-)
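
The overflow that array_size() guards against, modelled in userspace C. This is an added example, not code from this thread or from the kernel: model_vmalloc(), model_array_size(), model_vcalloc(), struct desc and the 1 GiB allocation limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed element type; 16 bytes on common ABIs. */
struct desc {
	uint64_t addr;
	uint32_t len;
	uint32_t flags;
};

/* Constructed cap standing in for "more memory than can be mapped". */
#define MODEL_ALLOC_LIMIT ((size_t)1 << 30)

/* Model of vmalloc(): returns NULL for sizes it cannot satisfy. */
static void *model_vmalloc(size_t bytes)
{
	if (bytes == 0 || bytes > MODEL_ALLOC_LIMIT)
		return NULL;
	return malloc(bytes);
}

/* The pattern the series removes: the product wraps modulo SIZE_MAX + 1. */
static size_t wrapped_size(size_t count, size_t elem)
{
	return count * elem;
}

/* Model of array_size(): saturate to SIZE_MAX when the product overflows. */
static size_t model_array_size(size_t count, size_t elem)
{
	size_t bytes;

	if (__builtin_mul_overflow(count, elem, &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Model of vcalloc(): the overflow check folded into a zeroing allocator. */
static void *model_vcalloc(size_t count, size_t elem)
{
	size_t bytes;
	void *p;

	if (__builtin_mul_overflow(count, elem, &bytes))
		return NULL;
	p = model_vmalloc(bytes);
	if (p)
		memset(p, 0, bytes);
	return p;
}

/* A count chosen so that count * sizeof(struct desc) wraps to a tiny value. */
static size_t overflowing_count(void)
{
	return SIZE_MAX / sizeof(struct desc) + 2;
}

/*
 * Returns 1 when the allocation succeeded but holds fewer than `count`
 * elements, the state that later indexing would run out of bounds on.
 */
static int undersized(void *p, size_t bytes, size_t count)
{
	return p != NULL && bytes / sizeof(struct desc) < count;
}

static int unchecked_is_undersized(size_t count)
{
	size_t bytes = wrapped_size(count, sizeof(struct desc));
	void *p = model_vmalloc(bytes);
	int bad = undersized(p, bytes, count);

	free(p);
	return bad;
}

static int checked_is_undersized(size_t count)
{
	size_t bytes = model_array_size(count, sizeof(struct desc));
	void *p = model_vmalloc(bytes);
	int bad = undersized(p, bytes, count);

	free(p);
	return bad;
}

int main(void)
{
	size_t n = overflowing_count();

	printf("wrapped bytes:        %zu\n", wrapped_size(n, sizeof(struct desc)));
	printf("saturated bytes:      %zu\n", model_array_size(n, sizeof(struct desc)));
	printf("unchecked undersized: %d\n", unchecked_is_undersized(n));
	printf("checked undersized:   %d\n", checked_is_undersized(n));
	printf("vcalloc model NULL:   %d\n", model_vcalloc(n, sizeof(struct desc)) == NULL);
	return 0;
}
```

With the wrapped product the allocator is asked for a handful of bytes and succeeds; with the saturated product it is asked for SIZE_MAX and fails, so the caller's existing NULL check handles the overflow.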


2023-06-23 21:27:55

by Julia Lawall

Subject: [PATCH 24/26] scsi: qla2xxx: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/scsi/qla2xxx/qla_init.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c
index 1a955c3ff3d6..72569ed6c825 100644
--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -8219,7 +8219,7 @@ qla24xx_load_risc_flash(scsi_qla_host_t *vha, uint32_t *srisc_addr,
ql_dbg(ql_dbg_init, vha, 0x0163,
"-> fwdt%u template allocate template %#x words...\n",
j, risc_size);
- fwdt->template = vmalloc(risc_size * sizeof(*dcode));
+ fwdt->template = vmalloc(array_size(risc_size, sizeof(*dcode)));
if (!fwdt->template) {
ql_log(ql_log_warn, vha, 0x0164,
"-> fwdt%u failed allocate template.\n", j);
@@ -8474,7 +8474,7 @@ qla24xx_load_risc_blob(scsi_qla_host_t *vha, uint32_t *srisc_addr)
ql_dbg(ql_dbg_init, vha, 0x0173,
"-> fwdt%u template allocate template %#x words...\n",
j, risc_size);
- fwdt->template = vmalloc(risc_size * sizeof(*dcode));
+ fwdt->template = vmalloc(array_size(risc_size, sizeof(*dcode)));
if (!fwdt->template) {
ql_log(ql_log_warn, vha, 0x0174,
"-> fwdt%u failed allocate template.\n", j);


2023-06-23 21:28:42

by Julia Lawall

Subject: [PATCH 12/26] btrfs: zoned: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
size_t e1,e2;
expression COUNT;
identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
@@

(
alloc(
- (e1) * (e2)
+ array_size(e1, e2)
,...)
|
alloc(
- (e1) * (COUNT)
+ array_size(COUNT, e1)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
fs/btrfs/zoned.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/zoned.c b/fs/btrfs/zoned.c
index 39828af4a4e8..0550ce98dcae 100644
--- a/fs/btrfs/zoned.c
+++ b/fs/btrfs/zoned.c
@@ -464,8 +464,9 @@ int btrfs_get_dev_zone_info(struct btrfs_device *device, bool populate_cache)
* use the cache.
*/
if (populate_cache && bdev_is_zoned(device->bdev)) {
- zone_info->zone_cache = vzalloc(sizeof(struct blk_zone) *
- zone_info->nr_zones);
+ zone_info->zone_cache =
+ vzalloc(array_size(zone_info->nr_zones,
+ sizeof(struct blk_zone)));
if (!zone_info->zone_cache) {
btrfs_err_in_rcu(device->fs_info,
"zoned: failed to allocate zone cache for %s",


2023-06-23 21:28:52

by Julia Lawall

Subject: [PATCH 09/26] pds_core: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/net/ethernet/amd/pds_core/core.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/amd/pds_core/core.c b/drivers/net/ethernet/amd/pds_core/core.c
index 483a070d96fa..d87f45a1ee2f 100644
--- a/drivers/net/ethernet/amd/pds_core/core.c
+++ b/drivers/net/ethernet/amd/pds_core/core.c
@@ -196,7 +196,7 @@ int pdsc_qcq_alloc(struct pdsc *pdsc, unsigned int type, unsigned int index,
dma_addr_t q_base_pa;
int err;

- qcq->q.info = vzalloc(num_descs * sizeof(*qcq->q.info));
+ qcq->q.info = vzalloc(array_size(num_descs, sizeof(*qcq->q.info)));
if (!qcq->q.info) {
err = -ENOMEM;
goto err_out;
@@ -219,7 +219,7 @@ int pdsc_qcq_alloc(struct pdsc *pdsc, unsigned int type, unsigned int index,
if (err)
goto err_out_free_q_info;

- qcq->cq.info = vzalloc(num_descs * sizeof(*qcq->cq.info));
+ qcq->cq.info = vzalloc(array_size(num_descs, sizeof(*qcq->cq.info)));
if (!qcq->cq.info) {
err = -ENOMEM;
goto err_out_free_irq;


2023-06-23 21:33:59

by Julia Lawall

Subject: [PATCH 21/26] x86/sgx: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
arch/x86/kernel/cpu/sgx/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
index 166692f2d501..3a234942c586 100644
--- a/arch/x86/kernel/cpu/sgx/main.c
+++ b/arch/x86/kernel/cpu/sgx/main.c
@@ -628,7 +628,8 @@ static bool __init sgx_setup_epc_section(u64 phys_addr, u64 size,
if (!section->virt_addr)
return false;

- section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
+ section->pages = vmalloc(array_size(nr_pages,
+ sizeof(struct sgx_epc_page)));
if (!section->pages) {
memunmap(section->virt_addr);
return false;
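
Review bot: the new vmalloc() call in sgx_setup_epc_section() needs a wrapped argument only because array_size() is nested inside it. vmalloc_array(nr_pages, sizeof(struct sgx_epc_page)) performs the same overflow check, returns NULL on overflow so the existing !section->pages path still handles it, and avoids the continuation line.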


2023-06-23 21:36:04

by Julia Lawall

Subject: [PATCH 19/26] RDMA/bnxt_re: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/infiniband/hw/bnxt_re/qplib_res.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/bnxt_re/qplib_res.c b/drivers/infiniband/hw/bnxt_re/qplib_res.c
index 81b0c5e879f9..f049b627e734 100644
--- a/drivers/infiniband/hw/bnxt_re/qplib_res.c
+++ b/drivers/infiniband/hw/bnxt_re/qplib_res.c
@@ -118,11 +118,11 @@ static int __alloc_pbl(struct bnxt_qplib_res *res,
else
pages = sginfo->npages;
/* page ptr arrays */
- pbl->pg_arr = vmalloc(pages * sizeof(void *));
+ pbl->pg_arr = vmalloc(array_size(pages, sizeof(void *)));
if (!pbl->pg_arr)
return -ENOMEM;

- pbl->pg_map_arr = vmalloc(pages * sizeof(dma_addr_t));
+ pbl->pg_map_arr = vmalloc(array_size(pages, sizeof(dma_addr_t)));
if (!pbl->pg_map_arr) {
vfree(pbl->pg_arr);
pbl->pg_arr = NULL;


2023-06-23 21:36:25

by Julia Lawall

Subject: [PATCH 26/26] comedi: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
size_t e1,e2;
expression COUNT;
identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
@@

(
alloc(
- (e1) * (e2)
+ array_size(e1, e2)
,...)
|
alloc(
- (e1) * (COUNT)
+ array_size(COUNT, e1)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/comedi/comedi_buf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/comedi/comedi_buf.c b/drivers/comedi/comedi_buf.c
index 393966c09740..32ad3e6e1ce8 100644
--- a/drivers/comedi/comedi_buf.c
+++ b/drivers/comedi/comedi_buf.c
@@ -89,7 +89,7 @@ comedi_buf_map_alloc(struct comedi_device *dev, enum dma_data_direction dma_dir,
bm->dma_hw_dev = get_device(dev->hw_dev);
}

- bm->page_list = vzalloc(sizeof(*buf) * n_pages);
+ bm->page_list = vzalloc(array_size(n_pages, sizeof(*buf)));
if (!bm->page_list)
goto err;

@@ -169,7 +169,7 @@ static void __comedi_buf_alloc(struct comedi_device *dev,
buf = &bm->page_list[0];
async->prealloc_buf = buf->virt_addr;
} else {
- pages = vmalloc(sizeof(struct page *) * n_pages);
+ pages = vmalloc(array_size(n_pages, sizeof(struct page *)));
if (!pages)
return;



2023-06-23 21:36:31

by Julia Lawall

Subject: [PATCH 17/26] kcov: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
kernel/kcov.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/kcov.c b/kernel/kcov.c
index 84c717337df0..631444760644 100644
--- a/kernel/kcov.c
+++ b/kernel/kcov.c
@@ -900,7 +900,7 @@ void kcov_remote_start(u64 handle)
/* Can only happen when in_task(). */
if (!area) {
local_unlock_irqrestore(&kcov_percpu_data.lock, flags);
- area = vmalloc(size * sizeof(unsigned long));
+ area = vmalloc(array_size(size, sizeof(unsigned long)));
if (!area) {
kcov_put(kcov);
return;


2023-06-23 21:37:18

by Julia Lawall

Subject: [PATCH 06/26] dma-buf: system_heap: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
size_t e1,e2;
expression COUNT;
identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
@@

(
alloc(
- (e1) * (e2)
+ array_size(e1, e2)
,...)
|
alloc(
- (e1) * (COUNT)
+ array_size(COUNT, e1)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/dma-buf/heaps/system_heap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma-buf/heaps/system_heap.c b/drivers/dma-buf/heaps/system_heap.c
index ee7059399e9c..fb7867599874 100644
--- a/drivers/dma-buf/heaps/system_heap.c
+++ b/drivers/dma-buf/heaps/system_heap.c
@@ -221,7 +221,7 @@ static void *system_heap_do_vmap(struct system_heap_buffer *buffer)
{
struct sg_table *table = &buffer->sg_table;
int npages = PAGE_ALIGN(buffer->len) / PAGE_SIZE;
- struct page **pages = vmalloc(sizeof(struct page *) * npages);
+ struct page **pages = vmalloc(array_size(npages, sizeof(struct page *)));
struct page **tmp = pages;
struct sg_page_iter piter;
void *vaddr;
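
Review bot: npages is declared int on the line above the changed vmalloc() call, so the page count from PAGE_ALIGN(buffer->len) / PAGE_SIZE is narrowed to int before array_size() ever sees it, and array_size() cannot detect that narrowing. If the aim is to harden this size computation, declare npages as size_t in the same patch so the count reaches array_size() unmodified.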


2023-06-23 21:37:38

by Julia Lawall

Subject: [PATCH 07/26] scsi: fnic: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/scsi/fnic/fnic_trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/fnic/fnic_trace.c b/drivers/scsi/fnic/fnic_trace.c
index f3c3a26a1384..74d428c9f7d3 100644
--- a/drivers/scsi/fnic/fnic_trace.c
+++ b/drivers/scsi/fnic/fnic_trace.c
@@ -465,7 +465,7 @@ int fnic_trace_buf_init(void)
fnic_max_trace_entries = (trace_max_pages * PAGE_SIZE)/
FNIC_ENTRY_SIZE_BYTES;

- fnic_trace_buf_p = (unsigned long)vzalloc(trace_max_pages * PAGE_SIZE);
+ fnic_trace_buf_p = (unsigned long)vzalloc(array_size(trace_max_pages, PAGE_SIZE));
if (!fnic_trace_buf_p) {
printk(KERN_ERR PFX "Failed to allocate memory "
"for fnic_trace_buf_p\n");

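Review bot: the statement just above the changed vzalloc() call still computes fnic_max_trace_entries from the plain product (trace_max_pages * PAGE_SIZE), so if that product can overflow, the entry count is derived from a wrapped value even though the allocation is now guarded. Compute the byte size once with array_size(), reuse it for both the division and the allocation, or bound trace_max_pages before either use.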

2023-06-23 21:37:46

by Julia Lawall

Subject: [PATCH 02/26] octeon_ep: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/net/ethernet/marvell/octeon_ep/octep_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
index 392d9b0da0d7..185b7e50ee77 100644
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_rx.c
@@ -158,7 +158,7 @@ static int octep_setup_oq(struct octep_device *oct, int q_no)
goto desc_dma_alloc_err;
}

- oq->buff_info = vzalloc(oq->max_count * OCTEP_OQ_RECVBUF_SIZE);
+ oq->buff_info = vzalloc(array_size(oq->max_count, OCTEP_OQ_RECVBUF_SIZE));
if (unlikely(!oq->buff_info)) {
dev_err(&oct->pdev->dev,
"Failed to allocate buffer info for OQ-%d\n", q_no);


2023-06-23 21:39:29

by Julia Lawall

Subject: [PATCH 13/26] iommu/tegra: gart: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/iommu/tegra-gart.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/tegra-gart.c b/drivers/iommu/tegra-gart.c
index a482ff838b53..def222da83f1 100644
--- a/drivers/iommu/tegra-gart.c
+++ b/drivers/iommu/tegra-gart.c
@@ -348,8 +348,8 @@ struct gart_device *tegra_gart_probe(struct device *dev, struct tegra_mc *mc)
if (err)
goto remove_sysfs;

- gart->savedata = vmalloc(resource_size(res) / GART_PAGE_SIZE *
- sizeof(u32));
+ gart->savedata = vmalloc(array_size(resource_size(res) / GART_PAGE_SIZE,
+ sizeof(u32)));
if (!gart->savedata) {
err = -ENOMEM;
goto unregister_iommu;
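
Review bot: in the gart->savedata allocation the count is already resource_size(res) / GART_PAGE_SIZE, so multiplying it by sizeof(u32) cannot exceed resource_size(res) as long as GART_PAGE_SIZE is at least sizeof(u32), and the product cannot overflow. The change is harmless, but the changelog's overflow rationale does not apply to this site; either say it is converted for consistency or drop it from the series.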


2023-06-23 21:40:03

by Julia Lawall

Subject: [PATCH 11/26] ionic: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index 957027e546b3..f2e2c6853536 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -560,7 +560,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type,
new->q.dev = dev;
new->flags = flags;

- new->q.info = vzalloc(num_descs * sizeof(*new->q.info));
+ new->q.info = vzalloc(array_size(num_descs, sizeof(*new->q.info)));
if (!new->q.info) {
netdev_err(lif->netdev, "Cannot allocate queue info\n");
err = -ENOMEM;
@@ -581,7 +581,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type,
if (err)
goto err_out;

- new->cq.info = vzalloc(num_descs * sizeof(*new->cq.info));
+ new->cq.info = vzalloc(array_size(num_descs, sizeof(*new->cq.info)));
if (!new->cq.info) {
netdev_err(lif->netdev, "Cannot allocate completion queue info\n");
err = -ENOMEM;


2023-06-23 21:40:19

by Julia Lawall

Subject: [PATCH 18/26] net: enetc: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/net/ethernet/freescale/enetc/enetc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/freescale/enetc/enetc.c b/drivers/net/ethernet/freescale/enetc/enetc.c
index 9e1b2536e9a9..7231f8ea1ba4 100644
--- a/drivers/net/ethernet/freescale/enetc/enetc.c
+++ b/drivers/net/ethernet/freescale/enetc/enetc.c
@@ -1790,7 +1790,7 @@ static int enetc_alloc_tx_resource(struct enetc_bdr_resource *res,
res->bd_count = bd_count;
res->bd_size = sizeof(union enetc_tx_bd);

- res->tx_swbd = vzalloc(bd_count * sizeof(*res->tx_swbd));
+ res->tx_swbd = vzalloc(array_size(bd_count, sizeof(*res->tx_swbd)));
if (!res->tx_swbd)
return -ENOMEM;

@@ -1878,7 +1878,7 @@ static int enetc_alloc_rx_resource(struct enetc_bdr_resource *res,
if (extended)
res->bd_size *= 2;

- res->rx_swbd = vzalloc(bd_count * sizeof(struct enetc_rx_swbd));
+ res->rx_swbd = vzalloc(array_size(bd_count, sizeof(struct enetc_rx_swbd)));
if (!res->rx_swbd)
return -ENOMEM;
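
Review bot: the rx allocation keeps sizeof(struct enetc_rx_swbd) while the tx hunk above uses sizeof(*res->tx_swbd). Since the line is being rewritten anyway, use sizeof(*res->rx_swbd) so the element size follows the pointer's type and the two sites match.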



2023-06-23 21:42:45

by Julia Lawall

Subject: [PATCH 05/26] RDMA/erdma: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/infiniband/hw/erdma/erdma_verbs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/erdma/erdma_verbs.c b/drivers/infiniband/hw/erdma/erdma_verbs.c
index 83e1b0d55977..c49160f6ff27 100644
--- a/drivers/infiniband/hw/erdma/erdma_verbs.c
+++ b/drivers/infiniband/hw/erdma/erdma_verbs.c
@@ -462,8 +462,8 @@ static int init_kernel_qp(struct erdma_dev *dev, struct erdma_qp *qp,
dev->func_bar + (ERDMA_SDB_SHARED_PAGE_INDEX << PAGE_SHIFT);
kqp->hw_rq_db = dev->func_bar + ERDMA_BAR_RQDB_SPACE_OFFSET;

- kqp->swr_tbl = vmalloc(qp->attrs.sq_size * sizeof(u64));
- kqp->rwr_tbl = vmalloc(qp->attrs.rq_size * sizeof(u64));
+ kqp->swr_tbl = vmalloc(array_size(qp->attrs.sq_size, sizeof(u64)));
+ kqp->rwr_tbl = vmalloc(array_size(qp->attrs.rq_size, sizeof(u64)));
if (!kqp->swr_tbl || !kqp->rwr_tbl)
goto err_out;



2023-06-23 21:43:42

by Julia Lawall

Subject: [PATCH 25/26] vduse: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/vdpa/vdpa_user/iova_domain.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/vdpa/vdpa_user/iova_domain.c b/drivers/vdpa/vdpa_user/iova_domain.c
index 5e4a77b9bae6..ee395e013086 100644
--- a/drivers/vdpa/vdpa_user/iova_domain.c
+++ b/drivers/vdpa/vdpa_user/iova_domain.c
@@ -571,8 +571,9 @@ vduse_domain_create(unsigned long iova_limit, size_t bounce_size)

domain->iova_limit = iova_limit;
domain->bounce_size = PAGE_ALIGN(bounce_size);
- domain->bounce_maps = vzalloc(bounce_pfns *
- sizeof(struct vduse_bounce_map));
+ domain->bounce_maps =
+ vzalloc(array_size(bounce_pfns,
+ sizeof(struct vduse_bounce_map)));
if (!domain->bounce_maps)
goto err_map;
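
Review bot: the rewritten domain->bounce_maps assignment now breaks after the '=' and spans three lines. vcalloc(bounce_pfns, sizeof(struct vduse_bounce_map)) does the overflow-checked, zeroed allocation without the nested call and without the awkward break. Separately, the cover letter's diffstat lists this file as "3 +--" while this patch is 3 insertions and 2 deletions, so the cover letter appears to have been generated from a different version of the change; please regenerate it on resend.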


2023-06-23 21:43:43

by Julia Lawall

Subject: [PATCH 20/26] drm/vmwgfx: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
size_t e1,e2;
expression COUNT;
identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
@@

(
alloc(
- (e1) * (e2)
+ array_size(e1, e2)
,...)
|
alloc(
- (e1) * (COUNT)
+ array_size(COUNT, e1)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c b/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
index 829df395c2ed..c72fc8111a11 100644
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
@@ -88,7 +88,7 @@ int vmw_devcaps_create(struct vmw_private *vmw)
uint32_t i;

if (gb_objects) {
- vmw->devcaps = vzalloc(sizeof(uint32_t) * SVGA3D_DEVCAP_MAX);
+ vmw->devcaps = vzalloc(array_size(SVGA3D_DEVCAP_MAX, sizeof(uint32_t)));
if (!vmw->devcaps)
return -ENOMEM;
for (i = 0; i < SVGA3D_DEVCAP_MAX; ++i) {
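
Review bot: both factors in the vzalloc() argument look like compile-time constants, sizeof(uint32_t) and SVGA3D_DEVCAP_MAX (which also bounds the for loop below), so this product cannot overflow at run time and array_size() adds nothing here. The cover letter's rules deliberately skip all-constant products (alloc(C1 * C2,...)), but the size_t e1,e2 rule quoted in this changelog has no such exclusion; consider adding one and dropping this hunk.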


2023-06-23 21:44:04

by Julia Lawall

Subject: [PATCH 03/26] drm/gud: use array_size

Use array_size to protect against multiplication overflows.

The changes were done using the following Coccinelle semantic patch:

// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@

(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>

Signed-off-by: Julia Lawall <[email protected]>

---
drivers/gpu/drm/gud/gud_pipe.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/gud/gud_pipe.c b/drivers/gpu/drm/gud/gud_pipe.c
index dc16a92625d4..34df847bd829 100644
--- a/drivers/gpu/drm/gud/gud_pipe.c
+++ b/drivers/gpu/drm/gud/gud_pipe.c
@@ -390,7 +390,7 @@ static int gud_fb_queue_damage(struct gud_device *gdrm, struct drm_framebuffer *
mutex_lock(&gdrm->damage_lock);

if (!gdrm->shadow_buf) {
- gdrm->shadow_buf = vzalloc(fb->pitches[0] * fb->height);
+ gdrm->shadow_buf = vzalloc(array_size(fb->pitches[0], fb->height));
if (!gdrm->shadow_buf) {
mutex_unlock(&gdrm->damage_lock);
return -ENOMEM;
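
Review bot: in the shadow_buf allocation neither factor is a sizeof: fb->pitches[0] is the byte length of one row and fb->height is the number of rows, so array_size(fb->pitches[0], fb->height) passes them in (size, count) order, the reverse of the (count, size) order used in the other patches of this series shown here. The result is the same, but array_size(fb->height, fb->pitches[0]) or vcalloc(fb->height, fb->pitches[0]) would read as rows of pitch bytes.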


2023-06-23 22:01:17

by John Stultz

Subject: Re: [PATCH 06/26] dma-buf: system_heap: use array_size

On Fri, Jun 23, 2023 at 2:15 PM Julia Lawall <[email protected]> wrote:
>
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> size_t e1,e2;
> expression COUNT;
> identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
> @@
>
> (
> alloc(
> - (e1) * (e2)
> + array_size(e1, e2)
> ,...)
> |
> alloc(
> - (e1) * (COUNT)
> + array_size(COUNT, e1)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Thanks for sending this out!

Acked-by: John Stultz <[email protected]>

2023-06-24 06:18:33

by Dmitry Vyukov

Subject: Re: [PATCH 17/26] kcov: use array_size

On Fri, 23 Jun 2023 at 23:15, Julia Lawall <[email protected]> wrote:
>
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Reviewed-by: Dmitry Vyukov <[email protected]>

> ---
> kernel/kcov.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/kcov.c b/kernel/kcov.c
> index 84c717337df0..631444760644 100644
> --- a/kernel/kcov.c
> +++ b/kernel/kcov.c
> @@ -900,7 +900,7 @@ void kcov_remote_start(u64 handle)
> /* Can only happen when in_task(). */
> if (!area) {
> local_unlock_irqrestore(&kcov_percpu_data.lock, flags);
> - area = vmalloc(size * sizeof(unsigned long));
> + area = vmalloc(array_size(size, sizeof(unsigned long)));
> if (!area) {
> kcov_put(kcov);
> return;
>

2023-06-24 15:51:01

by Simon Horman

Subject: Re: [PATCH 02/26] octeon_ep: use array_size

On Fri, Jun 23, 2023 at 11:14:33PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Reviewed-by: Simon Horman <[email protected]>


2023-06-24 15:51:41

by Simon Horman

Subject: Re: [PATCH 09/26] pds_core: use array_size

On Fri, Jun 23, 2023 at 11:14:40PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Reviewed-by: Simon Horman <[email protected]>


2023-06-24 16:03:04

by Simon Horman

Subject: Re: [PATCH 18/26] net: enetc: use array_size

On Fri, Jun 23, 2023 at 11:14:49PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Reviewed-by: Simon Horman <[email protected]>


2023-06-24 16:03:33

by Simon Horman

Subject: Re: [PATCH 11/26] ionic: use array_size

On Fri, Jun 23, 2023 at 11:14:42PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Reviewed-by: Simon Horman <[email protected]>


2023-06-24 23:34:51

by Jakub Kicinski

Subject: Re: [PATCH 02/26] octeon_ep: use array_size

On Fri, 23 Jun 2023 23:14:33 +0200 Julia Lawall wrote:
> - oq->buff_info = vzalloc(oq->max_count * OCTEP_OQ_RECVBUF_SIZE);
> + oq->buff_info = vzalloc(array_size(oq->max_count, OCTEP_OQ_RECVBUF_SIZE));

vcalloc seems to exist, is there a reason array_size() is preferred?
--
pw-bot: cr

2023-06-25 20:30:25

by Julia Lawall

Subject: Re: [PATCH 02/26] octeon_ep: use array_size



On Sun, 25 Jun 2023, Christophe JAILLET wrote:

> On 25/06/2023 at 00:28, Jakub Kicinski wrote:
> > On Fri, 23 Jun 2023 23:14:33 +0200 Julia Lawall wrote:
> > > - oq->buff_info = vzalloc(oq->max_count * OCTEP_OQ_RECVBUF_SIZE);
> > > + oq->buff_info = vzalloc(array_size(oq->max_count,
> > > OCTEP_OQ_RECVBUF_SIZE));
> >
> > vcalloc seems to exist, is there a reason array_size() is preferred?
>
> Hi,
>
> just for your information, I've just sent [1].
>
> CJ
>
> [1]:
> https://lore.kernel.org/all/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr/

For some reason, I have only received Christophe's mail, not Jakub's...

In any case, thanks for pointing out the existence of these functions. I
just redid what Kees did in 2018, when I guess these functions didn't
exist. I will look more carefully to see what functions are now available
and resend the whole thing.

Thanks!

julia

2023-06-25 20:32:56

by Christophe JAILLET

Subject: Re: [PATCH 02/26] octeon_ep: use array_size

On 25/06/2023 at 00:28, Jakub Kicinski wrote:
> On Fri, 23 Jun 2023 23:14:33 +0200 Julia Lawall wrote:
>> - oq->buff_info = vzalloc(oq->max_count * OCTEP_OQ_RECVBUF_SIZE);
>> + oq->buff_info = vzalloc(array_size(oq->max_count, OCTEP_OQ_RECVBUF_SIZE));
>
> vcalloc seems to exist, is there a reason array_size() is preferred?

Hi,

just for your information, I've just sent [1].

CJ

[1]:
https://lore.kernel.org/all/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr/


2023-06-25 20:37:33

by Christophe JAILLET

Subject: Re: [PATCH 02/26] octeon_ep: use array_size

On 25/06/2023 at 22:25, Julia Lawall wrote:
>
>
> On Sun, 25 Jun 2023, Christophe JAILLET wrote:
>
>> On 25/06/2023 at 00:28, Jakub Kicinski wrote:
>>> On Fri, 23 Jun 2023 23:14:33 +0200 Julia Lawall wrote:
>>>> - oq->buff_info = vzalloc(oq->max_count * OCTEP_OQ_RECVBUF_SIZE);
>>>> + oq->buff_info = vzalloc(array_size(oq->max_count,
>>>> OCTEP_OQ_RECVBUF_SIZE));
>>>
>>> vcalloc seems to exist, is there a reason array_size() is preferred?
>>
>> Hi,
>>
>> just for your information, I've just sent [1].
>>
>> CJ
>>
>> [1]:
>> https://lore.kernel.org/all/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr/
>
> For some reason, I have only received Christophe's mail, not Jakub's...
>
> In any case, thanks for pointing out the existence of these functions. I
> just redid what Kees did in 2018, when I guess these functions didn't
> exist. I will look more carefully to see what functions are now available
> and resend the whole thing.

Hi,

should you want to go 1 step further and simplify some code:

git grep v[mz]alloc.*array_size\( | wc -l
174

CJ

>
> Thanks!
>
> julia


2023-06-25 21:27:45

by Julia Lawall

Subject: Re: [PATCH 02/26] octeon_ep: use array_size



On Sun, 25 Jun 2023, Christophe JAILLET wrote:

> On 25/06/2023 at 22:25, Julia Lawall wrote:
> >
> >
> > On Sun, 25 Jun 2023, Christophe JAILLET wrote:
> >
> > > On 25/06/2023 at 00:28, Jakub Kicinski wrote:
> > > > On Fri, 23 Jun 2023 23:14:33 +0200 Julia Lawall wrote:
> > > > > - oq->buff_info = vzalloc(oq->max_count *
> > > > > OCTEP_OQ_RECVBUF_SIZE);
> > > > > + oq->buff_info = vzalloc(array_size(oq->max_count,
> > > > > OCTEP_OQ_RECVBUF_SIZE));
> > > >
> > > > vcalloc seems to exist, is there a reason array_size() is preferred?
> > >
> > > Hi,
> > >
> > > just for your information, I've just sent [1].
> > >
> > > CJ
> > >
> > > [1]:
> > > https://lore.kernel.org/all/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr/
> >
> > For some reason, I have only received Christophe's mail, not Jakub's...
> >
> > In any case, thanks for pointing out the existence of these functions. I
> > just redid what Kees did in 2018, when I guess these functions didn't
> > exist. I will look more carefully to see what functions are now available
> > and resend the whole thing.
>
> Hi,
>
> should you want to go 1 step further and simplify some code:
>
> git grep v[mz]alloc.*array_size\( | wc -l
> 174

Yes, thanks for the suggestion.

julia

>
> CJ
>
> >
> > Thanks!
> >
> > julia
>
>
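The three call shapes discussed in this sub-thread, modelled in userspace as an added example (not code from the thread or from the kernel). All `model_*` and `alloc_*` names are hypothetical stand-ins, `calloc()` stands in for the kernel allocator, and the count is constructed so that the open-coded product wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of array_size(): product of two factors, saturated to SIZE_MAX
 * when it does not fit in size_t (uses the GCC/Clang overflow builtin). */
static size_t model_array_size(size_t a, size_t b)
{
	size_t bytes;
	return __builtin_mul_overflow(a, b, &bytes) ? SIZE_MAX : bytes;
}

/* Stand-in for vzalloc(): zeroed memory, NULL for impossible sizes. */
static void *model_vzalloc(size_t bytes)
{
	return bytes > PTRDIFF_MAX ? NULL : calloc(1, bytes);
}

/* Pre-patch shape: vzalloc(n * size). The product wraps silently. */
static void *alloc_open_coded(size_t n, size_t size)
{
	return model_vzalloc(n * size);
}

/* Patched shape: vzalloc(array_size(n, size)). */
static void *alloc_array_size(size_t n, size_t size)
{
	return model_vzalloc(model_array_size(n, size));
}

/* vcalloc()-style shape: count and element size are separate arguments
 * and the overflow check happens before any allocation. */
static void *alloc_vcalloc(size_t n, size_t size)
{
	size_t bytes;
	if (__builtin_mul_overflow(n, size, &bytes))
		return NULL;
	return model_vzalloc(bytes);
}

int main(void)
{
	size_t n = SIZE_MAX / 16 + 2;	/* constructed: n * 16 wraps to 16 */
	printf("open-coded: %s\n", alloc_open_coded(n, 16) ? "16-byte buffer" : "NULL");
	printf("array_size: %s\n", alloc_array_size(n, 16) ? "buffer" : "NULL");
	printf("vcalloc:    %s\n", alloc_vcalloc(n, 16) ? "buffer" : "NULL");
	return 0;
}
```

The open-coded form returns a 16-byte buffer for an array the caller believes holds `n` elements; the other two forms fail the allocation, so the caller's existing NULL check handles it.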

2023-06-26 06:18:45

by Johannes Thumshirn

Subject: Re: [PATCH 12/26] btrfs: zoned: use array_size

Looks good,
Reviewed-by: Johannes Thumshirn <[email protected]>

2023-06-26 08:43:53

by Naohiro Aota

Subject: Re: [PATCH 12/26] btrfs: zoned: use array_size

On Fri, Jun 23, 2023 at 11:14:43PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> size_t e1,e2;
> expression COUNT;
> identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
> @@
>
> (
> alloc(
> - (e1) * (e2)
> + array_size(e1, e2)
> ,...)
> |
> alloc(
> - (e1) * (COUNT)
> + array_size(COUNT, e1)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Looks good.

Reviewed-by: Naohiro Aota <[email protected]>

2023-06-26 16:16:31

by Nelson, Shannon

Subject: Re: [PATCH 09/26] pds_core: use array_size

On 6/23/23 2:14 PM, Julia Lawall wrote:
>
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Thanks,
Acked-by: Shannon Nelson <[email protected]>

>
> ---
> drivers/net/ethernet/amd/pds_core/core.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/amd/pds_core/core.c b/drivers/net/ethernet/amd/pds_core/core.c
> index 483a070d96fa..d87f45a1ee2f 100644
> --- a/drivers/net/ethernet/amd/pds_core/core.c
> +++ b/drivers/net/ethernet/amd/pds_core/core.c
> @@ -196,7 +196,7 @@ int pdsc_qcq_alloc(struct pdsc *pdsc, unsigned int type, unsigned int index,
> dma_addr_t q_base_pa;
> int err;
>
> - qcq->q.info = vzalloc(num_descs * sizeof(*qcq->q.info));
> + qcq->q.info = vzalloc(array_size(num_descs, sizeof(*qcq->q.info)));
> if (!qcq->q.info) {
> err = -ENOMEM;
> goto err_out;
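Review bot: the new `vzalloc(array_size(num_descs, sizeof(*qcq->q.info)))` nests an overflow helper inside a zeroing allocator, which is the case Jakub raised on 02/26. `vcalloc(num_descs, sizeof(*qcq->q.info))` takes the count and the element size as separate arguments, does the overflow check internally, and reads shorter. Consider using it here in the resend; the existing `if (!qcq->q.info)` check stays as it is.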
> @@ -219,7 +219,7 @@ int pdsc_qcq_alloc(struct pdsc *pdsc, unsigned int type, unsigned int index,
> if (err)
> goto err_out_free_q_info;
>
> - qcq->cq.info = vzalloc(num_descs * sizeof(*qcq->cq.info));
> + qcq->cq.info = vzalloc(array_size(num_descs, sizeof(*qcq->cq.info)));
> if (!qcq->cq.info) {
> err = -ENOMEM;
> goto err_out_free_irq;
>
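Review bot: the changelog does not say what happens on overflow at the `qcq->cq.info` allocation. array_size() saturates to SIZE_MAX instead of wrapping, so vzalloc() returns NULL and the existing `if (!qcq->cq.info)` branch returns -ENOMEM through err_out_free_irq. One sentence stating that no new error handling is needed would make the change easier to ack.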

2023-06-26 16:16:32

by Nelson, Shannon

Subject: Re: [PATCH 11/26] ionic: use array_size

On 6/23/23 2:14 PM, Julia Lawall wrote:
>
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Thanks,
Acked-by: Shannon Nelson <[email protected]>

>
> ---
> drivers/net/ethernet/pensando/ionic/ionic_lif.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
> index 957027e546b3..f2e2c6853536 100644
> --- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
> +++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
> @@ -560,7 +560,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type,
> new->q.dev = dev;
> new->flags = flags;
>
> - new->q.info = vzalloc(num_descs * sizeof(*new->q.info));
> + new->q.info = vzalloc(array_size(num_descs, sizeof(*new->q.info)));
> if (!new->q.info) {
> netdev_err(lif->netdev, "Cannot allocate queue info\n");
> err = -ENOMEM;
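Review bot: neither this hunk nor the changelog shows the type of num_descs in `vzalloc(array_size(num_descs, sizeof(*new->q.info)))`, so it is not clear whether the multiplication can overflow here at all. If it is an unsigned int like the `type` parameter visible in the hunk header, the product is computed in size_t and can only wrap where size_t is 32 bits wide. Please say in the changelog whether this is hardening or a reachable overflow.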
> @@ -581,7 +581,7 @@ static int ionic_qcq_alloc(struct ionic_lif *lif, unsigned int type,
> if (err)
> goto err_out;
>
> - new->cq.info = vzalloc(num_descs * sizeof(*new->cq.info));
> + new->cq.info = vzalloc(array_size(num_descs, sizeof(*new->cq.info)));
> if (!new->cq.info) {
> netdev_err(lif->netdev, "Cannot allocate completion queue info\n");
> err = -ENOMEM;
>
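Review bot: this line and the `new->q.info` one above both end up in the `v[mz]alloc.*array_size\(` form that Christophe's grep counts elsewhere in this thread. Converting the pair to vcalloc(), for example `vcalloc(num_descs, sizeof(*new->cq.info))` here, in the resend would avoid a second pass over this file; the netdev_err() and -ENOMEM handling stay unchanged.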

2023-06-27 09:53:07

by Cheng Xu

Subject: Re: [PATCH 05/26] RDMA/erdma: use array_size



On 6/24/23 5:14 AM, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/infiniband/hw/erdma/erdma_verbs.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)

Thanks,

Acked-by: Cheng Xu <[email protected]>

2023-06-27 18:02:55

by Julia Lawall

Subject: Re: [PATCH 20/26] drm/vmwgfx: use array_size



On Fri, 23 Jun 2023, Julia Lawall wrote:

> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> size_t e1,e2;
> expression COUNT;
> identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
> @@
>
> (
> alloc(
> - (e1) * (e2)
> + array_size(e1, e2)
> ,...)
> |
> alloc(
> - (e1) * (COUNT)
> + array_size(COUNT, e1)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c b/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
> index 829df395c2ed..c72fc8111a11 100644
> --- a/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
> +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_devcaps.c
> @@ -88,7 +88,7 @@ int vmw_devcaps_create(struct vmw_private *vmw)
> uint32_t i;
>
> if (gb_objects) {
> - vmw->devcaps = vzalloc(sizeof(uint32_t) * SVGA3D_DEVCAP_MAX);
> + vmw->devcaps = vzalloc(array_size(SVGA3D_DEVCAP_MAX, sizeof(uint32_t)));
> if (!vmw->devcaps)
> return -ENOMEM;
> for (i = 0; i < SVGA3D_DEVCAP_MAX; ++i) {
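Review bot: both factors in `vzalloc(array_size(SVGA3D_DEVCAP_MAX, sizeof(uint32_t)))` look like compile-time constants, so there is nothing for array_size() to catch at this call. The semantic patch quoted in this changelog has no `alloc(C1 * C2,...)` branch to skip constant products, unlike the variant used for the vmalloc/vzalloc-only patches in this series. Adding that branch to this rule would keep hunks like this one out of the resend.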

Hello,

I think this patch can be dropped, since it's a multiplication of two
constants and no overflow should be possible.

julia

2023-06-29 15:08:01

by David Sterba

Subject: Re: [PATCH 12/26] btrfs: zoned: use array_size

On Fri, Jun 23, 2023 at 11:14:43PM +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> size_t e1,e2;
> expression COUNT;
> identifier alloc = {vmalloc,vzalloc,kvmalloc,kvzalloc};
> @@
>
> (
> alloc(
> - (e1) * (e2)
> + array_size(e1, e2)
> ,...)
> |
> alloc(
> - (e1) * (COUNT)
> + array_size(COUNT, e1)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>

Added to misc-next with updated subject and changelog, thanks.

2023-07-10 22:21:05

by Jarkko Sakkinen

Subject: Re: [PATCH 21/26] x86/sgx: use array_size

On Fri, 2023-06-23 at 23:14 +0200, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> arch/x86/kernel/cpu/sgx/main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c
> index 166692f2d501..3a234942c586 100644
> --- a/arch/x86/kernel/cpu/sgx/main.c
> +++ b/arch/x86/kernel/cpu/sgx/main.c
> @@ -628,7 +628,8 @@ static bool __init sgx_setup_epc_section(u64 phys_addr, u64 size,
> if (!section->virt_addr)
> return false;
>
> - section->pages = vmalloc(nr_pages * sizeof(struct sgx_epc_page));
> + section->pages = vmalloc(array_size(nr_pages,
> + sizeof(struct sgx_epc_page)));
> if (!section->pages) {
> memunmap(section->virt_addr);
> return false;
>
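Review bot: the nested call forces a wrapped continuation line at `sizeof(struct sgx_epc_page)));`. vmalloc_array(nr_pages, sizeof(struct sgx_epc_page)), the non-zeroing counterpart of the vcalloc() mentioned on 02/26, performs the same overflow check and avoids the wrap. The `if (!section->pages)` path with memunmap() stays unchanged.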

Reviewed-by: Jarkko Sakkinen <[email protected]>

BR, Jarkko