Use array_size to protect against multiplication overflows.
The changes were done using the following Coccinelle semantic patch:
// <smpl>
@@
expression E1, E2;
constant C1, C2;
identifier alloc = {vmalloc,vzalloc};
@@
(
alloc(C1 * C2,...)
|
alloc(
- (E1) * (E2)
+ array_size(E1, E2)
,...)
)
// </smpl>
Signed-off-by: Julia Lawall <[email protected]>
---
drivers/staging/media/ipu3/ipu3-mmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/ipu3/ipu3-mmu.c b/drivers/staging/media/ipu3/ipu3-mmu.c
index cb9bf5fb29a5..9c4adb815c94 100644
--- a/drivers/staging/media/ipu3/ipu3-mmu.c
+++ b/drivers/staging/media/ipu3/ipu3-mmu.c
@@ -464,7 +464,7 @@ struct imgu_mmu_info *imgu_mmu_init(struct device *parent, void __iomem *base)
* Allocate the array of L2PT CPU pointers, initialized to zero,
* which means the dummy L2PT allocated above.
*/
- mmu->l2pts = vzalloc(IPU3_PT_PTES * sizeof(*mmu->l2pts));
+ mmu->l2pts = vzalloc(array_size(IPU3_PT_PTES, sizeof(*mmu->l2pts)));
if (!mmu->l2pts)
goto fail_l2pt;
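Review bot: On the vzalloc() line, both operands, IPU3_PT_PTES and sizeof(*mmu->l2pts), appear to be compile-time constants, so array_size() adds no run-time overflow protection at this call site. The semantic patch's first branch, alloc(C1 * C2,...), exists to leave constant products untouched, yet this site was still rewritten, which suggests the sizeof operand was not matched by the "constant" metavariables. Either drop this hunk, or if the call is changed for readability, prefer vcalloc(IPU3_PT_PTES, sizeof(*mmu->l2pts)); it may also be worth making the rule send sizeof operands to the no-change branch.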
Julia,
Thanks for your patch.
On 6/24/23 5:14 AM, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/staging/media/ipu3/ipu3-mmu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-mmu.c b/drivers/staging/media/ipu3/ipu3-mmu.c
> index cb9bf5fb29a5..9c4adb815c94 100644
> --- a/drivers/staging/media/ipu3/ipu3-mmu.c
> +++ b/drivers/staging/media/ipu3/ipu3-mmu.c
> @@ -464,7 +464,7 @@ struct imgu_mmu_info *imgu_mmu_init(struct device *parent, void __iomem *base)
> * Allocate the array of L2PT CPU pointers, initialized to zero,
> * which means the dummy L2PT allocated above.
> */
> - mmu->l2pts = vzalloc(IPU3_PT_PTES * sizeof(*mmu->l2pts));
> + mmu->l2pts = vzalloc(array_size(IPU3_PT_PTES, sizeof(*mmu->l2pts)));
> if (!mmu->l2pts)
> goto fail_l2pt;
>
>
Reviewed-by: Bingbu Cao <[email protected]>
--
Best regards,
Bingbu Cao
On Fri, 23 Jun 2023, Julia Lawall wrote:
> Use array_size to protect against multiplication overflows.
>
> The changes were done using the following Coccinelle semantic patch:
>
> // <smpl>
> @@
> expression E1, E2;
> constant C1, C2;
> identifier alloc = {vmalloc,vzalloc};
> @@
>
> (
> alloc(C1 * C2,...)
> |
> alloc(
> - (E1) * (E2)
> + array_size(E1, E2)
> ,...)
> )
> // </smpl>
>
> Signed-off-by: Julia Lawall <[email protected]>
>
> ---
> drivers/staging/media/ipu3/ipu3-mmu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/staging/media/ipu3/ipu3-mmu.c b/drivers/staging/media/ipu3/ipu3-mmu.c
> index cb9bf5fb29a5..9c4adb815c94 100644
> --- a/drivers/staging/media/ipu3/ipu3-mmu.c
> +++ b/drivers/staging/media/ipu3/ipu3-mmu.c
> @@ -464,7 +464,7 @@ struct imgu_mmu_info *imgu_mmu_init(struct device *parent, void __iomem *base)
> * Allocate the array of L2PT CPU pointers, initialized to zero,
> * which means the dummy L2PT allocated above.
> */
> - mmu->l2pts = vzalloc(IPU3_PT_PTES * sizeof(*mmu->l2pts));
> + mmu->l2pts = vzalloc(array_size(IPU3_PT_PTES, sizeof(*mmu->l2pts)));
> if (!mmu->l2pts)
> goto fail_l2pt;
I think that this patch can be dropped. Since it is a multiplication of
two constants, if there is an overflow, I guess the compiler would detect
it?
julia
Hi Julia, Bingbu,
On Tue, Jun 27, 2023 at 07:35:47PM +0200, Julia Lawall wrote:
>
>
> On Fri, 23 Jun 2023, Julia Lawall wrote:
>
> > Use array_size to protect against multiplication overflows.
> >
> > The changes were done using the following Coccinelle semantic patch:
> >
> > // <smpl>
> > @@
> > expression E1, E2;
> > constant C1, C2;
> > identifier alloc = {vmalloc,vzalloc};
> > @@
> >
> > (
> > alloc(C1 * C2,...)
> > |
> > alloc(
> > - (E1) * (E2)
> > + array_size(E1, E2)
> > ,...)
> > )
> > // </smpl>
> >
> > Signed-off-by: Julia Lawall <[email protected]>
> >
> > ---
> > drivers/staging/media/ipu3/ipu3-mmu.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/staging/media/ipu3/ipu3-mmu.c b/drivers/staging/media/ipu3/ipu3-mmu.c
> > index cb9bf5fb29a5..9c4adb815c94 100644
> > --- a/drivers/staging/media/ipu3/ipu3-mmu.c
> > +++ b/drivers/staging/media/ipu3/ipu3-mmu.c
> > @@ -464,7 +464,7 @@ struct imgu_mmu_info *imgu_mmu_init(struct device *parent, void __iomem *base)
> > * Allocate the array of L2PT CPU pointers, initialized to zero,
> > * which means the dummy L2PT allocated above.
> > */
> > - mmu->l2pts = vzalloc(IPU3_PT_PTES * sizeof(*mmu->l2pts));
> > + mmu->l2pts = vzalloc(array_size(IPU3_PT_PTES, sizeof(*mmu->l2pts)));
> > if (!mmu->l2pts)
> > goto fail_l2pt;
>
> I think that this patch can be dropped. Since it is a multiplication of
> two constants, if there is an overflow, I guess the compiler would detect
> it?
Indeed. vcalloc() would be perhaps nicer but the original isn't wrong
either.
--
Kind regards,
Sakari Ailus
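
Added example, not part of the thread or the kernel sources: userspace C contrasting an open-coded size multiplication with a saturating helper in the style of array_size(), for a run-time operand and for a small constant product like the one discussed above. raw_array_size(), sat_array_size(), classify() and TABLE_ENTRIES are hypothetical names and constructed values; __builtin_mul_overflow is the GCC/Clang builtin.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TABLE_ENTRIES 1024u /* constructed constant, not the driver's value */

/* Constant operands: the bound can be enforced at build time instead. */
_Static_assert(TABLE_ENTRIES <= SIZE_MAX / sizeof(void *), "table size overflows size_t");

/* Open-coded product, as on the '-' line of the hunk: wraps modulo SIZE_MAX + 1. */
static size_t raw_array_size(size_t n, size_t elem) { return n * elem; }

/* Stand-in for array_size(): saturate to SIZE_MAX when the product overflows. */
static size_t sat_array_size(size_t n, size_t elem)
{
    size_t bytes;
    return __builtin_mul_overflow(n, elem, &bytes) ? SIZE_MAX : bytes;
}

enum outcome { ALLOC_OK, ALLOC_REFUSED, ALLOC_SHORT };

/* Model of what the caller ends up with for a given byte count (assumption:
 * the allocator can never satisfy SIZE_MAX bytes and returns NULL for it). */
static enum outcome classify(size_t bytes, size_t n, size_t elem)
{
    if (bytes == SIZE_MAX)
        return ALLOC_REFUSED;   /* NULL: the existing error path runs */
    if (elem && bytes / elem < n)
        return ALLOC_SHORT;     /* succeeds, but cannot hold n elements */
    return ALLOC_OK;
}

int main(void)
{
    static const char *const name[] = { "ok", "refused", "short buffer" };
    size_t n = SIZE_MAX / 8 + 2;    /* constructed run-time count that overflows */
    size_t raw = raw_array_size(n, 8), sat = sat_array_size(n, 8);
    size_t fixed = sat_array_size(TABLE_ENTRIES, sizeof(void *));

    printf("raw:       %zu bytes -> %s\n", raw, name[classify(raw, n, 8)]);
    printf("saturated: %zu bytes -> %s\n", sat, name[classify(sat, n, 8)]);
    printf("constant:  %zu bytes -> %s\n", fixed,
           name[classify(fixed, TABLE_ENTRIES, sizeof(void *))]);
    return 0;
}
```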