Date: Mon, 21 Sep 2020 20:49:21 +0200
From: David Sterba
To: Denis Efremov
Cc: David Sterba, Josef Bacik, Chris Mason, linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Kees Cook
Subject: Re: [PATCH 2/2] btrfs: check allocation size in btrfs_ioctl_send()
Message-ID: <20200921184921.GR6756@twin.jikos.cz>
In-Reply-To: <20200921170336.82643-2-efremov@linux.com>

On Mon, Sep 21, 2020 at 08:03:36PM +0300, Denis Efremov wrote:
> Replace kvzalloc() call with kvcalloc() that checks
> the size internally. Use array_size() helper to compute
> the memory size for clone_sources_tmp.
>
> Cc: Kees Cook
> Signed-off-by: Denis Efremov
> ---
> fs/btrfs/send.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c > index c874ddda6252..9e02aba30651 100644 > --- a/fs/btrfs/send.c > +++ b/fs/btrfs/send.c > @@ -7087,7 +7087,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg) > u32 i; > u64 *clone_sources_tmp = NULL; > int clone_sources_to_rollback = 0; > - unsigned alloc_size; > + size_t alloc_size; > int sort_clone_roots = 0; > > if (!capable(CAP_SYS_ADMIN)) 
> @@ -7179,15 +7179,16 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg) > sctx->waiting_dir_moves = RB_ROOT; > sctx->orphan_dirs = RB_ROOT; > > - alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1); > - > - sctx->clone_roots = kvzalloc(alloc_size, GFP_KERNEL); > + sctx->clone_roots = kvcalloc(sizeof(*sctx->clone_roots), > + arg->clone_sources_count + 1, > + GFP_KERNEL);

There is an overflow check in btrfs_ioctl_send a few lines above, it won't overflow at the allocation so this is more like a cleanup than adding a missing check, as the subject suggests.

Patches added to misc-next, thanks.
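
Review bot: In the second hunk the kvcalloc() arguments are in the wrong order: kvcalloc() takes the element count first and the element size second, but the call passes `sizeof(*sctx->clone_roots)` as the count and `arg->clone_sources_count + 1` as the size. The product is the same, so behaviour does not change, but `kvcalloc(arg->clone_sources_count + 1, sizeof(*sctx->clone_roots), GFP_KERNEL)` would match the helper's signature and read the way other callers do. Separately, the `+ 1` is evaluated before kvcalloc() sees the value, so the helper's internal multiplication check does not cover a wrap in that addition; that case still depends on the earlier bound check in btrfs_ioctl_send() that the reply refers to, which is worth stating in the commit message.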