summaryrefslogtreecommitdiff
path: root/fs/btrfs
diff options
context:
space:
mode:
authorDenis Efremov <efremov@linux.com>2020-09-21 20:03:36 +0300
committerDavid Sterba <dsterba@suse.com>2020-10-07 12:13:22 +0200
commitbae12df966f0e1a9b40a2c46d01a0ad79b2c865c (patch)
treeb3646bc6434e34f90442e5eda3849236f8d32e91 /fs/btrfs
parent8eb2fd00153a3a96a19c62ac9c6d48c2efebe5e8 (diff)
downloadlwn-bae12df966f0e1a9b40a2c46d01a0ad79b2c865c.tar.gz
lwn-bae12df966f0e1a9b40a2c46d01a0ad79b2c865c.zip
btrfs: use kvcalloc for allocation in btrfs_ioctl_send()
Replace kvzalloc() call with kvcalloc() that also checks the size internally. There's a standalone overflow check in the function so we can return invalid parameter combination. Use array_size() helper to compute the memory size for clone_sources_tmp. Cc: Kees Cook <keescook@chromium.org> Signed-off-by: Denis Efremov <efremov@linux.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'fs/btrfs')
-rw-r--r--fs/btrfs/send.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/fs/btrfs/send.c b/fs/btrfs/send.c
index 79b7d15ca50f..b84f921ed6c0 100644
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -7061,7 +7061,7 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
u32 i;
u64 *clone_sources_tmp = NULL;
int clone_sources_to_rollback = 0;
- unsigned alloc_size;
+ size_t alloc_size;
int sort_clone_roots = 0;
if (!capable(CAP_SYS_ADMIN))
@@ -7147,15 +7147,16 @@ long btrfs_ioctl_send(struct file *mnt_file, struct btrfs_ioctl_send_args *arg)
sctx->waiting_dir_moves = RB_ROOT;
sctx->orphan_dirs = RB_ROOT;
- alloc_size = sizeof(struct clone_root) * (arg->clone_sources_count + 1);
-
- sctx->clone_roots = kvzalloc(alloc_size, GFP_KERNEL);
+ sctx->clone_roots = kvcalloc(sizeof(*sctx->clone_roots),
+ arg->clone_sources_count + 1,
+ GFP_KERNEL);
if (!sctx->clone_roots) {
ret = -ENOMEM;
goto out;
}
- alloc_size = arg->clone_sources_count * sizeof(*arg->clone_sources);
+ alloc_size = array_size(sizeof(*arg->clone_sources),
+ arg->clone_sources_count);
if (arg->clone_sources_count) {
clone_sources_tmp = kvmalloc(alloc_size, GFP_KERNEL);