Commit 88913bd8 authored by David Rientjes's avatar David Rientjes Committed by Linus Torvalds

kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE

chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
of chan->n_subbufs * sizeof(size_t *).

kmalloc_slab() will generate a warning when this fails if
chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.

Limit chan->n_subbufs to the maximum allowed kmalloc() size.

Fixes: f6302f1b ("relay: prevent integer overflow in relay_open()")
Signed-off-by: default avatarDavid Rientjes <>
Reviewed-by: default avatarAndrew Morton <>
Cc: Jens Axboe <>
Cc: Dave Jiang <>
Cc: Al Viro <>
Cc: Dan Carpenter <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 9c4e6b1a
......@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
struct rchan_buf *buf;
if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
return NULL;
buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment