• Martin Kelly's avatar
    iio:kfifo_buf: check for uint overflow · 838f25e3
    Martin Kelly authored
    commit 3d13de4b upstream.
    
    Currently, the following causes a kernel OOPS in memcpy:
    
    echo 1073741825 > buffer/length
    echo 1 > buffer/enable
    
    Note that using 1073741824 instead of 1073741825 causes "write error:
    Cannot allocate memory" but no OOPS.
    
    This is because 1073741824 == 2^30 and 1073741825 == 2^30+1. Since kfifo
    rounds up to the nearest power of 2, it will actually call kmalloc with
    roundup_pow_of_two(length) * bytes_per_datum.
    
    Using length == 1073741825 and bytes_per_datum == 2, we get:
    
    kmalloc(roundup_pow_of_two(1073741825) * 2
    or kmalloc(2147483648 * 2)
    or kmalloc(4294967296)
    or kmalloc(UINT_MAX + 1)
    
    so this overflows to 0, causing kmalloc to return ZERO_SIZE_PTR and
    subsequent memcpy to fail once the device is enabled.
    
    Fix this by checking for overflow prior to allocating a kfifo. With this
    check added, the above code returns -EINVAL when enabling the buffer,
    rather than causing an OOPS.
    Signed-off-by: default avatarMartin Kelly <mkelly@xevo.com>
    cc: <Stable@vger.kernel.org>
    Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    838f25e3
kfifo_buf.c 5.04 KB