1. Patchew
  2. linux
  3. View series

[PATCH] relay: Fix type mismatch when allocating memory in relay_create_buf()

Gavrilov Ilia posted 1 patch 2 years, 9 months ago 
kernel/relay.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] relay: Fix type mismatch when allocating memory in relay_create_buf()
Posted by Gavrilov Ilia 2 years, 9 months ago 
The 'padding' field of the 'rchan_buf' structure is an array of 'size_t'
elements, but the memory is allocated for an array of 'size_t *' elements.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b86ff981a825 ("[PATCH] relay: migrate from relayfs to a generic relay API")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
 kernel/relay.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/relay.c b/kernel/relay.c
index d7edc934c56d..88bcb09f0a1f 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -148,13 +148,13 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
 {
 	struct rchan_buf *buf;
 
-	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
+	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t))
 		return NULL;
 
 	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
 	if (!buf)
 		return NULL;
-	buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t *),
+	buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t),
 				     GFP_KERNEL);
 	if (!buf->padding)
 		goto free_buf;
-- 
2.30.2
Re: [PATCH] relay: Fix type mismatch when allocating memory in relay_create_buf()
Posted by Andrew Morton 2 years, 9 months ago 
On Tue, 29 Nov 2022 09:23:38 +0000 Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> wrote:

> The 'padding' field of the 'rchan_buf' structure is an array of 'size_t'
> elements, but the memory is allocated for an array of 'size_t *' elements.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> --- a/kernel/relay.c
> +++ b/kernel/relay.c
> @@ -148,13 +148,13 @@ static struct rchan_buf *relay_create_buf(struct rchan *chan)
>  {
>  	struct rchan_buf *buf;
>  
> -	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
> +	if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t))
>  		return NULL;
>  
>  	buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
>  	if (!buf)
>  		return NULL;
> -	buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t *),
> +	buf->padding = kmalloc_array(chan->n_subbufs, sizeof(size_t),
>  				     GFP_KERNEL);

This is why I prefer kmalloc_array(N, sizeof(*(buf->padding)), ...)

Because the reviewer doesn't have to go check that the types match up,
and because the code doesn't need changing if the type of
*(buf->padding) is changed.

Others don't like this practice, but I forget why.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.