fuse_get_user_pages() allocates the temporary pages[] array used by
iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
...) form. max_pages is derived from the inbound iov_iter and is not
bounded at compile time, so the multiplication can overflow on
sufficiently large iter counts; the resulting too-small allocation
would then be written past by iov_iter_extract_pages().

Switch to kcalloc(), which carries the same zero-on-allocation
semantics and adds the standard size_mul overflow check. No
functional change for non-overflow inputs.

Signed-off-by: William Theesfeld <william@theesfeld.net>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index f94f3dc08..9e258e53a 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1586,7 +1586,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,
* manually extract pages using iov_iter_extract_pages() and then
* copy that to a folios array.
*/
- struct page **pages = kzalloc(max_pages * sizeof(struct page *),
+ struct page **pages = kcalloc(max_pages, sizeof(struct page *),
GFP_KERNEL);
if (!pages) {
ret = -ENOMEM;
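Review bot: the overflow case is handled only by the existing `if (!pages)` / `ret = -ENOMEM` path below the changed lines, which is correct since kcalloc() returns NULL when `max_pages * sizeof(struct page *)` would wrap, but nothing in this hunk shows where max_pages comes from or how it is bounded; the commit message says it is derived from the inbound iov_iter, so please point at that computation (or the existing bound on it) in the message, because whether this is a reachable overflow or a defensive cleanup changes how the change should be described. The substitution itself is fine: `kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL)` keeps the same flags and zeroing as the kzalloc() form it replaces and is the idiomatic spelling for an array allocation.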
--
2.54.0
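The failure mode the commit message describes, as an added userspace example that is not kernel code and not part of the patch above: the open-coded `n * sizeof(*p)` wraps silently for a large count, so the allocator hands back a buffer of zero or a handful of bytes while the caller believes it has room for billions of pointers, whereas a kcalloc-style check (the kernel's size_mul saturates to SIZE_MAX and the allocation then fails) turns the same request into NULL. The helper names `naive_array_size`, `checked_array_size`, `example_calloc` and `first_overflowing_count` are illustrative and assumed, not kernel APIs; `__builtin_mul_overflow` is the GCC/Clang primitive that check_mul_overflow() is built on.

```c
/* Added example (not from the kernel or the patch): why kcalloc(n, size)
 * is safer than kzalloc(n * size). Helper names here are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Open-coded form: the multiplication wraps modulo 2^64 with no warning. */
static size_t naive_array_size(size_t n, size_t elem_size)
{
    return n * elem_size;
}

/* kcalloc-style form: mirrors the kernel's size_mul(), which saturates to
 * SIZE_MAX on overflow so that the allocator refuses the request. */
static size_t checked_array_size(size_t n, size_t elem_size)
{
    size_t bytes;

    if (__builtin_mul_overflow(n, elem_size, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Userspace stand-in for kcalloc(): NULL on overflow, zeroed memory otherwise.
 * (A real kcalloc() also fails for SIZE_MAX because no allocator can satisfy it.) */
static void *example_calloc(size_t n, size_t elem_size)
{
    size_t bytes = checked_array_size(n, elem_size);
    void *p;

    if (bytes == SIZE_MAX)
        return NULL;
    p = malloc(bytes ? bytes : 1);   /* avoid implementation-defined malloc(0) */
    if (p)
        memset(p, 0, bytes);
    return p;
}

/* Smallest element count for which n * sizeof(void *) wraps on this platform:
 * for 8-byte pointers that is 2^61, whose product is exactly 2^64 -> 0. */
static size_t first_overflowing_count(void)
{
    return SIZE_MAX / sizeof(void *) + 1;
}

int main(void)
{
    size_t n = first_overflowing_count();

    /* Naive size for n wraps to 0; for n + 1 it wraps to one pointer's worth,
     * i.e. a buffer of 8 bytes for a caller that expects n + 1 slots. */
    printf("n = %zu\n", n);
    printf("naive   n     -> %zu bytes\n", naive_array_size(n, sizeof(void *)));
    printf("naive   n + 1 -> %zu bytes\n", naive_array_size(n + 1, sizeof(void *)));
    printf("checked n     -> %s\n",
           checked_array_size(n, sizeof(void *)) == SIZE_MAX ? "overflow" : "ok");
    printf("calloc  n     -> %s\n",
           example_calloc(n, sizeof(void *)) == NULL ? "NULL" : "allocated");

    void *ok = example_calloc(16, sizeof(void *));
    printf("calloc  16    -> %s\n", ok ? "allocated (zeroed)" : "NULL");
    free(ok);
    return 0;
}
```

The interesting case is the wrap to a small non-zero size: an allocation that succeeds, so no error path fires, and the writer (iov_iter_extract_pages() in the kernel case) then runs off the end of a live heap object.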
On Mon, 1 Jun 2026 at 21:29, William Theesfeld <william@theesfeld.net> wrote:
>
> fuse_get_user_pages() allocates the temporary pages[] array used by
> iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
> ...) form. max_pages is derived from the inbound iov_iter and is not
> bounded at compile time, so the multiplication can overflow on
> sufficiently large iter counts; the resulting too-small allocation
> would then be written past by iov_iter_extract_pages().
>
> Switch to kcalloc(), which carries the same zero-on-allocation
> semantics and adds the standard size_mul overflow check. No
> functional change for non-overflow inputs.
>
> Signed-off-by: William Theesfeld <william@theesfeld.net>

Applied, thanks.

Miklos