summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@linaro.org>2023-09-14 17:59:10 +0300
committerKent Overstreet <kent.overstreet@linux.dev>2023-10-22 17:10:14 -0400
commit4ba985b84de627ba4f257c9843d0dd7146df2180 (patch)
tree57e1082aae9eddcc4c930508d207411c9406b9eb
parent301e0237cadfc7c446e16eab6df38073ade3631d (diff)
bcachefs: chardev: fix an integer overflow (32 bit only)
On 32 bit systems, "sizeof(*arg) + replica_entries_bytes" can have an integer overflow leading to memory corruption. Use size_add() to prevent this. Fixes: b44dd3797034 ("bcachefs: Redo filesystem usage ioctls") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
-rw-r--r--fs/bcachefs/chardev.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index e5e9fddddfb5..51d671267741 100644
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -421,7 +421,7 @@ static long bch2_ioctl_fs_usage(struct bch_fs *c,
if (get_user(replica_entries_bytes, &user_arg->replica_entries_bytes))
return -EFAULT;
- arg = kzalloc(sizeof(*arg) + replica_entries_bytes, GFP_KERNEL);
+ arg = kzalloc(size_add(sizeof(*arg), replica_entries_bytes), GFP_KERNEL);
if (!arg)
return -ENOMEM;