From: Artem Bityutskiy <dedekind1@gmail.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: kernel-janitors@vger.kernel.org, linux-mtd@lists.infradead.org,
Adrian Hunter <adrian.hunter@intel.com>
Subject: Re: [patch] UBIFS: use kmalloc_array() in recomp_data_node()
Date: Thu, 22 Nov 2012 13:24:10 +0200 [thread overview]
Message-ID: <1353583450.2701.44.camel@sauron.fi.intel.com> (raw)
In-Reply-To: <20121122111411.GJ6186@mwanda>
[-- Attachment #1: Type: text/plain, Size: 1567 bytes --]
On Thu, 2012-11-22 at 14:14 +0300, Dan Carpenter wrote:
> On Thu, Nov 22, 2012 at 12:31:37PM +0200, Artem Bityutskiy wrote:
> > On Sat, 2012-11-17 at 18:11 +0300, Dan Carpenter wrote:
> > > out_len = le32_to_cpu(dn->size);
> > > - buf = kmalloc(out_len * WORST_COMPR_FACTOR, GFP_NOFS);
> > > + buf = kmalloc_array(out_len, WORST_COMPR_FACTOR, GFP_NOFS);
> > > if (!buf)
> > > return -ENOMEM;
> >
> > I think this makes the code unreadable, because we really allocate a
> > buffer, not an array.
>
> The problem with the original code is that the multiply looks very
> suspect. Everyone who reads it has to backtrack to find where
> dn->size is capped.
>
> I guess in one sense we never allocate an array, we always declare
> it on the stack. We debated the naming and there really isn't a
> good name. kmalloc_safe() isn't right either. But anyway, the
> intent is that eventually someone will right a coccinelle script
> which replaces all these allocations with kmalloc_array().
>
> When I look at this code more, I still don't see a place where
> dn->size is capped. So I think we *need* the integer overflow
> check as an integer overflow fix and not just as a cleanup.
It is validated in fs/ubifs/io.c in 'ubifs_check_node()'.
'dn' stands for 'direntry node'. We read it from the media and validate
it immediately after we've read it, including 'dn->len'.
The entire code is written with the following assumption that whatever
is read from the flash media is validated.
--
Best Regards,
Artem Bityutskiy
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2012-11-22 11:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-17 15:11 [patch] UBIFS: use kmalloc_array() in recomp_data_node() Dan Carpenter
2012-11-22 10:31 ` Artem Bityutskiy
2012-11-22 11:14 ` Dan Carpenter
2012-11-22 11:24 ` Artem Bityutskiy [this message]
2012-11-22 12:33 ` Dan Carpenter
2012-11-22 14:48 ` Artem Bityutskiy
2012-11-22 16:41 ` Dan Carpenter
2012-11-22 11:26 ` Artem Bityutskiy
2012-11-22 11:29 ` Artem Bityutskiy
2012-11-22 12:09 ` Dan Carpenter
2012-11-22 11:50 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1353583450.2701.44.camel@sauron.fi.intel.com \
--to=dedekind1@gmail.com \
--cc=adrian.hunter@intel.com \
--cc=dan.carpenter@oracle.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox