syzbot reported WARNING in max_vclocks_store. This occurs when the size argument fits into a u32 but is too large to allocate, i.e., when it's between KMALLOC_MAX_SIZE + 1 and UINT_MAX (both limits included) Add validation to kmalloc_array_noprof() and related functions to return early if the requested size exceeds KMALLOC_MAX_SIZE. This seems like the most reasonable place for this guard. Would it be a good idea to move the check down to the lower level functions like __kmalloc_node_noprof()? Moving it up is not a good idea because max_vclocks_store shouldn't reason around KMALLOC_MAX_SIZE, a mm specific macro. Should the Fixes: commit here be the one in which this file was added? Reported-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com Tested-by: syzbot+94d20db923b9f51be0df@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=94d20db923b9f51be0df Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: I Viswanath --- include/linux/slab.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/linux/slab.h b/include/linux/slab.h index d5a8ab98035c..6db15c5b2ce7 100644 --- a/include/linux/slab.h +++ b/include/linux/slab.h @@ -943,7 +943,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_noprof(size_t n, size_t siz { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE))) return NULL; return kmalloc_noprof(bytes, flags); } @@ -973,7 +973,7 @@ static inline __realloc_size(2, 3) void * __must_check krealloc_array_noprof(voi { size_t bytes; - if (unlikely(check_mul_overflow(new_n, new_size, &bytes))) + if (unlikely(check_mul_overflow(new_n, new_size, &bytes) || (bytes > KMALLOC_MAX_SIZE))) return NULL; return krealloc_noprof(p, bytes, flags); @@ -1013,7 +1013,7 @@ static inline __alloc_size(1, 2) void *kmalloc_array_node_noprof(size_t n, size_ { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE))) return NULL; if (__builtin_constant_p(n) && __builtin_constant_p(size)) return kmalloc_node_noprof(bytes, flags, node); @@ -1059,7 +1059,7 @@ kvmalloc_array_node_noprof(size_t n, size_t size, gfp_t flags, int node) { size_t bytes; - if (unlikely(check_mul_overflow(n, size, &bytes))) + if (unlikely(check_mul_overflow(n, size, &bytes) || (bytes > KMALLOC_MAX_SIZE))) return NULL; return kvmalloc_node_noprof(bytes, flags, node); -- 2.47.3