Re: [PATCH] vmalloc: fix buffer overflow in vrealloc_node_align()

From: Andrew Morton

Date: Fri Apr 24 2026 - 10:00:33 EST


On Mon, 20 Apr 2026 13:47:26 +0200 Marco Elver <elver@xxxxxxxxxx> wrote:

> Commit 4c5d3365882d ("mm/vmalloc: allow to set node and align in
> vrealloc") added the ability to force a new allocation if the current
> pointer is on the wrong NUMA node, or if an alignment constraint is not
> met, even if the user is shrinking the allocation.
>
> On this path (need_realloc), the code allocates a new object of 'size'
> bytes and then memcpy()s 'old_size' bytes into it. If the request is to
> shrink the object (size < old_size), this results in an out-of-bounds
> write on the new buffer.
>
> Fix this by bounding the copy length by the new allocation size.

AI review is asking questions about the nearby code:
https://sashiko.dev/#/patchset/20260420114805.3572606-2-elver@xxxxxxxxxx
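A user-space model of the need_realloc path described in the quoted commit message, added here as an illustration rather than taken from the kernel patch: a forced reallocation (NUMA node or alignment mismatch) must bound the copy by the new size, otherwise a shrink overruns the fresh buffer. The function names realloc_forced(), safe_copy_len() and shrink_keeps_prefix() are hypothetical and not from mm/vmalloc.c.

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Number of bytes that may be copied from an 'old_size'-byte object into a
 * new 'size'-byte object. The bug was copying 'old_size' unconditionally;
 * the fix bounds the copy by the new allocation size. */
size_t safe_copy_len(size_t old_size, size_t size)
{
    return old_size < size ? old_size : size;
}

/* Stand-in for the forced-reallocation branch: always allocate a new object
 * of 'size' bytes and migrate the contents of 'old' (holding 'old_size'
 * bytes) into it. Before the fix the copy length was 'old_size', so a
 * shrink request (size < old_size) wrote past the end of the new buffer. */
void *realloc_forced(void *old, size_t old_size, size_t size)
{
    void *n = malloc(size);
    if (!n)
        return NULL;
    memcpy(n, old, safe_copy_len(old_size, size)); /* fixed: bounded copy */
    free(old);
    return n;
}

/* Returns 1 if resizing an 'old_size'-byte buffer to 'size' bytes through
 * realloc_forced() preserves the first min(old_size, size) bytes, 0 otherwise.
 * The buffer contents are constructed here (byte i holds i) for the check. */
int shrink_keeps_prefix(size_t old_size, size_t size)
{
    unsigned char *buf = malloc(old_size);
    if (!buf)
        return 0;
    for (size_t i = 0; i < old_size; i++)
        buf[i] = (unsigned char)i;
    unsigned char *n = realloc_forced(buf, old_size, size);
    if (!n)
        return 0;
    size_t keep = safe_copy_len(old_size, size);
    int ok = 1;
    for (size_t i = 0; i < keep; i++)
        if (n[i] != (unsigned char)i)
            ok = 0;
    free(n);
    return ok;
}
```

Running the shrink case under a memory checker with the copy length changed back to old_size reproduces the out-of-bounds write the patch fixes.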