[PATCH] fuse: convert page array allocation to kcalloc()

Next message: William Theesfeld: "[PATCH] net/mlx5: convert miss_list allocation to kvmalloc_array()"
Previous message: Max Clinton: "[PATCH v2] crypto: algif_skcipher - snapshot IV for async skcipher requests"
Next in thread: Miklos Szeredi: "Re: [PATCH] fuse: convert page array allocation to kcalloc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: William Theesfeld

Date: Mon Jun 01 2026 - 15:37:04 EST

fuse_get_user_pages() allocates the temporary pages[] array used by
iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
...) form. max_pages is derived from the inbound iov_iter and is not
bounded at compile time, so the multiplication can overflow on
sufficiently large iter counts; the resulting too-small allocation
would then be written past by iov_iter_extract_pages().

Switch to kcalloc(), which carries the same zero-on-allocation
semantics and adds the standard size_mul overflow check. No
functional change for non-overflow inputs.

Signed-off-by: William Theesfeld <william@xxxxxxxxxxxxx>
---
fs/fuse/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index f94f3dc08..9e258e53a 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1586,7 +1586,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,
* manually extract pages using iov_iter_extract_pages() and then
* copy that to a folios array.
*/
- struct page **pages = kzalloc(max_pages * sizeof(struct page *),
+ struct page **pages = kcalloc(max_pages, sizeof(struct page *),
GFP_KERNEL);
if (!pages) {
ret = -ENOMEM;
--
2.54.0