[PATCH] mm/zsmalloc: prevent integer overflow in obj_free

From: Anastasia Belova
Date: Thu Mar 13 2025 - 07:53:53 EST

Next message: Maxime Ripard: "Re: [PATCH v5 04/16] drm/atomic: Introduce helper to lookup connector by encoder"
Previous message: Alessandro Carminati: "[PATCH v4 14/14] powerpc: Add support for suppressing warning backtraces"
Next in thread: Sergey Senozhatsky: "Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The result of multiplication of class_size and f_objidx
may not fit unsigned integer. Add explicit casting to
unsigned long to prevent integer overflow.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: bfd093f5e7f0 ("zsmalloc: use freeobj for index")
Signed-off-by: Anastasia Belova <abelova@xxxxxxxxxxxxx>
---
mm/zsmalloc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c
index 6d0e47f7ae33..96e0b04ff278 100644
--- a/mm/zsmalloc.c
+++ b/mm/zsmalloc.c
@@ -1421,7 +1421,7 @@ static void obj_free(int class_size, unsigned long obj)

obj_to_location(obj, &f_zpdesc, &f_objidx);
- f_offset = offset_in_page(class_size * f_objidx);
+ f_offset = offset_in_page((unsigned long)class_size * f_objidx);
zspage = get_zspage(f_zpdesc);

vaddr = kmap_local_zpdesc(f_zpdesc);
--
2.43.0

Next message: Maxime Ripard: "Re: [PATCH v5 04/16] drm/atomic: Introduce helper to lookup connector by encoder"
Previous message: Alessandro Carminati: "[PATCH v4 14/14] powerpc: Add support for suppressing warning backtraces"
Next in thread: Sergey Senozhatsky: "Re: [PATCH] mm/zsmalloc: prevent integer overflow in obj_free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]