[PATCH] io_uring/rsrc: bound io_coalesce_buffer() page array allocation
From: Yi Xie
Date: Tue Jun 30 2026 - 03:11:48 EST
kvmalloc_objs() in io_coalesce_buffer() does not check for size overflow
when nr_folios is large. Mirror the check used in memmap.c before
allocating the page pointer array.
Signed-off-by: Yi Xie <xieyi@xxxxxxxxxx>
---
io_uring/rsrc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 8d0f2ee24e0c..f1f8d6dd102c 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -776,6 +776,8 @@ static bool io_coalesce_buffer(struct page ***pages, int *nr_pages,
unsigned i, j;
/* Store head pages only*/
+ if (nr_folios > INT_MAX / sizeof(struct page *))
+ return false;
new_array = kvmalloc_objs(struct page *, nr_folios);
if (!new_array)
return false;
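Review bot: the bound in `if (nr_folios > INT_MAX / sizeof(struct page *))` has no comment explaining it, and the check is inserted between the "Store head pages only" comment and the kvmalloc_objs() call that comment describes. Move the check above that comment and add a one-line comment saying why the byte size is limited to INT_MAX rather than to the point where the multiplication would wrap. The commit message says this mirrors memmap.c but does not name the function being mirrored, and neither the message nor the hunk shows the type or origin of nr_folios. Stating both would let a reader confirm the check is reachable and is not redundant with any overflow handling inside kvmalloc_objs() itself. The new path returns false exactly as the `if (!new_array)` path does, so callers cannot tell an oversized request from an allocation failure. If that is intended, say so in the message.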
--
2.25.1