review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Dan Carpenter <dan.carpenter@oracle.com>
	Thu, 21 Jul 2022 21:36:10 +0000 (14:36 -0700)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 29 Jul 2022 15:25:09 +0000 (17:25 +0200)
commit	44addae95ed747f270fa74c7e90036854203e37b
tree	1039c9283f5e9883ce873b4ed36286747e34a24c	tree \| snapshot
parent	1da0b50ea07114fe1fe85ca126f8df1065633d59	commit \| diff

xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list()

[ Upstream commit 6ed6356b07714e0198be3bc3ecccc8b40a212de4 ]

The "bufsize" comes from the root user.  If "bufsize" is negative then,
because of type promotion, neither of the validation checks at the start
of the function are able to catch it:

if (bufsize < sizeof(struct xfs_attrlist) ||
    bufsize > XFS_XATTR_LIST_MAX)
return -EINVAL;

This means "bufsize" will trigger (WARN_ON_ONCE(size > INT_MAX)) in
kvmalloc_node().  Fix this by changing the type from int to size_t.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Leah Rumancik <leah.rumancik@gmail.com>
Acked-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

fs/xfs/xfs_ioctl.c		diff \| blob \| history
fs/xfs/xfs_ioctl.h		diff \| blob \| history