Hi Tetsuo, On Tue, Jul 30, 2024 at 02:38:19PM +0900, Tetsuo Handa wrote: > On 2024/07/30 2:59, Dmitry Torokhov wrote: > > Please do not. Or you will have to patch it again when we will still see > > the same allocation failures because someone requested an input device > > with "too many" slots (1024 results in 4Mb mt->red table for example). > > > > Just fix malloc/syzkaller not to trigger on benign memory allocation > > hickups. They are normal. > > I chose 1024 because as far as I know 4MB is max acceptable size for > all environments without triggering too large allocation warning. > > You worry about mt->red, but did you notice that syzbot was reporting that > memory allocation for mt->red has an integer overflow bug, which can cause > out of bounds write or ZERO_SIZE_PTR pointer dereference bug at input_mt_set_matrix() ? > > https://lkml.kernel.org/r/6d878e01-6c2f-8766-2578-c95030442369@xxxxxxxxxxxxxxxxxxx I'll happily take the change converting that to array_size(). > > Lucky thing is that the uinput interface is for only the "root" user... uinput also does not request in-kernel contact tracking so it will not allow hitting that overflow. Thanks. -- Dmitry
