On Thu, May 06, 2021 at 04:22:10PM +0200, Uladzislau Rezki wrote:
> Seems like vmalloc() is called with zero size passed:
>
> <snip>
> void *__vmalloc_node_range(unsigned long size, unsigned long align,
> unsigned long start, unsigned long end, gfp_t gfp_mask,
> pgprot_t prot, unsigned long vm_flags, int node,
> const void *caller)
> {
> struct vm_struct *area;
> void *addr;
> unsigned long real_size = size;
> unsigned long real_align = align;
> unsigned int shift = PAGE_SHIFT;
>
> 2873 if (WARN_ON_ONCE(!size))
> return NULL;
> <snip>
>
> from the dvb_dmx_init() driver:
>
> <snip>
> int dvb_dmx_init(struct dvb_demux *dvbdemux)
> {
> int i;
> struct dmx_demux *dmx = &dvbdemux->dmx;
>
> dvbdemux->cnt_storage = NULL;
> dvbdemux->users = 0;
> 1251 dvbdemux->filter = vmalloc(array_size(sizeof(struct dvb_demux_filter),
> <snip> dvbdemux->filternum));
Indeed.
It is a mystery because array_size() should never return less than
sizeof(struct dvb_demux_filter). That's the whole point of the
array_size() function is that it returns ULONG_MAX if there is an
integer overflow.
regards,
dan carpenter
