On Wed, Dec 01, 2021 at 07:46:01PM -0800, Kees Cook wrote:
> If we're rejecting the value, then it's still a pathological size, so
> shouldn't the check be happening in the caller? I think the WARN is
> doing exactly what it was supposed to do: find the places where bad
> sizes can reach vmalloc.

I think it meshes very poorly with the overflow work:

  p = kzalloc(struct_size(p, regions, num_regions), GFP_KERNEL);

If num_regions is user controlled data why should the calling driver
have to somehow sanitize num_regions (without bugs!) instead of relying
on struct_size() and kzalloc() to contain all the sanitation?

What you are suggesting just pushes security sensitive coding into
drivers, which I think is the opposite of what we all want?

Jason
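The pattern under discussion, as an added userspace illustration that is not code from the thread or from the kernel: a struct_size()-style helper built on the GCC/Clang overflow intrinsics saturates to SIZE_MAX when a user-controlled element count overflows, and a mock zeroing allocator (constructed here, with an assumed 1 GiB cap standing in for the allocator's own limits) rejects that saturated size by returning NULL. The struct layout, helper names and the cap are assumptions made for the example; the point is that the driver never has to range-check num_regions itself for the allocation to be safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for a driver structure with a trailing flexible array. */
struct region {
    uint64_t base;
    uint64_t len;
};

struct region_table {
    uint32_t num_regions;
    struct region regions[];   /* flexible array member */
};

/* Saturating multiply: any overflow collapses to SIZE_MAX instead of wrapping,
 * which is the property struct_size() relies on. Assumed helper name. */
static size_t size_mul_sat(size_t a, size_t b)
{
    size_t r;
    if (__builtin_mul_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Saturating add, same contract as size_mul_sat(). */
static size_t size_add_sat(size_t a, size_t b)
{
    size_t r;
    if (__builtin_add_overflow(a, b, &r))
        return SIZE_MAX;
    return r;
}

/* Equivalent of struct_size(p, regions, n) for struct region_table:
 * header size plus n elements, saturating rather than wrapping. */
static size_t region_table_size(size_t n)
{
    return size_add_sat(offsetof(struct region_table, regions),
                        size_mul_sat(n, sizeof(struct region)));
}

/* Mock zeroing allocator: refuses pathological sizes itself instead of
 * trusting every caller to have sanitised the count. The cap is assumed. */
#define MOCK_ALLOC_MAX ((size_t)1 << 30)

static void *mock_zalloc(size_t size)
{
    if (size == SIZE_MAX || size > MOCK_ALLOC_MAX)
        return NULL;   /* rejected: no wraparound, no undersized buffer */
    return calloc(1, size);
}

/* The driver-side call: one line, no range check on num_regions needed
 * for memory safety, because the size math and the allocator contain it. */
static struct region_table *alloc_table(size_t num_regions)
{
    return mock_zalloc(region_table_size(num_regions));
}

int main(void)
{
    struct region_table *ok = alloc_table(4);
    struct region_table *bad = alloc_table(SIZE_MAX / 8);   /* overflows */

    printf("4 regions: %s\n", ok ? "allocated" : "rejected");
    printf("huge count: %s\n", bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```

With a wrapping multiply, the huge count would produce a small size, and the driver would then index regions[] far past the allocation; with saturation the allocator sees SIZE_MAX and refuses, so the failure surfaces as a NULL return at the call site rather than as a heap overflow later.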