This is a note to let you know that I've just added the patch titled ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: ptr_ring-fail-early-if-queue-occupies-more-than-kmalloc_max_size.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 6e6e41c3112276288ccaf80c70916779b84bb276 Mon Sep 17 00:00:00 2001 From: Jason Wang <jasowang@xxxxxxxxxx> Date: Fri, 9 Feb 2018 17:45:49 +0800 Subject: ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE From: Jason Wang <jasowang@xxxxxxxxxx> commit 6e6e41c3112276288ccaf80c70916779b84bb276 upstream. To avoid slab to warn about exceeded size, fail early if queue occupies more than KMALLOC_MAX_SIZE. Reported-by: syzbot+e4d4f9ddd4295539735d@xxxxxxxxxxxxxxxxxxxxxxxxx Fixes: 2e0ab8ca83c12 ("ptr_ring: array based FIFO for pointers") Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx> Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- include/linux/ptr_ring.h | 2 ++ 1 file changed, 2 insertions(+) --- a/include/linux/ptr_ring.h +++ b/include/linux/ptr_ring.h @@ -351,6 +351,8 @@ static inline void *ptr_ring_consume_bh( static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp) { + if (size * sizeof(void *) > KMALLOC_MAX_SIZE) + return NULL; return kcalloc(size, sizeof(void *), gfp); } Patches currently in stable-queue which might be from jasowang@xxxxxxxxxx are queue-4.9/vhost-use-mutex_lock_nested-in-vhost_dev_lock_vqs.patch queue-4.9/ptr_ring-fail-early-if-queue-occupies-more-than-kmalloc_max_size.patch
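Review bot: the product `size * sizeof(void *)` in the added check can wrap where `size_t` is 32 bits (`size` is an `unsigned int`, so for a large enough `size` the product silently wraps below KMALLOC_MAX_SIZE and the early return is skipped); the call then falls through to `kcalloc()`, whose own multiplication-overflow check still returns NULL, so the outcome is correct but the early-fail path no longer covers the whole range. Writing the guard as a division avoids the wrap on every architecture: `if (size > KMALLOC_MAX_SIZE / sizeof(void *)) return NULL;`. A one-line comment above the check saying why the cap exists (the slab allocator warns on requests above KMALLOC_MAX_SIZE, which is what the syzbot report hit) would also help the next reader of `__ptr_ring_init_queue_alloc()`.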
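The guard in the patch above, reproduced as an added userspace model so it can be run and tested outside the kernel; this is not kernel code and not part of the patch. It models a ptr_ring-style FIFO whose queue allocator refuses any slot count that would exceed an assumed KMALLOC_MAX_SIZE of 4 MiB, using the wrap-safe division form of the comparison rather than the multiplication. The `_model` names, the 4 MiB constant and the returned error numbers are assumptions made for illustration.

```c
/* Added example, not kernel code: a userspace model of the ptr_ring queue
 * allocation guard. KMALLOC_MAX_SIZE is assumed to be 4 MiB here; the real
 * value depends on the kernel's page size and slab configuration. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define KMALLOC_MAX_SIZE_MODEL (4u << 20)   /* assumed cap: 4 MiB */
#define ENOMEM_MODEL 12                    /* assumed errno values */
#define ENOSPC_MODEL 28

struct ptr_ring_model {
    unsigned int size;          /* number of slots */
    unsigned int producer;      /* next slot to fill */
    unsigned int consumer;      /* next slot to drain */
    void **queue;               /* size * sizeof(void *) bytes */
};

/* Largest slot count the guard accepts: cap divided by slot width. */
static unsigned int ring_max_slots_model(void)
{
    return KMALLOC_MAX_SIZE_MODEL / sizeof(void *);
}

/* Models the patched __ptr_ring_init_queue_alloc(). The division form
 * cannot wrap, unlike size * sizeof(void *) on a 32-bit size_t. */
static void **queue_alloc_model(unsigned int size)
{
    if (size > ring_max_slots_model())
        return NULL;            /* would exceed the allocator cap: fail early */
    return calloc(size, sizeof(void *));
}

static int ring_init_model(struct ptr_ring_model *r, unsigned int size)
{
    r->queue = queue_alloc_model(size);
    if (!r->queue)
        return -ENOMEM_MODEL;
    r->size = size;
    r->producer = r->consumer = 0;
    return 0;
}

/* A NULL slot is free; a non-NULL slot means the ring is full here. */
static int ring_produce_model(struct ptr_ring_model *r, void *ptr)
{
    if (r->queue[r->producer])
        return -ENOSPC_MODEL;
    r->queue[r->producer] = ptr;
    if (++r->producer >= r->size)
        r->producer = 0;
    return 0;
}

static void *ring_consume_model(struct ptr_ring_model *r)
{
    void *ptr = r->queue[r->consumer];
    if (ptr) {
        r->queue[r->consumer] = NULL;
        if (++r->consumer >= r->size)
            r->consumer = 0;
    }
    return ptr;
}

static void ring_cleanup_model(struct ptr_ring_model *r)
{
    free(r->queue);
    r->queue = NULL;
}

/* Exercises the guard and the FIFO; returns 0 on success, else the
 * number of the step that failed. */
static int ring_selftest_model(void)
{
    struct ptr_ring_model r;
    int a = 1, b = 2;

    if (ring_init_model(&r, UINT_MAX) != -ENOMEM_MODEL)        /* absurd size */
        return 1;
    if (ring_init_model(&r, ring_max_slots_model() + 1) != -ENOMEM_MODEL)
        return 2;                                              /* one past cap */
    if (ring_init_model(&r, 4) != 0)                           /* sane size */
        return 3;
    if (ring_produce_model(&r, &a) || ring_produce_model(&r, &b))
        return 4;
    if (ring_consume_model(&r) != &a || ring_consume_model(&r) != &b)
        return 5;
    if (ring_consume_model(&r) != NULL)                        /* now empty */
        return 6;
    ring_cleanup_model(&r);
    return 0;
}

int main(void)
{
    printf("max slots under the assumed cap: %u\n", ring_max_slots_model());
    printf("selftest: %d\n", ring_selftest_model());
    return 0;
}
```

The point of the model is the order of operations: the size is checked against the cap before any allocator call is made, so an oversized request from a caller fails with an error the caller already handles instead of reaching the allocator's warning path.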