If we are unlucky, n * size would overflow size_t and we'll instead allocate a small truncated value, which may lead to memory corruption. Fix this by using size_mul, which saturates at SIZE_MAX.
Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
---
 include/linux/slab.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/linux/slab.h b/include/linux/slab.h
index dc80808938f4..36b93bdd2f1b 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -4,6 +4,7 @@
 #define _LINUX_SLAB_H
 #include <malloc.h>
+#include <linux/overflow.h>
 #include <linux/string.h>
 #define SLAB_CONSISTENCY_CHECKS 0
@@ -98,7 +99,7 @@ static inline void *kzalloc(size_t size, gfp_t flags)
  */
 static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
 {
- return kmalloc(n * size, flags);
+ return kmalloc(size_mul(n, size), flags);
 }
 static inline void *kcalloc(size_t n, size_t size, gfp_t flags)
--
2.39.2
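Review bot: The saturated value in kmalloc_array only helps if `kmalloc(SIZE_MAX, flags)` fails cleanly, and that is not visible in this hunk: kmalloc is defined outside it, and an allocator that adds header or alignment padding to the request before its own bounds check could wrap a SIZE_MAX request back to a small size. It would be worth confirming this for each allocator backend that can sit underneath this header. I would also record the contract in the comment above kmalloc_array, e.g. `Returns NULL if n * size overflows size_t; the product saturates at SIZE_MAX so the request can never be undersized.` The kcalloc body that follows is outside the hunk, so whether it carries the same open-coded multiplication cannot be judged from here.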