netfilter: ipset: Fix oversized kvmalloc() calls

commit 7661809d493b426e979f39ab512e3adf41fbcc69
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed Jul 14 09:45:49 2021 -0700

    mm: don't allow oversized kvmalloc() calls

limits the max allocatable memory via kvmalloc() to MAX_INT. Apply the
same limit in ipset.

Reported-by: syzbot+3493b1873fb3ea827986@syzkaller.appspotmail.com
Reported-by: syzbot+2b8443c35458a617c904@syzkaller.appspotmail.com
Reported-by: syzbot+ee5cb15f4a0e85e0d54e@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>

diff --git a/kernel/net/netfilter/ipset/ip_set_hash_gen.h b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
index adf35fd65d00561ee6c3ef1b1609403ef882f31e..9789a4ed085c9305ce900fbbb8d785e27787a76d 100644 (file)
--- a/kernel/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/kernel/net/netfilter/ipset/ip_set_hash_gen.h
@@ -131,11 +131,11 @@ htable_size(u8 hbits)
 {
        size_t hsize;
 
-       /* We must fit both into u32 in jhash and size_t */
+       /* We must fit both into u32 in jhash and INT_MAX in kvmalloc_node() */
        if (hbits > 31)
                return 0;
        hsize = jhash_size(hbits);
-       if ((((size_t)-1) - sizeof(struct htable)) / sizeof(struct hbucket *)
+       if ((INT_MAX - sizeof(struct htable)) / sizeof(struct hbucket *)
            < hsize)
                return 0;