fuse: convert page array allocation to kcalloc()

fuse_get_user_pages() allocates the temporary pages[] array used by
iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p),
...) form.  max_pages is derived from the inbound iov_iter and is not
bounded at compile time, so the multiplication can overflow on
sufficiently large iter counts; the resulting too-small allocation
would then be written past by iov_iter_extract_pages().

Switch to kcalloc(), which carries the same zero-on-allocation
semantics and adds the standard size_mul overflow check.  No
functional change for non-overflow inputs.

Signed-off-by: William Theesfeld <william@theesfeld.net>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index e8833e2a6610f0987cb51166e421528dd6bdaa4b..cbd02fa3cb7403daffa045d18bff4cddd8b2521f 100644 (file)
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1590,7 +1590,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii,
         * manually extract pages using iov_iter_extract_pages() and then
         * copy that to a folios array.
         */
-       struct page **pages = kzalloc(max_pages * sizeof(struct page *),
+       struct page **pages = kcalloc(max_pages, sizeof(struct page *),
                                      GFP_KERNEL);
        if (!pages) {
                ret = -ENOMEM;