From: William Theesfeld Date: Mon, 1 Jun 2026 19:29:34 +0000 (-0400) Subject: fuse: convert page array allocation to kcalloc() X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=03728af4aeef6ee9914f93d60936db351e106863;p=thirdparty%2Fkernel%2Flinux.git fuse: convert page array allocation to kcalloc() fuse_get_user_pages() allocates the temporary pages[] array used by iov_iter_extract_pages() with the open-coded kzalloc(n * sizeof(*p), ...) form. max_pages is derived from the inbound iov_iter and is not bounded at compile time, so the multiplication can overflow on sufficiently large iter counts; the resulting too-small allocation would then be written past by iov_iter_extract_pages(). Switch to kcalloc(), which carries the same zero-on-allocation semantics and adds the standard size_mul overflow check. No functional change for non-overflow inputs. Signed-off-by: William Theesfeld Signed-off-by: Miklos Szeredi --- diff --git a/fs/fuse/file.c b/fs/fuse/file.c index e8833e2a6610f..cbd02fa3cb740 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1590,7 +1590,7 @@ static int fuse_get_user_pages(struct fuse_args_pages *ap, struct iov_iter *ii, * manually extract pages using iov_iter_extract_pages() and then * copy that to a folios array. */ - struct page **pages = kzalloc(max_pages * sizeof(struct page *), + struct page **pages = kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL); if (!pages) { ret = -ENOMEM;
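Review bot: On the changed `kcalloc(max_pages, sizeof(struct page *), GFP_KERNEL)` line, an overflowing count now comes back as NULL and falls into the existing `if (!pages)` branch, so the caller sees -ENOMEM and cannot tell an oversized request from real memory pressure. If that is intended, say so in the commit message. Otherwise, reject an out-of-range max_pages before the allocation with a distinct error. The hunk does not show the type of max_pages or where it is clamped. The message should state whether the overflow is actually reachable, because it describes an out-of-bounds write by iov_iter_extract_pages() yet carries only Signed-off-by trailers, with no Fixes: tag or stable Cc. A minor style point on the same line: `sizeof(*pages)` would keep the element size tied to the variable rather than repeating the type.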