From 62fddde3e3a741d55b7f6e168f9813f952b490bb Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 26 Apr 2021 08:49:42 +0200 Subject: [PATCH] 4.4-stable patches added patches: compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch overflow.h-add-allocation-size-calculation-helpers.patch x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch --- ...rflow-checkers-and-add-fallback-code.patch | 325 ++++++++++++++++++ ...e-duplicate-definition-of-ia64_mf-on.patch | 7 +- ...-allocation-size-calculation-helpers.patch | 140 ++++++++ queue-4.4/series | 3 + ..._memmap_entries-out-of-bounds-access.patch | 69 ++++ 5 files changed, 538 insertions(+), 6 deletions(-) create mode 100644 queue-4.4/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch create mode 100644 queue-4.4/overflow.h-add-allocation-size-calculation-helpers.patch create mode 100644 queue-4.4/x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch diff --git a/queue-4.4/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch b/queue-4.4/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch new file mode 100644 index 00000000000..ff11f9f5d9f --- /dev/null +++ b/queue-4.4/compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch @@ -0,0 +1,325 @@ +From 1777fa9611fcf295e72f030ca4900c5356cb8bd3 Mon Sep 17 00:00:00 2001 +From: Rasmus Villemoes +Date: Tue, 8 May 2018 00:36:27 +0200 +Subject: compiler.h: enable builtin overflow checkers and add fallback code + +From: Rasmus Villemoes + +commit f0907827a8a9152aedac2833ed1b674a7b2a44f2 upstream. + +This adds wrappers for the __builtin overflow checkers present in gcc +5.1+ as well as fallback implementations for earlier compilers. It's not +that easy to implement the fully generic __builtin_X_overflow(T1 a, T2 +b, T3 *d) in macros, so the fallback code assumes that T1, T2 and T3 are +the same. We obviously don't want the wrappers to have different +semantics depending on $GCC_VERSION, so we also insist on that even when +using the builtins. + +There are a few problems with the 'a+b < a' idiom for checking for +overflow: For signed types, it relies on undefined behaviour and is +not actually complete (it doesn't check underflow; +e.g. INT_MIN+INT_MIN == 0 isn't caught). Due to type promotion it +is wrong for all types (signed and unsigned) narrower than +int. Similarly, when a and b does not have the same type, there are +subtle cases like + + u32 a; + + if (a + sizeof(foo) < a) + return -EOVERFLOW; + a += sizeof(foo); + +where the test is always false on 64 bit platforms. Add to that that it +is not always possible to determine the types involved at a glance. + +The new overflow.h is somewhat bulky, but that's mostly a result of +trying to be type-generic, complete (e.g. catching not only overflow +but also signed underflow) and not relying on undefined behaviour. + +Linus is of course right [1] that for unsigned subtraction a-b, the +right way to check for overflow (underflow) is "b > a" and not +"__builtin_sub_overflow(a, b, &d)", but that's just one out of six cases +covered here, and included mostly for completeness. + +So is it worth it? I think it is, if nothing else for the documentation +value of seeing + + if (check_add_overflow(a, b, &d)) + return -EGOAWAY; + do_stuff_with(d); + +instead of the open-coded (and possibly wrong and/or incomplete and/or +UBsan-tickling) + + if (a+b < a) + return -EGOAWAY; + do_stuff_with(a+b); + +While gcc does recognize the 'a+b < a' idiom for testing unsigned add +overflow, it doesn't do nearly as good for unsigned multiplication +(there's also no single well-established idiom). So using +check_mul_overflow in kcalloc and friends may also make gcc generate +slightly better code. + +[1] https://lkml.org/lkml/2015/11/2/658 + +Signed-off-by: Rasmus Villemoes +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/compiler-clang.h | 14 ++ + include/linux/compiler-gcc.h | 4 + include/linux/compiler-intel.h | 4 + include/linux/overflow.h | 205 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 227 insertions(+) + create mode 100644 include/linux/overflow.h + +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -15,3 +15,17 @@ + * with any version that can compile the kernel + */ + #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) ++ ++/* ++ * Not all versions of clang implement the the type-generic versions ++ * of the builtin overflow checkers. Fortunately, clang implements ++ * __has_builtin allowing us to avoid awkward version ++ * checks. Unfortunately, we don't know which version of gcc clang ++ * pretends to be, so the macro may or may not be defined. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++#if __has_builtin(__builtin_mul_overflow) && \ ++ __has_builtin(__builtin_add_overflow) && \ ++ __has_builtin(__builtin_sub_overflow) ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -321,3 +321,7 @@ + * code + */ + #define uninitialized_var(x) x = x ++ ++#if GCC_VERSION >= 50100 ++#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 ++#endif +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -43,3 +43,7 @@ + #define __builtin_bswap16 _bswap16 + #endif + ++/* ++ * icc defines __GNUC__, but does not implement the builtin overflow checkers. ++ */ ++#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW +--- /dev/null ++++ b/include/linux/overflow.h +@@ -0,0 +1,205 @@ ++/* SPDX-License-Identifier: GPL-2.0 OR MIT */ ++#ifndef __LINUX_OVERFLOW_H ++#define __LINUX_OVERFLOW_H ++ ++#include ++ ++/* ++ * In the fallback code below, we need to compute the minimum and ++ * maximum values representable in a given type. These macros may also ++ * be useful elsewhere, so we provide them outside the ++ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. ++ * ++ * It would seem more obvious to do something like ++ * ++ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) ++ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) ++ * ++ * Unfortunately, the middle expressions, strictly speaking, have ++ * undefined behaviour, and at least some versions of gcc warn about ++ * the type_max expression (but not if -fsanitize=undefined is in ++ * effect; in that case, the warning is deferred to runtime...). ++ * ++ * The slightly excessive casting in type_min is to make sure the ++ * macros also produce sensible values for the exotic type _Bool. [The ++ * overflow checkers only almost work for _Bool, but that's ++ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on ++ * _Bools. Besides, the gcc builtins don't allow _Bool* as third ++ * argument.] ++ * ++ * Idea stolen from ++ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html - ++ * credit to Christian Biere. ++ */ ++#define is_signed_type(type) (((type)(-1)) < (type)1) ++#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) ++#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) ++#define type_min(T) ((T)((T)-type_max(T)-(T)1)) ++ ++ ++#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW ++/* ++ * For simplicity and code hygiene, the fallback code below insists on ++ * a, b and *d having the same type (similar to the min() and max() ++ * macros), whereas gcc's type-generic overflow checkers accept ++ * different types. Hence we don't just make check_add_overflow an ++ * alias for __builtin_add_overflow, but add type checks similar to ++ * below. ++ */ ++#define check_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_add_overflow(__a, __b, __d); \ ++}) ++ ++#define check_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_sub_overflow(__a, __b, __d); \ ++}) ++ ++#define check_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ __builtin_mul_overflow(__a, __b, __d); \ ++}) ++ ++#else ++ ++ ++/* Checking for unsigned overflow is relatively easy without causing UB. */ ++#define __unsigned_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a + __b; \ ++ *__d < __a; \ ++}) ++#define __unsigned_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a - __b; \ ++ __a < __b; \ ++}) ++/* ++ * If one of a or b is a compile-time constant, this avoids a division. ++ */ ++#define __unsigned_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = __a * __b; \ ++ __builtin_constant_p(__b) ? \ ++ __b > 0 && __a > type_max(typeof(__a)) / __b : \ ++ __a > 0 && __b > type_max(typeof(__b)) / __a; \ ++}) ++ ++/* ++ * For signed types, detecting overflow is much harder, especially if ++ * we want to avoid UB. But the interface of these macros is such that ++ * we must provide a result in *d, and in fact we must produce the ++ * result promised by gcc's builtins, which is simply the possibly ++ * wrapped-around value. Fortunately, we can just formally do the ++ * operations in the widest relevant unsigned type (u64) and then ++ * truncate the result - gcc is smart enough to generate the same code ++ * with and without the (u64) casts. ++ */ ++ ++/* ++ * Adding two signed integers can overflow only if they have the same ++ * sign, and overflow has happened iff the result has the opposite ++ * sign. ++ */ ++#define __signed_add_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a + (u64)__b; \ ++ (((~(__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Subtraction is similar, except that overflow can now happen only ++ * when the signs are opposite. In this case, overflow has happened if ++ * the result has the opposite sign of a. ++ */ ++#define __signed_sub_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a - (u64)__b; \ ++ ((((__a ^ __b)) & (*__d ^ __a)) \ ++ & type_min(typeof(__a))) != 0; \ ++}) ++ ++/* ++ * Signed multiplication is rather hard. gcc always follows C99, so ++ * division is truncated towards 0. This means that we can write the ++ * overflow check like this: ++ * ++ * (a > 0 && (b > MAX/a || b < MIN/a)) || ++ * (a < -1 && (b > MIN/a || b < MAX/a) || ++ * (a == -1 && b == MIN) ++ * ++ * The redundant casts of -1 are to silence an annoying -Wtype-limits ++ * (included in -Wextra) warning: When the type is u8 or u16, the ++ * __b_c_e in check_mul_overflow obviously selects ++ * __unsigned_mul_overflow, but unfortunately gcc still parses this ++ * code and warns about the limited range of __b. ++ */ ++ ++#define __signed_mul_overflow(a, b, d) ({ \ ++ typeof(a) __a = (a); \ ++ typeof(b) __b = (b); \ ++ typeof(d) __d = (d); \ ++ typeof(a) __tmax = type_max(typeof(a)); \ ++ typeof(a) __tmin = type_min(typeof(a)); \ ++ (void) (&__a == &__b); \ ++ (void) (&__a == __d); \ ++ *__d = (u64)__a * (u64)__b; \ ++ (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ ++ (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ ++ (__b == (typeof(__b))-1 && __a == __tmin); \ ++}) ++ ++ ++#define check_add_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_add_overflow(a, b, d), \ ++ __unsigned_add_overflow(a, b, d)) ++ ++#define check_sub_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_sub_overflow(a, b, d), \ ++ __unsigned_sub_overflow(a, b, d)) ++ ++#define check_mul_overflow(a, b, d) \ ++ __builtin_choose_expr(is_signed_type(typeof(a)), \ ++ __signed_mul_overflow(a, b, d), \ ++ __unsigned_mul_overflow(a, b, d)) ++ ++ ++#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ ++ ++#endif /* __LINUX_OVERFLOW_H */ diff --git a/queue-4.4/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch b/queue-4.4/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch index f2b9c1c4d86..91225186b96 100644 --- a/queue-4.4/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch +++ b/queue-4.4/ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch @@ -37,11 +37,9 @@ Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- - tools/arch/ia64/include/asm/barrier.h | 3 --- + tools/arch/ia64/include/asm/barrier.h | 3 --- 1 file changed, 3 deletions(-) -diff --git a/tools/arch/ia64/include/asm/barrier.h b/tools/arch/ia64/include/asm/barrier.h -index e4422b4b634e..94ae4a333a35 100644 --- a/tools/arch/ia64/include/asm/barrier.h +++ b/tools/arch/ia64/include/asm/barrier.h @@ -38,9 +38,6 @@ @@ -54,6 +52,3 @@ index e4422b4b634e..94ae4a333a35 100644 #define mb() ia64_mf() #define rmb() mb() #define wmb() mb() --- -2.30.2 - diff --git a/queue-4.4/overflow.h-add-allocation-size-calculation-helpers.patch b/queue-4.4/overflow.h-add-allocation-size-calculation-helpers.patch new file mode 100644 index 00000000000..b70c1226112 --- /dev/null +++ b/queue-4.4/overflow.h-add-allocation-size-calculation-helpers.patch @@ -0,0 +1,140 @@ +From 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 7 May 2018 16:47:02 -0700 +Subject: overflow.h: Add allocation size calculation helpers + +From: Kees Cook + +commit 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 upstream. + +In preparation for replacing unchecked overflows for memory allocations, +this creates helpers for the 3 most common calculations: + +array_size(a, b): 2-dimensional array +array3_size(a, b, c): 3-dimensional array +struct_size(ptr, member, n): struct followed by n-many trailing members + +Each of these return SIZE_MAX on overflow instead of wrapping around. + +(Additionally renames a variable named "array_size" to avoid future +collision.) + +Co-developed-by: Matthew Wilcox +Signed-off-by: Kees Cook +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-table.c | 10 +++--- + include/linux/overflow.h | 73 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 78 insertions(+), 5 deletions(-) + +--- a/drivers/md/dm-table.c ++++ b/drivers/md/dm-table.c +@@ -516,14 +516,14 @@ static int adjoin(struct dm_table *table + * On the other hand, dm-switch needs to process bulk data using messages and + * excessive use of GFP_NOIO could cause trouble. + */ +-static char **realloc_argv(unsigned *array_size, char **old_argv) ++static char **realloc_argv(unsigned *size, char **old_argv) + { + char **argv; + unsigned new_size; + gfp_t gfp; + +- if (*array_size) { +- new_size = *array_size * 2; ++ if (*size) { ++ new_size = *size * 2; + gfp = GFP_KERNEL; + } else { + new_size = 8; +@@ -531,8 +531,8 @@ static char **realloc_argv(unsigned *arr + } + argv = kmalloc(new_size * sizeof(*argv), gfp); + if (argv) { +- memcpy(argv, old_argv, *array_size * sizeof(*argv)); +- *array_size = new_size; ++ memcpy(argv, old_argv, *size * sizeof(*argv)); ++ *size = new_size; + } + + kfree(old_argv); +--- a/include/linux/overflow.h ++++ b/include/linux/overflow.h +@@ -202,4 +202,77 @@ + + #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ + ++/** ++ * array_size() - Calculate size of 2-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * ++ * Calculates size of 2-dimensional array: @a * @b. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array_size(size_t a, size_t b) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * array3_size() - Calculate size of 3-dimensional array. ++ * ++ * @a: dimension one ++ * @b: dimension two ++ * @c: dimension three ++ * ++ * Calculates size of 3-dimensional array: @a * @b * @c. ++ * ++ * Returns: number of bytes needed to represent the array or SIZE_MAX on ++ * overflow. ++ */ ++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(a, b, &bytes)) ++ return SIZE_MAX; ++ if (check_mul_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) ++{ ++ size_t bytes; ++ ++ if (check_mul_overflow(n, size, &bytes)) ++ return SIZE_MAX; ++ if (check_add_overflow(bytes, c, &bytes)) ++ return SIZE_MAX; ++ ++ return bytes; ++} ++ ++/** ++ * struct_size() - Calculate size of structure with trailing array. ++ * @p: Pointer to the structure. ++ * @member: Name of the array member. ++ * @n: Number of elements in the array. ++ * ++ * Calculates size of memory needed for structure @p followed by an ++ * array of @n @member elements. ++ * ++ * Return: number of bytes needed or SIZE_MAX on overflow. ++ */ ++#define struct_size(p, member, n) \ ++ __ab_c_size(n, \ ++ sizeof(*(p)->member) + __must_be_array((p)->member),\ ++ sizeof(*(p))) ++ + #endif /* __LINUX_OVERFLOW_H */ diff --git a/queue-4.4/series b/queue-4.4/series index d06f2a03f7f..56448aeccb3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -27,3 +27,6 @@ xen-netback-check-for-hotplug-status-existence-befor.patch cavium-liquidio-fix-duplicate-argument.patch ia64-fix-discontig.c-section-mismatches.patch ia64-tools-remove-duplicate-definition-of-ia64_mf-on.patch +compiler.h-enable-builtin-overflow-checkers-and-add-fallback-code.patch +overflow.h-add-allocation-size-calculation-helpers.patch +x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch diff --git a/queue-4.4/x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch b/queue-4.4/x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch new file mode 100644 index 00000000000..91a8d1495a7 --- /dev/null +++ b/queue-4.4/x86-crash-fix-crash_setup_memmap_entries-out-of-bounds-access.patch @@ -0,0 +1,69 @@ +From 5849cdf8c120e3979c57d34be55b92d90a77a47e Mon Sep 17 00:00:00 2001 +From: Mike Galbraith +Date: Fri, 16 Apr 2021 14:02:07 +0200 +Subject: x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access + +From: Mike Galbraith + +commit 5849cdf8c120e3979c57d34be55b92d90a77a47e upstream. + +Commit in Fixes: added support for kexec-ing a kernel on panic using a +new system call. As part of it, it does prepare a memory map for the new +kernel. + +However, while doing so, it wrongly accesses memory it has not +allocated: it accesses the first element of the cmem->ranges[] array in +memmap_exclude_ranges() but it has not allocated the memory for it in +crash_setup_memmap_entries(). As KASAN reports: + + BUG: KASAN: vmalloc-out-of-bounds in crash_setup_memmap_entries+0x17e/0x3a0 + Write of size 8 at addr ffffc90000426008 by task kexec/1187 + + (gdb) list *crash_setup_memmap_entries+0x17e + 0xffffffff8107cafe is in crash_setup_memmap_entries (arch/x86/kernel/crash.c:322). + 317 unsigned long long mend) + 318 { + 319 unsigned long start, end; + 320 + 321 cmem->ranges[0].start = mstart; + 322 cmem->ranges[0].end = mend; + 323 cmem->nr_ranges = 1; + 324 + 325 /* Exclude elf header region */ + 326 start = image->arch.elf_load_addr; + (gdb) + +Make sure the ranges array becomes a single element allocated. + + [ bp: Write a proper commit message. ] + +Fixes: dd5f726076cc ("kexec: support for kexec on panic using new system call") +Signed-off-by: Mike Galbraith +Signed-off-by: Borislav Petkov +Reviewed-by: Dave Young +Cc: +Link: https://lkml.kernel.org/r/725fa3dc1da2737f0f6188a1a9701bead257ea9d.camel@gmx.de +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/crash.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/crash.c ++++ b/arch/x86/kernel/crash.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -572,7 +573,7 @@ int crash_setup_memmap_entries(struct ki + struct crash_memmap_data cmd; + struct crash_mem *cmem; + +- cmem = vzalloc(sizeof(struct crash_mem)); ++ cmem = vzalloc(struct_size(cmem, ranges, 1)); + if (!cmem) + return -ENOMEM; + -- 2.47.3