Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ubd: Use pointer-to-pointers for io_thread_req arrays

Having an unbounded array for irq_req_buffer and io_req_buffer doesn't
provide any bounds safety, and confuses the needed allocation type,
which is returning a pointer to pointers. Instead of the implicit cast,
switch the variable types.

Reported-by: Nathan Chancellor <nathan@kernel.org>
Reported-by: Guenter Roeck <linux@roeck-us.net>
Closes: https://lore.kernel.org/all/b04b6c13-7d0e-4a89-9e68-b572b6c686ac@roeck-us.net
Fixes: 69050f8d6d07 ("treewide: Replace kmalloc with kmalloc_obj for non-scalar types")
Acked-by: Richard Weinberger <richard@nod.at>
Link: https://patch.msgid.link/20260223214341.work.846-kees@kernel.org
Signed-off-by: Kees Cook <kees@kernel.org>

Kees Cook 96a7b71c 6de23f81

+5 -5
arch/um/drivers/ubd_kern.c
··· 69 69 }; 70 70 71 71 72 - static struct io_thread_req * (*irq_req_buffer)[]; 72 + static struct io_thread_req **irq_req_buffer; 73 73 static struct io_thread_req *irq_remainder; 74 74 static int irq_remainder_size; 75 75 76 - static struct io_thread_req * (*io_req_buffer)[]; 76 + static struct io_thread_req **io_req_buffer; 77 77 static struct io_thread_req *io_remainder; 78 78 static int io_remainder_size; 79 79 ··· 398 398 399 399 static int bulk_req_safe_read( 400 400 int fd, 401 - struct io_thread_req * (*request_buffer)[], 401 + struct io_thread_req **request_buffer, 402 402 struct io_thread_req **remainder, 403 403 int *remainder_size, 404 404 int max_recs ··· 465 465 &irq_remainder, &irq_remainder_size, 466 466 UBD_REQ_BUFFER_SIZE)) >= 0) { 467 467 for (i = 0; i < len / sizeof(struct io_thread_req *); i++) 468 - ubd_end_request((*irq_req_buffer)[i]); 468 + ubd_end_request(irq_req_buffer[i]); 469 469 } 470 470 471 471 if (len < 0 && len != -EAGAIN) ··· 1512 1512 } 1513 1513 1514 1514 for (count = 0; count < n/sizeof(struct io_thread_req *); count++) { 1515 - struct io_thread_req *req = (*io_req_buffer)[count]; 1515 + struct io_thread_req *req = io_req_buffer[count]; 1516 1516 int i; 1517 1517 1518 1518 io_count++;
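Review bot: the declarations of irq_req_buffer and io_req_buffer (lines 72 and 76) change type, but none of the five changed lines is an allocation site, so the diff by itself does not show that the buffers are now allocated as UBD_REQ_BUFFER_SIZE elements of `struct io_thread_req *`. Since the commit message gives the confused allocation type as the motivation, please name the allocation sites in the message, or confirm that they build against the new `struct io_thread_req **` type without a cast.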
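Review bot: in the bulk_req_safe_read() prototype (line 401), `struct io_thread_req **request_buffer` carries no length, so the only bound on writes into it is the separate max_recs argument. A one-line comment above the function stating that request_buffer must have room for max_recs pointers would document that contract; the caller visible in this diff passes UBD_REQ_BUFFER_SIZE.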
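Review bot: the loop bounds at lines 467 and 1514 still spell out `sizeof(struct io_thread_req *)` as the divisor. With the buffers now plain pointers-to-pointers, `len / sizeof(*irq_req_buffer)` and `n / sizeof(*io_req_buffer)` would tie the element count to the declared type, so a later change to the element type cannot leave the index range out of step with the array.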