mfd: omap-usb-tll: Use struct_size to allocate tll
[ Upstream commit 40176714c818b0b6a2ca8213cdb7654fbd49b742 ] Commit16c2004d9e
("mfd: omap-usb-tll: Allocate driver data at once") changed the memory allocation of 'tll' to consolidate it into a single allocation, introducing an incorrect size calculation. In particular, the allocation for the array of pointers was converted into a single-pointer allocation. The memory allocation used to occur in two steps: tll = devm_kzalloc(dev, sizeof(struct usbtll_omap), GFP_KERNEL); tll->ch_clk = devm_kzalloc(dev, sizeof(struct clk *) * tll->nch, GFP_KERNEL); And it turned that into the following allocation: tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]), GFP_KERNEL); sizeof(tll->ch_clk[nch]) returns the size of a single pointer instead of the expected nch pointers. This bug went unnoticed because the allocation size was small enough to fit within the minimum size of a memory allocation for this particular case [1]. The complete allocation can still be done at once with the struct_size macro, which comes in handy for structures with a trailing flexible array. Fix the memory allocation to obtain the original size again. Link: https://lore.kernel.org/all/202406261121.2FFD65647@keescook/ [1] Fixes:16c2004d9e
("mfd: omap-usb-tll: Allocate driver data at once") Reviewed-by: Kees Cook <kees@kernel.org> Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com> Fixes: commit16c2004d9e
("mfd: omap-usb-tll: Allocate driver data at once") Link: https://lore.kernel.org/r/20240626-omap-usb-tll-counted_by-v2-1-4bedf20d1b51@gmail.com Signed-off-by: Lee Jones <lee@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Родитель
359e5c05ba
Коммит
b0fece1682
|
@ -237,8 +237,7 @@ static int usbtll_omap_probe(struct platform_device *pdev)
|
|||
break;
|
||||
}
|
||||
|
||||
tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
|
||||
GFP_KERNEL);
|
||||
tll = devm_kzalloc(dev, struct_size(tll, ch_clk, nch), GFP_KERNEL);
|
||||
if (!tll) {
|
||||
pm_runtime_put_sync(dev);
|
||||
pm_runtime_disable(dev);
|
||||
|
|
Загрузка…
Ссылка в новой задаче