Date: Fri, 30 Jun 2023 15:36:01 +0800
From: Tzung-Bi Shih
To: Yiyuan Guo
Cc: jic23@kernel.org, lars@metafoo.de, bleung@chromium.org, groeck@chromium.org, dianders@chromium.org, mazziesaccount@gmail.com, gwendal@chromium.org, linux-iio@vger.kernel.org, chrome-platform@lists.linux.dev
Subject: Re: [PATCH v2] iio: cros_ec: Fix the allocation size for cros_ec_command
References: <20230629132405.1237292-1-yguoaz@gmail.com> <20230630063132.314700-1-yguoaz@gmail.com>
In-Reply-To: <20230630063132.314700-1-yguoaz@gmail.com>
X-Mailing-List: chrome-platform@lists.linux.dev

On Fri, Jun 30, 2023 at 02:31:32PM +0800, Yiyuan Guo wrote:
> The struct cros_ec_command contains several integer fields and a
> trailing array. An allocation size neglecting the integer fields can
> lead to buffer overrun.
> > Signed-off-by: Yiyuan Guo You could attach my R-b tag as v2 has no major changes from v1. > --- Always a good practice to put changelog here. Search "changelog" in [1]. [1]: https://www.kernel.org/doc/html/latest/process/submitting-patches.html > @@ -253,8 +253,8 @@ int cros_ec_sensors_core_init(struct platform_device *pdev, > platform_set_drvdata(pdev, indio_dev); > > state->ec = ec->ec_dev; > - state->msg = devm_kzalloc(&pdev->dev, > - max((u16)sizeof(struct ec_params_motion_sense), > + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + > + max((u16)sizeof(struct ec_params_motion_sense), > state->ec->max_response), GFP_KERNEL); While looking at the patch again, I found a nit. Please align the code by adding an extra tab before "max".
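Review bot: In the new devm_kzalloc() call the size is still open-coded as sizeof(*state->msg) + max(...), which is the kind of arithmetic that let the header be left out in the first place. struct_size() from <linux/overflow.h> expresses "header plus trailing array" directly and saturates rather than wrapping, for example struct_size(state->msg, data, max(...)), assuming the trailing array member is named data (the hunk does not show the struct definition). The sum as posted does not truncate, since sizeof() makes it a size_t and the (u16) cast only bounds the payload term, so this is a robustness suggestion rather than a bug. Separately, the quoted commit message describes a buffer overrun but shows no Fixes: tag; naming the commit that introduced the short allocation would let stable maintainers pick this up.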