From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
To: Tony Lindgren <tony@atomide.com>, Lee Jones <lee@kernel.org>,
Kees Cook <kees@kernel.org>,
"Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: linux-omap@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org,
Javier Carrasco <javier.carrasco.cruz@gmail.com>
Subject: [PATCH v2] mfd: omap-usb-tll: use struct_size to allocate tll
Date: Wed, 26 Jun 2024 21:37:03 +0200 [thread overview]
Message-ID: <20240626-omap-usb-tll-counted_by-v2-1-4bedf20d1b51@gmail.com> (raw)
Commit 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
changed the memory allocation of 'tll' to consolidate it into a single
allocation, introducing an incorrect size calculation.
In particular, the allocation for the array of pointers was converted
into a single-pointer allocation.
The memory allocation used to occur in two steps:
tll = devm_kzalloc(dev, sizeof(struct usbtll_omap), GFP_KERNEL);
tll->ch_clk = devm_kzalloc(dev, sizeof(struct clk *) * tll->nch,
GFP_KERNEL);
And it turned that into the following allocation:
tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
GFP_KERNEL);
sizeof(tll->ch_clk[nch]) returns the size of a single pointer instead of
the expected nch pointers.
This bug went unnoticed because the allocation size was small enough to
fit within the minimum size of a memory allocation for this particular
case [1].
The complete allocation can still be done at once with the struct_size
macro, which comes in handy for structures with a trailing flexible
array.
Fix the memory allocation to obtain the original size again.
Link: https://lore.kernel.org/all/202406261121.2FFD65647@keescook/ [1]
Fixes: 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
---
Changes in v2:
- Patch 1/2: drop (applied).
- Patch 2/2: turn into fix.
- Link to v1: https://lore.kernel.org/r/20240620-omap-usb-tll-counted_by-v1-0-77797834bb9a@gmail.com
---
drivers/mfd/omap-usb-tll.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c
index b6303ddb013b..f68dd0281463 100644
--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -230,8 +230,7 @@ static int usbtll_omap_probe(struct platform_device *pdev)
break;
}
- tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
- GFP_KERNEL);
+ tll = devm_kzalloc(dev, struct_size(tll, ch_clk, nch), GFP_KERNEL);
if (!tll) {
pm_runtime_put_sync(dev);
pm_runtime_disable(dev);
---
base-commit: b992b79ca8bc336fa8e2c80990b5af80ed8f36fd
change-id: 20240620-omap-usb-tll-counted_by-aac57c173018
Best regards,
--
Javier Carrasco <javier.carrasco.cruz@gmail.com>
next reply other threads:[~2024-06-26 19:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-26 19:37 Javier Carrasco [this message]
2024-06-27 7:14 ` (subset) [PATCH v2] mfd: omap-usb-tll: use struct_size to allocate tll Lee Jones
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240626-omap-usb-tll-counted_by-v2-1-4bedf20d1b51@gmail.com \
--to=javier.carrasco.cruz@gmail.com \
--cc=gustavoars@kernel.org \
--cc=kees@kernel.org \
--cc=lee@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-omap@vger.kernel.org \
--cc=tony@atomide.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).