[PATCH] dma-buf: use struct_size helper instead of kzalloc

Arvind Yadav <Arvind.Yadav@xxxxxxx> · Mon, 25 Jul 2022 14:34:59 +0530

Replace zero-length array allocation with flexible-array member
because Dynamic calculations should not be performed for memory
allocator due to the risk of them overflowing. So using struct_size()
helper instead of an open-coded version in order to avoid any potential
type mistakes.

Signed-off-by: Arvind Yadav <Arvind.Yadav@xxxxxxx>
---
 drivers/dma-buf/dma-fence-array.c | 6 ++----
 include/linux/dma-fence-array.h   | 2 ++
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/dma-buf/dma-fence-array.c b/drivers/dma-buf/dma-fence-array.c
index 5c8a7084577b..3ebb6c5fa287 100644
--- a/drivers/dma-buf/dma-fence-array.c
+++ b/drivers/dma-buf/dma-fence-array.c
@@ -70,7 +70,7 @@ static void dma_fence_array_cb_func(struct dma_fence *f,
 static bool dma_fence_array_enable_signaling(struct dma_fence *fence)
 {
 	struct dma_fence_array *array = to_dma_fence_array(fence);
-	struct dma_fence_array_cb *cb = (void *)(&array[1]);
+	struct dma_fence_array_cb *cb = array->array_cb;
 	unsigned i;
 
 	for (i = 0; i < array->num_fences; ++i) {
@@ -157,13 +157,11 @@ struct dma_fence_array *dma_fence_array_create(int num_fences,
 					       bool signal_on_any)
 {
 	struct dma_fence_array *array;
-	size_t size = sizeof(*array);
 
 	WARN_ON(!num_fences || !fences);
 
 	/* Allocate the callback structures behind the array. */
-	size += num_fences * sizeof(struct dma_fence_array_cb);
-	array = kzalloc(size, GFP_KERNEL);
+	array = kzalloc(struct_size(array, array_cb, num_fences), GFP_KERNEL);
 	if (!array)
 		return NULL;
 
diff --git a/include/linux/dma-fence-array.h b/include/linux/dma-fence-array.h
index ec7f25def392..bd2d2db55840 100644
--- a/include/linux/dma-fence-array.h
+++ b/include/linux/dma-fence-array.h
@@ -33,6 +33,7 @@ struct dma_fence_array_cb {
  * @num_pending: fences in the array still pending
  * @fences: array of the fences
  * @work: internal irq_work function
+ * @array_cb: callback helper for fence array
  */
 struct dma_fence_array {
 	struct dma_fence base;
@@ -43,6 +44,7 @@ struct dma_fence_array {
 	struct dma_fence **fences;
 
 	struct irq_work work;
+	struct dma_fence_array_cb array_cb[];
 };
 
 /**
-- 
2.25.1







