"struct_size() + n" may cause a integer overflow, use size_add() to handle it. Signed-off-by: Li Qiong <liqiong@xxxxxxxxxxxx> --- drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c index c9e4aeb14f4a..3dec87e46e50 100644 --- a/drivers/gpu/drm/msm/msm_gem_submit.c +++ b/drivers/gpu/drm/msm/msm_gem_submit.c @@ -30,8 +30,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev, uint64_t sz; int ret; - sz = struct_size(submit, bos, nr_bos) + - ((u64)nr_cmds * sizeof(submit->cmd[0])); + sz = size_add(struct_size(submit, bos, nr_bos), + ((u64)nr_cmds * sizeof(submit->cmd[0]))); if (sz > SIZE_MAX) return ERR_PTR(-ENOMEM); -- 2.11.0
