On Fri, Jun 30, 2023 at 02:31:32PM +0800, Yiyuan Guo wrote: > The struct cros_ec_command contains several integer fields and a > trailing array. An allocation size neglecting the integer fields can > lead to buffer overrun. > > Signed-off-by: Yiyuan Guo <yguoaz@xxxxxxxxx> You could attach my R-b tag as v2 has no major changes from v1. > --- Always a good practice to put changelog here. Search "changelog" in [1]. [1]: https://www.kernel.org/doc/html/latest/process/submitting-patches.html > @@ -253,8 +253,8 @@ int cros_ec_sensors_core_init(struct platform_device *pdev, > platform_set_drvdata(pdev, indio_dev); > > state->ec = ec->ec_dev; > - state->msg = devm_kzalloc(&pdev->dev, > - max((u16)sizeof(struct ec_params_motion_sense), > + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + > + max((u16)sizeof(struct ec_params_motion_sense), > state->ec->max_response), GFP_KERNEL); While looking at the patch again, I found a nit. Please align the code by adding an extra tab before "max".