On Fri, Jun 30, 2023 at 1:31 AM Yiyuan Guo <yguoaz@xxxxxxxxx> wrote: > > The struct cros_ec_command contains several integer fields and a > trailing array. An allocation size neglecting the integer fields can > lead to buffer overrun. > > Reviewed-by: Tzung-Bi Shih <tzungbi@xxxxxxxxxx> > Signed-off-by: Yiyuan Guo <yguoaz@xxxxxxxxx> Please _never_ send a patch as reply to a previous one, much less with a Re: subject. Guenter > --- > v2->v3: > * Added R-b tag from Tzung-Bi Shih > * Aligned the code by adding an extra tab before "max" > * Added a patch changelog > v1->v2: Prefixed the commit title with "iio: cros_ec:" > > drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c > index 943e9e14d1e9..b72d39fc2434 100644 > --- a/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c > +++ b/drivers/iio/common/cros_ec_sensors/cros_ec_sensors_core.c > @@ -253,7 +253,7 @@ int cros_ec_sensors_core_init(struct platform_device *pdev, > platform_set_drvdata(pdev, indio_dev); > > state->ec = ec->ec_dev; > - state->msg = devm_kzalloc(&pdev->dev, > + state->msg = devm_kzalloc(&pdev->dev, sizeof(*state->msg) + > max((u16)sizeof(struct ec_params_motion_sense), > state->ec->max_response), GFP_KERNEL); > if (!state->msg) > -- > 2.25.1 >
