On Thu, Aug 23, 2018 at 6:12 PM, Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> wrote: > One of the more common cases of allocation size calculations is finding > the size of a structure that has a zero-sized array at the end, along > with memory for some number of elements for that array. For example: > > struct foo { > int stuff; > void *entry[]; > }; > > instance = kzalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL); > > Instead of leaving these open-coded and prone to type mistakes, we can > now use the new struct_size() helper: > > instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL); > > This issue was detected with the help of Coccinelle. > > Signed-off-by: Gustavo A. R. Silva <gustavo@xxxxxxxxxxxxxx> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx> -Kees > --- > drivers/net/wireless/ath/ath10k/ce.c | 24 ++++++++---------------- > 1 file changed, 8 insertions(+), 16 deletions(-) > > diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c > index 18c709c..d0381aa 100644 > --- a/drivers/net/wireless/ath/ath10k/ce.c > +++ b/drivers/net/wireless/ath/ath10k/ce.c > @@ -1416,10 +1416,8 @@ ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id, > > nentries = roundup_pow_of_two(nentries); > > - src_ring = kzalloc(sizeof(*src_ring) + > - (nentries * > - sizeof(*src_ring->per_transfer_context)), > - GFP_KERNEL); > + src_ring = kzalloc(struct_size(src_ring, per_transfer_context, > + nentries), GFP_KERNEL); > if (src_ring == NULL) > return ERR_PTR(-ENOMEM); > > @@ -1476,10 +1474,8 @@ ath10k_ce_alloc_src_ring_64(struct ath10k *ar, unsigned int ce_id, > > nentries = roundup_pow_of_two(nentries); > > - src_ring = kzalloc(sizeof(*src_ring) + > - (nentries * > - sizeof(*src_ring->per_transfer_context)), > - GFP_KERNEL); > + src_ring = kzalloc(struct_size(src_ring, per_transfer_context, > + nentries), GFP_KERNEL); > if (!src_ring) > return ERR_PTR(-ENOMEM); 
> > @@ -1534,10 +1530,8 @@ ath10k_ce_alloc_dest_ring(struct ath10k *ar, unsigned int ce_id, > > nentries = roundup_pow_of_two(attr->dest_nentries); > > - dest_ring = kzalloc(sizeof(*dest_ring) + > - (nentries * > - sizeof(*dest_ring->per_transfer_context)), > - GFP_KERNEL); > + dest_ring = kzalloc(struct_size(dest_ring, per_transfer_context, > + nentries), GFP_KERNEL); > if (dest_ring == NULL) > return ERR_PTR(-ENOMEM); > > @@ -1580,10 +1574,8 @@ ath10k_ce_alloc_dest_ring_64(struct ath10k *ar, unsigned int ce_id, > > nentries = roundup_pow_of_two(attr->dest_nentries); > > - dest_ring = kzalloc(sizeof(*dest_ring) + > - (nentries * > - sizeof(*dest_ring->per_transfer_context)), > - GFP_KERNEL); > + dest_ring = kzalloc(struct_size(dest_ring, per_transfer_context, > + nentries), GFP_KERNEL); > if (!dest_ring) > return ERR_PTR(-ENOMEM); > > -- > 2.7.4 > -- Kees Cook Pixel Security
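Review bot: In the ath10k_ce_alloc_src_ring() hunk (and the three hunks that repeat the same wrap), the continuation line `nentries), GFP_KERNEL);` carries the last struct_size() argument together with the kzalloc() flag, so nentries is easy to misread as a kzalloc() argument. Consider wrapping so that each call's arguments stay together, for example by putting GFP_KERNEL on its own continuation line.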
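Review bot: In the ath10k_ce_alloc_dest_ring() hunk, nentries is taken directly from roundup_pow_of_two(attr->dest_nentries), and struct_size() checks only the multiplication and addition that follow, not the rounded count it is handed. The commit log motivates the change with type mistakes alone; it would help to say that the helper also saturates on overflow so that kzalloc() fails, and to state whether attr->dest_nentries is bounded before this point.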