On 2/28/2023 9:46 AM, Johannes Berg wrote:
> On Tue, 2023-02-28 at 09:44 -0800, Jacob Keller wrote:
>>
>> Previous to this change, the error struct has two pointers to sections of
>> memory allocated at the end of the buffer.
>>
>> The code used to be:
>>
>> - error = kmalloc(sizeof(*error) +
>> - sizeof(*error->elem) * elem_len +
>> - sizeof(*error->log) * log_len, GFP_ATOMIC);
>>
>> i.e. the elem_len is multiplying sizeof(*error->elem).
>>
>> The code is essentially trying to get two flexible arrays in the same
>> allocation, and it's a bit messy to do that. I don't see how elem_len
>> could be anything other than "number of elems" given this code I removed.
>
> Yeah, you're right. I was thinking of more modern HW/FW too much I
> guess, I see now even in the driver we have an array walk here (and it
> trusts the elem_len from firmware... ahrg!)
>

Ouch.. that makes me feel better about using struct_size/size_add here
since it would help protect against an overflow with a large element size...
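Review bot: in the removed kmalloc() size expression, `sizeof(*error->elem) * elem_len` and `sizeof(*error->log) * log_len` are unchecked multiplications joined by a plain `+`; since elem_len comes from firmware, as the reply notes, the product can wrap and kmalloc() then returns a buffer smaller than the later array walk expects. Building the size with the saturating helpers named in the thread (struct_size() for the header plus first array, size_add() with size_mul() for the second array) makes the allocation fail on overflow instead of succeeding undersized.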
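As an added illustration that is not part of the patch or the thread, here is a user-space model of the size computation under discussion: a constructed header struct followed by an elem array and a log array in one buffer, with the naive product-and-sum from the removed code next to a checked version built on local stand-ins for the kernel's size_mul()/size_add() helpers from linux/overflow.h. The struct layouts, element sizes and helper definitions are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layouts standing in for the driver's real types. */
struct elem      { uint32_t word[4]; };               /* 16 bytes */
struct log_entry { uint64_t ts; uint32_t val; uint32_t pad; }; /* 16 bytes */

/* Header with two pointers into the trailing region of the same buffer. */
struct error_dump {
	size_t elem_len;
	size_t log_len;
	struct elem *elem;
	struct log_entry *log;
};

/* Size as computed by the removed code: plain multiply and add. A large
 * firmware-supplied elem_len wraps the product and the sum silently. */
static size_t naive_size(size_t elem_len, size_t log_len)
{
	return sizeof(struct error_dump) +
	       sizeof(struct elem) * elem_len +
	       sizeof(struct log_entry) * log_len;
}

/* User-space stand-ins for the kernel's size_mul()/size_add(): on overflow
 * they saturate to SIZE_MAX, which the allocator refuses, instead of
 * returning a small, wrong size. */
static size_t size_mul(size_t a, size_t b)
{
	size_t r;
	return __builtin_mul_overflow(a, b, &r) ? SIZE_MAX : r;
}

static size_t size_add(size_t a, size_t b)
{
	size_t r;
	return __builtin_add_overflow(a, b, &r) ? SIZE_MAX : r;
}

/* Same layout, but every step is overflow-checked; a wrapped product
 * propagates as SIZE_MAX through every later addition. */
static size_t checked_size(size_t elem_len, size_t log_len)
{
	size_t hdr_and_elems = size_add(sizeof(struct error_dump),
					size_mul(sizeof(struct elem), elem_len));
	return size_add(hdr_and_elems, size_mul(sizeof(struct log_entry), log_len));
}

int main(void)
{
	size_t wrap = SIZE_MAX / sizeof(struct elem) + 1; /* smallest wrapping count */
	printf("sane: naive=%zu checked=%zu\n", naive_size(4, 8), checked_size(4, 8));
	printf("huge: naive=%zu checked=%zu\n", naive_size(wrap, 0), checked_size(wrap, 0));
	return 0;
}
```

For the wrapping count the naive size collapses to just the header, while the checked size saturates to SIZE_MAX and the allocation fails.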