Patch "mfd: omap-usb-tll: Use struct_size to allocate tll" has been added to the 6.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    mfd: omap-usb-tll: Use struct_size to allocate tll

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mfd-omap-usb-tll-use-struct_size-to-allocate-tll.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cf4ec9c37c18f5a9dec62137040c2ffb43a46cd1
Author: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
Date:   Wed Jun 26 21:37:03 2024 +0200

    mfd: omap-usb-tll: Use struct_size to allocate tll
    
    [ Upstream commit 40176714c818b0b6a2ca8213cdb7654fbd49b742 ]
    
    Commit 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
    changed the memory allocation of 'tll' to consolidate it into a single
    allocation, introducing an incorrect size calculation.
    
    In particular, the allocation for the array of pointers was converted
    into a single-pointer allocation.
    
    The memory allocation used to occur in two steps:
    
    tll = devm_kzalloc(dev, sizeof(struct usbtll_omap), GFP_KERNEL);
    tll->ch_clk = devm_kzalloc(dev, sizeof(struct clk *) * tll->nch,
                               GFP_KERNEL);
    
    And it turned that into the following allocation:
    
    tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
                       GFP_KERNEL);
    
    sizeof(tll->ch_clk[nch]) returns the size of a single pointer instead of
    the expected nch pointers.
    
    This bug went unnoticed because the allocation size was small enough to
    fit within the minimum size of a memory allocation for this particular
    case [1].
    
    The complete allocation can still be done at once with the struct_size
    macro, which comes in handy for structures with a trailing flexible
    array.
    
    Fix the memory allocation to obtain the original size again.
    
    Link: https://lore.kernel.org/all/202406261121.2FFD65647@keescook/ [1]
    Fixes: 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
    Reviewed-by: Kees Cook <kees@xxxxxxxxxx>
    Signed-off-by: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
    Fixes: commit 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
    Link: https://lore.kernel.org/r/20240626-omap-usb-tll-counted_by-v2-1-4bedf20d1b51@xxxxxxxxx
    Signed-off-by: Lee Jones <lee@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c
index b6303ddb013b0..f68dd02814638 100644
--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -230,8 +230,7 @@ static int usbtll_omap_probe(struct platform_device *pdev)
 		break;
 	}
 
-	tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
-			   GFP_KERNEL);
+	tll = devm_kzalloc(dev, struct_size(tll, ch_clk, nch), GFP_KERNEL);
 	if (!tll) {
 		pm_runtime_put_sync(dev);
 		pm_runtime_disable(dev);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux