[PATCH 1/7][Focal/linux-azure] net: mana: Use struct_size() in kzalloc()

Tim Gardner tim.gardner at canonical.com
Thu Oct 21 12:23:35 UTC 2021

From: "Gustavo A. R. Silva" <gustavoars at kernel.org>

BugLink: https://bugs.launchpad.net/bugs/1947859

Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows
that, in the worst scenario, could lead to heap overflows.

This code was detected with the help of Coccinelle, and audited and
fixed manually.

Signed-off-by: Gustavo A. R. Silva <gustavoars at kernel.org>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit ea89c862f01e02ec459932c7c3113fa37aedd09a)
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
 drivers/net/ethernet/microsoft/mana/mana_en.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index 987e11c02f727..02aff16df27f0 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1388,8 +1388,7 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc,
 	gc = gd->gdma_context;
-	rxq = kzalloc(sizeof(*rxq) +
-		      RX_BUFFERS_PER_QUEUE * sizeof(struct mana_recv_buf_oob),
+	rxq = kzalloc(struct_size(rxq, rx_oobs, RX_BUFFERS_PER_QUEUE),
 	if (!rxq)
 		return NULL;
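
Review bot: The struct_size(rxq, rx_oobs, RX_BUFFERS_PER_QUEUE) call in mana_create_rxq() matches the removed open-coded sum only if rx_oobs is the trailing flexible array member of struct mana_rxq and its element type is struct mana_recv_buf_oob. That definition is not part of this hunk, so confirm it in the Focal tree before applying the cherry-pick. On overflow struct_size() saturates to SIZE_MAX, so kzalloc() fails and the existing `if (!rxq)` / `return NULL;` path right below handles it; no extra check is needed. The context as archived ends the kzalloc() line with a comma and goes straight to `if (!rxq)`, so the flags argument line is not visible here; check the applied result against upstream commit ea89c862f01e02ec459932c7c3113fa37aedd09a.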

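The overflow the commit message refers to, as an added userspace example that is not part of the patch or the kernel source. The struct names and fields are hypothetical stand-ins, and checked_size() only models the saturating behaviour of struct_size() using the GCC/Clang overflow builtins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver types; the field layout is assumed. */
struct recv_buf_oob { uint64_t addr; uint32_t len; uint32_t flags; };
struct rxq {
    uint32_t num_rx_buf;
    struct recv_buf_oob rx_oobs[];   /* trailing flexible array member */
};

/* Open-coded form: the multiply and the add wrap silently on overflow. */
static size_t open_coded_size(size_t n)
{
    return sizeof(struct rxq) + n * sizeof(struct recv_buf_oob);
}

/* Model of the struct_size() idea: saturate to SIZE_MAX instead of wrapping. */
static size_t checked_size(size_t n)
{
    size_t bytes;

    if (__builtin_mul_overflow(n, sizeof(struct recv_buf_oob), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct rxq), &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Allocation that refuses a saturated size rather than under-allocating. */
static struct rxq *alloc_rxq(size_t n)
{
    size_t bytes = checked_size(n);

    return bytes == SIZE_MAX ? NULL : calloc(1, bytes);
}

int main(void)
{
    /* Constructed input: smallest count whose byte size wraps past SIZE_MAX. */
    size_t big = SIZE_MAX / sizeof(struct recv_buf_oob) + 1;
    struct rxq *q = alloc_rxq(4);

    printf("open-coded: %zu bytes for %zu elements\n", open_coded_size(big), big);
    printf("checked:    %s\n", checked_size(big) == SIZE_MAX ? "saturated" : "ok");
    printf("alloc(big): %s\n", alloc_rxq(big) ? "allocated" : "refused");
    free(q);
    return 0;
}
```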