-----Original Message-----
From: Len Baker len.baker@gmx.com
Sent: Saturday, September 11, 2021 6:28 AM
To: KY Srinivasan kys@microsoft.com; Haiyang Zhang haiyangz@microsoft.com; Stephen Hemminger sthemmin@microsoft.com; Wei Liu wei.liu@kernel.org; Dexuan Cui decui@microsoft.com; David S. Miller davem@davemloft.net; Jakub Kicinski kuba@kernel.org; Sumit Semwal sumit.semwal@linaro.org; Christian König christian.koenig@amd.com; Kees Cook keescook@chromium.org
Cc: Len Baker len.baker@gmx.com; Colin Ian King colin.king@canonical.com; linux-hardening@vger.kernel.org; linux-hyperv@vger.kernel.org; netdev@vger.kernel.org; linux-kernel@vger.kernel.org; linux-media@vger.kernel.org; dri-devel@lists.freedesktop.org; linaro-mm-sig@lists.linaro.org
Subject: [PATCH] net: mana: Prefer struct_size over open coded arithmetic
As noted in the "Deprecated Interfaces, Language Features, Attributes, and Conventions" documentation [1], size calculations (especially multiplication) should not be performed in memory allocator (or similar) function arguments due to the risk of them overflowing. This could lead to values wrapping around and a smaller allocation being made than the caller was expecting. Using those allocations could lead to linear overflows of heap memory and other misbehaviors.
So, use the struct_size() helper to do the arithmetic instead of the argument "size + count * size" in the kzalloc() function.
[1] https://www.kernel.org/doc/html/v5.14/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
Signed-off-by: Len Baker len.baker@gmx.com
drivers/net/ethernet/microsoft/mana/hw_channel.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c index 1a923fd99990..0efdc6c3c32a 100644 --- a/drivers/net/ethernet/microsoft/mana/hw_channel.c +++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c @@ -398,9 +398,7 @@ static int mana_hwc_alloc_dma_buf(struct hw_channel_context *hwc, u16 q_depth, int err; u16 i;
dma_buf = kzalloc(sizeof(*dma_buf) +
q_depth * sizeof(struct hwc_work_request),
GFP_KERNEL);
dma_buf = kzalloc(struct_size(dma_buf, reqs, q_depth),
GFP_KERNEL);
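Review bot: in the new kzalloc() argument, struct_size(dma_buf, reqs, q_depth) equals the removed sizeof(*dma_buf) + q_depth * sizeof(struct hwc_work_request) only if reqs is a flexible array member whose element type is struct hwc_work_request. The struct definition is outside this hunk, so please confirm it: a one-element reqs[1] would make the new form allocate one element more than before. Also, q_depth is a u16 in the function signature, so with a 64-bit size_t the old product cannot wrap here; the commit message could say that this is a conversion to the preferred helper rather than a fix for an overflow reachable in this function.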
Thanks!
Reviewed-by: Haiyang Zhang haiyangz@microsoft.com
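
The wrap-around that the commit message describes, shown as an added user-space example (not part of the patch or of the mana driver). The struct layouts and function names are hypothetical stand-ins, and `saturating_size()` only models the saturate-to-`SIZE_MAX` behaviour of `struct_size()` using the GCC/Clang overflow builtins.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the driver's types; the layout is assumed. */
struct work_request { uint64_t buf; uint32_t len; uint32_t flags; };
struct dma_buf_hdr {
    size_t num_reqs;
    struct work_request reqs[];          /* flexible array member */
};

/* Open-coded "size + count * size": wraps silently on overflow. */
static size_t open_coded_size(size_t count)
{
    return sizeof(struct dma_buf_hdr) + count * sizeof(struct work_request);
}

/* Checked form: returns SIZE_MAX instead of a wrapped, too-small value. */
static size_t saturating_size(size_t count)
{
    size_t bytes;

    if (__builtin_mul_overflow(count, sizeof(struct work_request), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct dma_buf_hdr), &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Allocator wrapper: a saturated size is rejected before allocating. */
static struct dma_buf_hdr *alloc_dma_buf(size_t count)
{
    size_t bytes = saturating_size(count);
    struct dma_buf_hdr *b = bytes == SIZE_MAX ? NULL : calloc(1, bytes);

    if (b)
        b->num_reqs = count;
    return b;
}

int main(void)
{
    /* Constructed count chosen so that the multiplication wraps. */
    size_t huge = SIZE_MAX / sizeof(struct work_request) + 2;

    printf("open-coded size: %zu bytes\n", open_coded_size(huge));
    printf("checked size is SIZE_MAX: %d\n", saturating_size(huge) == SIZE_MAX);
    printf("allocation refused: %d\n", alloc_dma_buf(huge) == NULL);
    return 0;
}
```

With the open-coded form the caller receives a buffer of a few bytes while believing it holds `huge` elements; the checked form turns the same input into an allocation failure.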