kernel_samsung_a53x/drivers/mfd
Javier Carrasco 7529b3251f mfd: omap-usb-tll: Use struct_size to allocate tll
[ Upstream commit 40176714c818b0b6a2ca8213cdb7654fbd49b742 ]

Commit 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
changed the memory allocation of 'tll' to consolidate it into a single
allocation, introducing an incorrect size calculation.

In particular, the allocation for the array of pointers was converted
into a single-pointer allocation.

The memory allocation used to occur in two steps:

tll = devm_kzalloc(dev, sizeof(struct usbtll_omap), GFP_KERNEL);
tll->ch_clk = devm_kzalloc(dev, sizeof(struct clk *) * tll->nch,
                           GFP_KERNEL);

And it turned that into the following allocation:

tll = devm_kzalloc(dev, sizeof(*tll) + sizeof(tll->ch_clk[nch]),
                   GFP_KERNEL);

sizeof(tll->ch_clk[nch]) returns the size of a single pointer instead of
the expected nch pointers.

This bug went unnoticed because the allocation size was small enough to
fit within the minimum size of a memory allocation for this particular
case [1].

The complete allocation can still be done at once with the struct_size
macro, which comes in handy for structures with a trailing flexible
array.

Fix the memory allocation to obtain the original size again.

Link: https://lore.kernel.org/all/202406261121.2FFD65647@keescook/ [1]
Fixes: 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
Reviewed-by: Kees Cook <kees@kernel.org>
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Fixes: commit 16c2004d9e4d ("mfd: omap-usb-tll: Allocate driver data at once")
Link: https://lore.kernel.org/r/20240626-omap-usb-tll-counted_by-v2-1-4bedf20d1b51@gmail.com
Signed-off-by: Lee Jones <lee@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-11-23 23:20:09 +01:00
sm/sm5714
88pm80x.c
88pm800.c
88pm805.c
88pm860x-core.c
88pm860x-i2c.c
aat2870-core.c
ab3100-core.c
ab3100-otp.c
ab8500-core.c
ab8500-debugfs.c
ab8500-sysctrl.c
abx500-core.c
ac100.c
act8945a.c
adp5520.c
altera-a10sr.c
altera-sysmgr.c mfd: altera-sysmgr: Call of_node_put() only when of_parse_phandle() takes a ref 2024-11-19 08:44:54 +01:00
arizona-core.c
arizona-i2c.c
arizona-irq.c
arizona-spi.c
arizona.h
as3711.c
as3722.c
asic3.c
at91-usart.c
atmel-flexcom.c
atmel-hlcdc.c
atmel-smc.c
axp20x-i2c.c
axp20x-rsb.c
axp20x.c
bcm590xx.c
bcm2835-pm.c
bd9571mwv.c
cros_ec_dev.c
cs47l15-tables.c
cs47l24-tables.c
cs47l35-tables.c
cs47l85-tables.c
cs47l90-tables.c
cs47l92-tables.c
cs5535-mfd.c
da903x.c
da9052-core.c
da9052-i2c.c
da9052-irq.c
da9052-spi.c
da9055-core.c
da9055-i2c.c
da9062-core.c
da9063-core.c
da9063-i2c.c
da9063-irq.c
da9150-core.c
davinci_voicecodec.c
db8500-prcmu.c
dbx500-prcmu-regs.h
dln2.c
dm355evm_msp.c
ene-kb3930.c
exynos-lpass.c
ezx-pcap.c
fsl-imx25-tsadc.c
gateworks-gsc.c
hi655x-pmic.c
hi6421-pmic-core.c
htc-i2cpld.c
htc-pasic3.c
intel-lpss-acpi.c
intel-lpss-pci.c
intel-lpss.c
intel-lpss.h
intel-m10-bmc.c
intel_msic.c
intel_pmc_bxt.c
intel_quark_i2c_gpio.c
intel_soc_pmic_bxtwc.c
intel_soc_pmic_chtdc_ti.c
intel_soc_pmic_chtwc.c
intel_soc_pmic_core.c
intel_soc_pmic_core.h
intel_soc_pmic_crc.c
intel_soc_pmic_mrfld.c
ioc3.c
ipaq-micro.c
iqs62x.c
janz-cmodio.c
Kconfig mfd: ti_am335x_tscadc: Fix TI SoC dependencies 2024-11-18 12:13:19 +01:00
Kconfig.variant1
kempld-core.c
khadas-mcu.c
lm3533-core.c
lm3533-ctrlbank.c
lochnagar-i2c.c
lp873x.c
lp3943.c
lp8788-irq.c
lp8788.c
lp87565.c
lpc_ich.c
lpc_sch.c
madera-core.c
madera-i2c.c
madera-spi.c
madera.h
Makefile
Makefile.variant1
max8907.c
max8925-core.c
max8925-i2c.c
max8997-irq.c
max8997.c
max8998-irq.c
max8998.c
max14577.c
max77620.c
max77650.c
max77686.c
max77693.c
max77843.c
mc13xxx-core.c
mc13xxx-i2c.c
mc13xxx-spi.c
mc13xxx.h
mcp-core.c
mcp-sa11x0.c
menelaus.c
menf21bmc.c
mfd-core.c
motorola-cpcap.c
mp2629.c
mt6358-irq.c
mt6360-core.c
mt6397-core.c
mt6397-irq.c
mxs-lradc.c
omap-usb-host.c
omap-usb-tll.c mfd: omap-usb-tll: Use struct_size to allocate tll 2024-11-23 23:20:09 +01:00
omap-usb.h
palmas.c
pcf50633-adc.c
pcf50633-core.c
pcf50633-gpio.c
pcf50633-irq.c
qcom-pm8xxx.c
qcom-spmi-pmic.c
qcom_rpm.c
rave-sp.c
rc5t583-irq.c
rc5t583.c
rdc321x-southbridge.c
retu-mfd.c
rk808.c
rn5t618.c
rohm-bd718x7.c
rohm-bd70528.c
rohm-bd71828.c
rt5033.c
s2mpb02-core.c
s2mpb02-irq.c
s2mpm07_core.c
s2mps23_core.c
s2mps23_irq.c
s2mps24-notifier.c
s2mps24_core.c
s2mps25_core.c
s2mps25_irq.c
s2mps26_core.c
s2mps26_notifier.c
s2mpu13_core.c
s2mpu13_irq.c
s2mpu14_core.c
s2mpu14_notifier.c
sec-core.c
sec-irq.c
si476x-cmd.c
si476x-i2c.c
si476x-prop.c
simple-mfd-i2c.c
sky81452.c
sm501.c
sprd-sc27xx-spi.c
ssbi.c
sta2x11-mfd.c
stm32-lptimer.c
stm32-timers.c
stmfx.c
stmpe-i2c.c
stmpe-spi.c
stmpe.c
stmpe.h
stpmic1.c
stw481x.c
sun4i-gpadc.c
sun6i-prcm.c
syscon.c mfd: syscon: Call of_node_put() only when of_parse_phandle() takes a ref 2024-11-19 08:44:54 +01:00
t7l66xb.c
tc3589x.c
tc6387xb.c
tc6393xb.c
ti-lmu.c
ti_am335x_tscadc.c
timberdale.c
timberdale.h
tmio_core.c
tps6105x.c
tps6507x.c
tps6586x.c
tps65010.c
tps65086.c
tps65090.c
tps65217.c
tps65218.c
tps65910.c
tps65911-comparator.c
tps65912-core.c
tps65912-i2c.c
tps65912-spi.c
tps68470.c
tps80031.c
tqmx86.c
twl-core.c
twl-core.h
twl4030-audio.c
twl4030-irq.c
twl4030-power.c
twl6030-irq.c
twl6040.c
ucb1x00-assabet.c
ucb1x00-core.c
ucb1x00-ts.c
ucb1400_core.c
vexpress-sysreg.c
viperboard.c
vx855.c
wcd934x.c
wl1273-core.c
wm97xx-core.c
wm831x-auxadc.c
wm831x-core.c
wm831x-i2c.c
wm831x-irq.c
wm831x-otp.c
wm831x-spi.c
wm5102-tables.c
wm5110-tables.c
wm8350-core.c
wm8350-gpio.c
wm8350-i2c.c
wm8350-irq.c
wm8350-regmap.c
wm8400-core.c
wm8994-core.c
wm8994-irq.c
wm8994-regmap.c
wm8994.h
wm8997-tables.c
wm8998-tables.c