tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

treewide: Use struct_size() for kmalloc()-family

One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:

struct foo {
int stuff;
void *entry[];
};

instance = kmalloc(sizeof(struct foo) + sizeof(void *) * count, GFP_KERNEL);

Instead of leaving these open-coded and prone to type mistakes, we can
now use the new struct_size() helper:

instance = kmalloc(struct_size(instance, entry, count), GFP_KERNEL);

This patch makes the changes for kmalloc()-family (and kvmalloc()-family)
uses. It was done via automatic conversion with manual review for the
"CHECKME" non-standard cases noted below, using the following Coccinelle
script:

// pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len *
// sizeof *pkey_cache->table, GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@

- alloc(sizeof(*VAR) + COUNT * sizeof(*VAR->ELEMENT), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)

// mr = kzalloc(sizeof(*mr) + m * sizeof(mr->map[0]), GFP_KERNEL);
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
identifier VAR, ELEMENT;
expression COUNT;
@@

- alloc(sizeof(*VAR) + COUNT * sizeof(VAR->ELEMENT[0]), GFP)
+ alloc(struct_size(VAR, ELEMENT, COUNT), GFP)

// Same pattern, but can't trivially locate the trailing element name,
// or variable name.
@@
identifier alloc =~ "kmalloc|kzalloc|kvmalloc|kvzalloc";
expression GFP;
expression SOMETHING, COUNT, ELEMENT;
@@

- alloc(sizeof(SOMETHING) + COUNT * sizeof(ELEMENT), GFP)
+ alloc(CHECKME_struct_size(&SOMETHING, ELEMENT, COUNT), GFP)

Signed-off-by: Kees Cook <keescook@chromium.org>

Kees Cook acafe7e3 2509b561

+89 -116
+2 -2
drivers/clk/bcm/clk-iproc-asiu.c
··· 197 197 if (WARN_ON(!asiu)) 198 198 return; 199 199 200 - asiu->clk_data = kzalloc(sizeof(*asiu->clk_data->hws) * num_clks + 201 - sizeof(*asiu->clk_data), GFP_KERNEL); 200 + asiu->clk_data = kzalloc(struct_size(asiu->clk_data, hws, num_clks), 201 + GFP_KERNEL); 202 202 if (WARN_ON(!asiu->clk_data)) 203 203 goto err_clks; 204 204 asiu->clk_data->num = num_clks;
+1 -2
drivers/clk/bcm/clk-iproc-pll.c
··· 744 744 if (WARN_ON(!pll)) 745 745 return; 746 746 747 - clk_data = kzalloc(sizeof(*clk_data->hws) * num_clks + 748 - sizeof(*clk_data), GFP_KERNEL); 747 + clk_data = kzalloc(struct_size(clk_data, hws, num_clks), GFP_KERNEL); 749 748 if (WARN_ON(!clk_data)) 750 749 goto err_clk_data; 751 750 clk_data->num = num_clks;
+1 -2
drivers/clk/berlin/bg2.c
··· 509 509 u8 avpll_flags = 0; 510 510 int n, ret; 511 511 512 - clk_data = kzalloc(sizeof(*clk_data) + 513 - sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL); 512 + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); 514 513 if (!clk_data) 515 514 return; 516 515 clk_data->num = MAX_CLKS;
+1 -2
drivers/clk/berlin/bg2q.c
··· 295 295 struct clk_hw **hws; 296 296 int n, ret; 297 297 298 - clk_data = kzalloc(sizeof(*clk_data) + 299 - sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL); 298 + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); 300 299 if (!clk_data) 301 300 return; 302 301 clk_data->num = MAX_CLKS;
+1 -2
drivers/clk/clk-asm9260.c
··· 273 273 int n; 274 274 u32 accuracy = 0; 275 275 276 - clk_data = kzalloc(sizeof(*clk_data) + 277 - sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL); 276 + clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL); 278 277 if (!clk_data) 279 278 return; 280 279 clk_data->num = MAX_CLKS;
+3 -3
drivers/clk/clk-aspeed.c
··· 627 627 if (!scu_base) 628 628 return; 629 629 630 - aspeed_clk_data = kzalloc(sizeof(*aspeed_clk_data) + 631 - sizeof(*aspeed_clk_data->hws) * ASPEED_NUM_CLKS, 632 - GFP_KERNEL); 630 + aspeed_clk_data = kzalloc(struct_size(aspeed_clk_data, hws, 631 + ASPEED_NUM_CLKS), 632 + GFP_KERNEL); 633 633 if (!aspeed_clk_data) 634 634 return; 635 635
+3 -3
drivers/clk/clk-clps711x.c
··· 54 54 if (!base) 55 55 return ERR_PTR(-ENOMEM); 56 56 57 - clps711x_clk = kzalloc(sizeof(*clps711x_clk) + 58 - sizeof(*clps711x_clk->clk_data.hws) * CLPS711X_CLK_MAX, 59 - GFP_KERNEL); 57 + clps711x_clk = kzalloc(struct_size(clps711x_clk, clk_data.hws, 58 + CLPS711X_CLK_MAX), 59 + GFP_KERNEL); 60 60 if (!clps711x_clk) 61 61 return ERR_PTR(-ENOMEM); 62 62
+2 -2
drivers/clk/clk-efm32gg.c
··· 25 25 void __iomem *base; 26 26 struct clk_hw **hws; 27 27 28 - clk_data = kzalloc(sizeof(*clk_data) + 29 - sizeof(*clk_data->hws) * CMU_MAX_CLKS, GFP_KERNEL); 28 + clk_data = kzalloc(struct_size(clk_data, hws, CMU_MAX_CLKS), 29 + GFP_KERNEL); 30 30 31 31 if (!clk_data) 32 32 return;
+3 -3
drivers/clk/clk-gemini.c
··· 399 399 int ret; 400 400 int i; 401 401 402 - gemini_clk_data = kzalloc(sizeof(*gemini_clk_data) + 403 - sizeof(*gemini_clk_data->hws) * GEMINI_NUM_CLKS, 404 - GFP_KERNEL); 402 + gemini_clk_data = kzalloc(struct_size(gemini_clk_data, hws, 403 + GEMINI_NUM_CLKS), 404 + GFP_KERNEL); 405 405 if (!gemini_clk_data) 406 406 return; 407 407
+2 -3
drivers/clk/clk-stm32h7.c
··· 1201 1201 const char *hse_clk, *lse_clk, *i2s_clk; 1202 1202 struct regmap *pdrm; 1203 1203 1204 - clk_data = kzalloc(sizeof(*clk_data) + 1205 - sizeof(*clk_data->hws) * STM32H7_MAX_CLKS, 1206 - GFP_KERNEL); 1204 + clk_data = kzalloc(struct_size(clk_data, hws, STM32H7_MAX_CLKS), 1205 + GFP_KERNEL); 1207 1206 if (!clk_data) 1208 1207 return; 1209 1208
+2 -3
drivers/clk/clk-stm32mp1.c
··· 2060 2060 2061 2061 max_binding = data->maxbinding; 2062 2062 2063 - clk_data = kzalloc(sizeof(*clk_data) + 2064 - sizeof(*clk_data->hws) * max_binding, 2065 - GFP_KERNEL); 2063 + clk_data = kzalloc(struct_size(clk_data, hws, max_binding), 2064 + GFP_KERNEL); 2066 2065 if (!clk_data) 2067 2066 return -ENOMEM; 2068 2067
+1 -2
drivers/clk/samsung/clk-exynos-clkout.c
··· 61 61 int ret; 62 62 int i; 63 63 64 - clkout = kzalloc(sizeof(*clkout) + 65 - sizeof(*clkout->data.hws) * EXYNOS_CLKOUT_NR_CLKS, 64 + clkout = kzalloc(struct_size(clkout, data.hws, EXYNOS_CLKOUT_NR_CLKS), 66 65 GFP_KERNEL); 67 66 if (!clkout) 68 67 return;
+1 -1
drivers/dax/device.c
··· 594 594 if (!count) 595 595 return ERR_PTR(-EINVAL); 596 596 597 - dev_dax = kzalloc(sizeof(*dev_dax) + sizeof(*res) * count, GFP_KERNEL); 597 + dev_dax = kzalloc(struct_size(dev_dax, res, count), GFP_KERNEL); 598 598 if (!dev_dax) 599 599 return ERR_PTR(-ENOMEM); 600 600
+3 -6
drivers/dma/edma.c
··· 1074 1074 return NULL; 1075 1075 } 1076 1076 1077 - edesc = kzalloc(sizeof(*edesc) + sg_len * sizeof(edesc->pset[0]), 1078 - GFP_ATOMIC); 1077 + edesc = kzalloc(struct_size(edesc, pset, sg_len), GFP_ATOMIC); 1079 1078 if (!edesc) 1080 1079 return NULL; 1081 1080 ··· 1191 1192 nslots = 2; 1192 1193 } 1193 1194 1194 - edesc = kzalloc(sizeof(*edesc) + nslots * sizeof(edesc->pset[0]), 1195 - GFP_ATOMIC); 1195 + edesc = kzalloc(struct_size(edesc, pset, nslots), GFP_ATOMIC); 1196 1196 if (!edesc) 1197 1197 return NULL; 1198 1198 ··· 1313 1315 } 1314 1316 } 1315 1317 1316 - edesc = kzalloc(sizeof(*edesc) + nslots * sizeof(edesc->pset[0]), 1317 - GFP_ATOMIC); 1318 + edesc = kzalloc(struct_size(edesc, pset, nslots), GFP_ATOMIC); 1318 1319 if (!edesc) 1319 1320 return NULL; 1320 1321
+1 -1
drivers/dma/moxart-dma.c
··· 309 309 return NULL; 310 310 } 311 311 312 - d = kzalloc(sizeof(*d) + sg_len * sizeof(d->sg[0]), GFP_ATOMIC); 312 + d = kzalloc(struct_size(d, sg, sg_len), GFP_ATOMIC); 313 313 if (!d) 314 314 return NULL; 315 315
+1 -1
drivers/dma/omap-dma.c
··· 917 917 } 918 918 919 919 /* Now allocate and setup the descriptor. */ 920 - d = kzalloc(sizeof(*d) + sglen * sizeof(d->sg[0]), GFP_ATOMIC); 920 + d = kzalloc(struct_size(d, sg, sglen), GFP_ATOMIC); 921 921 if (!d) 922 922 return NULL; 923 923
+2 -2
drivers/dma/sa11x0-dma.c
··· 557 557 } 558 558 } 559 559 560 - txd = kzalloc(sizeof(*txd) + j * sizeof(txd->sg[0]), GFP_ATOMIC); 560 + txd = kzalloc(struct_size(txd, sg, j), GFP_ATOMIC); 561 561 if (!txd) { 562 562 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc); 563 563 return NULL; ··· 627 627 if (sglen == 0) 628 628 return NULL; 629 629 630 - txd = kzalloc(sizeof(*txd) + sglen * sizeof(txd->sg[0]), GFP_ATOMIC); 630 + txd = kzalloc(struct_size(txd, sg, sglen), GFP_ATOMIC); 631 631 if (!txd) { 632 632 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc); 633 633 return NULL;
+1 -1
drivers/dma/sh/usb-dmac.c
··· 269 269 struct usb_dmac_desc *desc; 270 270 unsigned long flags; 271 271 272 - desc = kzalloc(sizeof(*desc) + sg_len * sizeof(desc->sg[0]), gfp); 272 + desc = kzalloc(struct_size(desc, sg, sg_len), gfp); 273 273 if (!desc) 274 274 return -ENOMEM; 275 275
+1 -2
drivers/firewire/core-topology.c
··· 112 112 { 113 113 struct fw_node *node; 114 114 115 - node = kzalloc(sizeof(*node) + port_count * sizeof(node->ports[0]), 116 - GFP_ATOMIC); 115 + node = kzalloc(struct_size(node, ports, port_count), GFP_ATOMIC); 117 116 if (node == NULL) 118 117 return NULL; 119 118
+1 -2
drivers/gpio/gpiolib.c
··· 4022 4022 if (count < 0) 4023 4023 return ERR_PTR(count); 4024 4024 4025 - descs = kzalloc(sizeof(*descs) + sizeof(descs->desc[0]) * count, 4026 - GFP_KERNEL); 4025 + descs = kzalloc(struct_size(descs, desc, count), GFP_KERNEL); 4027 4026 if (!descs) 4028 4027 return ERR_PTR(-ENOMEM); 4029 4028
+2 -2
drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c
··· 779 779 780 780 sdom = spec; 781 781 while (sdom->signal_nr) { 782 - dom = kzalloc(sizeof(*dom) + sdom->signal_nr * 783 - sizeof(*dom->signal), GFP_KERNEL); 782 + dom = kzalloc(struct_size(dom, signal, sdom->signal_nr), 783 + GFP_KERNEL); 784 784 if (!dom) 785 785 return -ENOMEM; 786 786
+1 -1
drivers/hwspinlock/omap_hwspinlock.c
··· 132 132 133 133 num_locks = i * 32; /* actual number of locks in this device */ 134 134 135 - bank = kzalloc(sizeof(*bank) + num_locks * sizeof(*hwlock), GFP_KERNEL); 135 + bank = kzalloc(struct_size(bank, lock, num_locks), GFP_KERNEL); 136 136 if (!bank) { 137 137 ret = -ENOMEM; 138 138 goto iounmap_base;
+1 -1
drivers/hwspinlock/u8500_hsem.c
··· 119 119 /* clear all interrupts */ 120 120 writel(0xFFFF, io_base + HSEM_ICRALL); 121 121 122 - bank = kzalloc(sizeof(*bank) + num_locks * sizeof(*hwlock), GFP_KERNEL); 122 + bank = kzalloc(struct_size(bank, lock, num_locks), GFP_KERNEL); 123 123 if (!bank) { 124 124 ret = -ENOMEM; 125 125 goto iounmap_base;
+3 -2
drivers/infiniband/core/cache.c
··· 1157 1157 goto err; 1158 1158 } 1159 1159 1160 - pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len * 1161 - sizeof *pkey_cache->table, GFP_KERNEL); 1160 + pkey_cache = kmalloc(struct_size(pkey_cache, table, 1161 + tprops->pkey_tbl_len), 1162 + GFP_KERNEL); 1162 1163 if (!pkey_cache) 1163 1164 goto err; 1164 1165
+2 -2
drivers/infiniband/core/cm.c
··· 4298 4298 int count = 0; 4299 4299 u8 i; 4300 4300 4301 - cm_dev = kzalloc(sizeof(*cm_dev) + sizeof(*port) * 4302 - ib_device->phys_port_cnt, GFP_KERNEL); 4301 + cm_dev = kzalloc(struct_size(cm_dev, port, ib_device->phys_port_cnt), 4302 + GFP_KERNEL); 4303 4303 if (!cm_dev) 4304 4304 return; 4305 4305
+1 -1
drivers/infiniband/core/multicast.c
··· 813 813 int i; 814 814 int count = 0; 815 815 816 - dev = kmalloc(sizeof *dev + device->phys_port_cnt * sizeof *port, 816 + dev = kmalloc(struct_size(dev, port, device->phys_port_cnt), 817 817 GFP_KERNEL); 818 818 if (!dev) 819 819 return;
+2 -2
drivers/infiniband/core/uverbs_cmd.c
··· 2756 2756 struct ib_uflow_resources *resources; 2757 2757 2758 2758 resources = 2759 - kmalloc(sizeof(*resources) + 2760 - num_specs * sizeof(*resources->collection), GFP_KERNEL); 2759 + kmalloc(struct_size(resources, collection, num_specs), 2760 + GFP_KERNEL); 2761 2761 2762 2762 if (!resources) 2763 2763 return NULL;
+10 -11
drivers/infiniband/core/uverbs_ioctl_merge.c
··· 297 297 if (max_attr_buckets >= 0) 298 298 num_attr_buckets = max_attr_buckets + 1; 299 299 300 - method = kzalloc(sizeof(*method) + 301 - num_attr_buckets * sizeof(*method->attr_buckets), 300 + method = kzalloc(struct_size(method, attr_buckets, num_attr_buckets), 302 301 GFP_KERNEL); 303 302 if (!method) 304 303 return ERR_PTR(-ENOMEM); ··· 445 446 if (max_method_buckets >= 0) 446 447 num_method_buckets = max_method_buckets + 1; 447 448 448 - object = kzalloc(sizeof(*object) + 449 - num_method_buckets * 450 - sizeof(*object->method_buckets), GFP_KERNEL); 449 + object = kzalloc(struct_size(object, method_buckets, 450 + num_method_buckets), 451 + GFP_KERNEL); 451 452 if (!object) 452 453 return ERR_PTR(-ENOMEM); 453 454 ··· 468 469 if (methods_max_bucket < 0) 469 470 continue; 470 471 471 - hash = kzalloc(sizeof(*hash) + 472 - sizeof(*hash->methods) * (methods_max_bucket + 1), 472 + hash = kzalloc(struct_size(hash, methods, 473 + methods_max_bucket + 1), 473 474 GFP_KERNEL); 474 475 if (!hash) { 475 476 res = -ENOMEM; ··· 578 579 if (max_object_buckets >= 0) 579 580 num_objects_buckets = max_object_buckets + 1; 580 581 581 - root_spec = kzalloc(sizeof(*root_spec) + 582 - num_objects_buckets * sizeof(*root_spec->object_buckets), 582 + root_spec = kzalloc(struct_size(root_spec, object_buckets, 583 + num_objects_buckets), 583 584 GFP_KERNEL); 584 585 if (!root_spec) 585 586 return ERR_PTR(-ENOMEM); ··· 602 603 if (objects_max_bucket < 0) 603 604 continue; 604 605 605 - hash = kzalloc(sizeof(*hash) + 606 - sizeof(*hash->objects) * (objects_max_bucket + 1), 606 + hash = kzalloc(struct_size(hash, objects, 607 + objects_max_bucket + 1), 607 608 GFP_KERNEL); 608 609 if (!hash) { 609 610 res = -ENOMEM;
+2 -2
drivers/infiniband/hw/mthca/mthca_memfree.c
··· 367 367 obj_per_chunk = MTHCA_TABLE_CHUNK_SIZE / obj_size; 368 368 num_icm = DIV_ROUND_UP(nobj, obj_per_chunk); 369 369 370 - table = kmalloc(sizeof *table + num_icm * sizeof *table->icm, GFP_KERNEL); 370 + table = kmalloc(struct_size(table, icm, num_icm), GFP_KERNEL); 371 371 if (!table) 372 372 return NULL; 373 373 ··· 529 529 return NULL; 530 530 531 531 npages = dev->uar_table.uarc_size / MTHCA_ICM_PAGE_SIZE; 532 - db_tab = kmalloc(sizeof *db_tab + npages * sizeof *db_tab->page, GFP_KERNEL); 532 + db_tab = kmalloc(struct_size(db_tab, page, npages), GFP_KERNEL); 533 533 if (!db_tab) 534 534 return ERR_PTR(-ENOMEM); 535 535
+2 -2
drivers/infiniband/sw/rdmavt/mr.c
··· 283 283 284 284 /* Allocate struct plus pointers to first level page tables. */ 285 285 m = (count + RVT_SEGSZ - 1) / RVT_SEGSZ; 286 - mr = kzalloc(sizeof(*mr) + m * sizeof(mr->mr.map[0]), GFP_KERNEL); 286 + mr = kzalloc(struct_size(mr, mr.map, m), GFP_KERNEL); 287 287 if (!mr) 288 288 goto bail; 289 289 ··· 730 730 731 731 /* Allocate struct plus pointers to first level page tables. */ 732 732 m = (fmr_attr->max_pages + RVT_SEGSZ - 1) / RVT_SEGSZ; 733 - fmr = kzalloc(sizeof(*fmr) + m * sizeof(fmr->mr.map[0]), GFP_KERNEL); 733 + fmr = kzalloc(struct_size(fmr, mr.map, m), GFP_KERNEL); 734 734 if (!fmr) 735 735 goto bail; 736 736
+1 -2
drivers/input/input-leds.c
··· 98 98 if (!num_leds) 99 99 return -ENXIO; 100 100 101 - leds = kzalloc(sizeof(*leds) + num_leds * sizeof(*leds->leds), 102 - GFP_KERNEL); 101 + leds = kzalloc(struct_size(leds, leds, num_leds), GFP_KERNEL); 103 102 if (!leds) 104 103 return -ENOMEM; 105 104
+1 -1
drivers/input/input-mt.c
··· 49 49 if (mt) 50 50 return mt->num_slots != num_slots ? -EINVAL : 0; 51 51 52 - mt = kzalloc(sizeof(*mt) + num_slots * sizeof(*mt->slots), GFP_KERNEL); 52 + mt = kzalloc(struct_size(mt, slots, num_slots), GFP_KERNEL); 53 53 if (!mt) 54 54 goto err_mem; 55 55
+1 -1
drivers/md/dm-raid.c
··· 756 756 return ERR_PTR(-EINVAL); 757 757 } 758 758 759 - rs = kzalloc(sizeof(*rs) + raid_devs * sizeof(rs->dev[0]), GFP_KERNEL); 759 + rs = kzalloc(struct_size(rs, dev, raid_devs), GFP_KERNEL); 760 760 if (!rs) { 761 761 ti->error = "Cannot allocate raid context"; 762 762 return ERR_PTR(-ENOMEM);
+1 -2
drivers/misc/vexpress-syscfg.c
··· 182 182 val = energy_quirk; 183 183 } 184 184 185 - func = kzalloc(sizeof(*func) + sizeof(*func->template) * num, 186 - GFP_KERNEL); 185 + func = kzalloc(struct_size(func, template, num), GFP_KERNEL); 187 186 if (!func) 188 187 return ERR_PTR(-ENOMEM); 189 188
+1 -1
drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
··· 494 494 int err; 495 495 int i; 496 496 497 - d = kzalloc(sizeof(*d) + nfile * sizeof(d->fields[0]), GFP_KERNEL); 497 + d = kzalloc(struct_size(d, fields, nfile), GFP_KERNEL); 498 498 if (!d) 499 499 return -ENOMEM; 500 500
+1 -2
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
··· 1191 1191 { 1192 1192 struct mlx5_flow_handle *handle; 1193 1193 1194 - handle = kzalloc(sizeof(*handle) + sizeof(handle->rule[0]) * 1195 - num_rules, GFP_KERNEL); 1194 + handle = kzalloc(struct_size(handle, rule, num_rules), GFP_KERNEL); 1196 1195 if (!handle) 1197 1196 return NULL; 1198 1197
+2 -3
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
··· 2987 2987 2988 2988 mvmsta = iwl_mvm_sta_from_mac80211(sta); 2989 2989 WARN_ON(rcu_access_pointer(mvmsta->ptk_pn[keyidx])); 2990 - ptk_pn = kzalloc(sizeof(*ptk_pn) + 2991 - mvm->trans->num_rx_queues * 2992 - sizeof(ptk_pn->q[0]), 2990 + ptk_pn = kzalloc(struct_size(ptk_pn, q, 2991 + mvm->trans->num_rx_queues), 2993 2992 GFP_KERNEL); 2994 2993 if (!ptk_pn) { 2995 2994 ret = -ENOMEM;
+1 -2
drivers/net/wireless/mediatek/mt76/agg-rx.c
··· 236 236 237 237 mt76_rx_aggr_stop(dev, wcid, tidno); 238 238 239 - tid = kzalloc(sizeof(*tid) + size * sizeof(tid->reorder_buf[0]), 240 - GFP_KERNEL); 239 + tid = kzalloc(struct_size(tid, reorder_buf, size), GFP_KERNEL); 241 240 if (!tid) 242 241 return -ENOMEM; 243 242
+1 -2
drivers/reset/core.c
··· 730 730 if (num < 0) 731 731 return optional ? NULL : ERR_PTR(num); 732 732 733 - resets = kzalloc(sizeof(*resets) + sizeof(resets->rstc[0]) * num, 734 - GFP_KERNEL); 733 + resets = kzalloc(struct_size(resets, rstc, num), GFP_KERNEL); 735 734 if (!resets) 736 735 return ERR_PTR(-ENOMEM); 737 736
+1 -2
drivers/s390/cio/ccwgroup.c
··· 326 326 if (num_devices < 1) 327 327 return -EINVAL; 328 328 329 - gdev = kzalloc(sizeof(*gdev) + num_devices * sizeof(gdev->cdev[0]), 330 - GFP_KERNEL); 329 + gdev = kzalloc(struct_size(gdev, cdev, num_devices), GFP_KERNEL); 331 330 if (!gdev) 332 331 return -ENOMEM; 333 332
+2 -2
drivers/staging/greybus/module.c
··· 94 94 struct gb_module *module; 95 95 int i; 96 96 97 - module = kzalloc(sizeof(*module) + num_interfaces * sizeof(intf), 98 - GFP_KERNEL); 97 + module = kzalloc(struct_size(module, interfaces, num_interfaces), 98 + GFP_KERNEL); 99 99 if (!module) 100 100 return NULL; 101 101
+2 -3
drivers/usb/gadget/function/f_midi.c
··· 1287 1287 } 1288 1288 1289 1289 /* allocate and initialize one new instance */ 1290 - midi = kzalloc( 1291 - sizeof(*midi) + opts->in_ports * sizeof(*midi->in_ports_array), 1292 - GFP_KERNEL); 1290 + midi = kzalloc(struct_size(midi, in_ports_array, opts->in_ports), 1291 + GFP_KERNEL); 1293 1292 if (!midi) { 1294 1293 status = -ENOMEM; 1295 1294 goto setup_fail;
+1 -2
drivers/zorro/zorro.c
··· 136 136 int error; 137 137 138 138 /* Initialize the Zorro bus */ 139 - bus = kzalloc(sizeof(*bus) + 140 - zorro_num_autocon * sizeof(bus->devices[0]), 139 + bus = kzalloc(struct_size(bus, devices, zorro_num_autocon), 141 140 GFP_KERNEL); 142 141 if (!bus) 143 142 return -ENOMEM;
+1 -2
fs/afs/addr_list.c
··· 43 43 44 44 _enter("%u,%u,%u", nr, service, port); 45 45 46 - alist = kzalloc(sizeof(*alist) + sizeof(alist->addrs[0]) * nr, 47 - GFP_KERNEL); 46 + alist = kzalloc(struct_size(alist, addrs, nr), GFP_KERNEL); 48 47 if (!alist) 49 48 return NULL; 50 49
+2 -2
kernel/cgroup/cgroup.c
··· 4775 4775 int ret; 4776 4776 4777 4777 /* allocate the cgroup and its ID, 0 is reserved for the root */ 4778 - cgrp = kzalloc(sizeof(*cgrp) + 4779 - sizeof(cgrp->ancestor_ids[0]) * (level + 1), GFP_KERNEL); 4778 + cgrp = kzalloc(struct_size(cgrp, ancestor_ids, (level + 1)), 4779 + GFP_KERNEL); 4780 4780 if (!cgrp) 4781 4781 return ERR_PTR(-ENOMEM); 4782 4782
+1 -2
kernel/module.c
··· 1604 1604 if (notes == 0) 1605 1605 return; 1606 1606 1607 - notes_attrs = kzalloc(sizeof(*notes_attrs) 1608 - + notes * sizeof(notes_attrs->attrs[0]), 1607 + notes_attrs = kzalloc(struct_size(notes_attrs, attrs, notes), 1609 1608 GFP_KERNEL); 1610 1609 if (notes_attrs == NULL) 1611 1610 return;
+1 -2
kernel/workqueue.c
··· 3700 3700 3701 3701 lockdep_assert_held(&wq_pool_mutex); 3702 3702 3703 - ctx = kzalloc(sizeof(*ctx) + nr_node_ids * sizeof(ctx->pwq_tbl[0]), 3704 - GFP_KERNEL); 3703 + ctx = kzalloc(struct_size(ctx, pwq_tbl, nr_node_ids), GFP_KERNEL); 3705 3704 3706 3705 new_attrs = alloc_workqueue_attrs(GFP_KERNEL); 3707 3706 tmp_attrs = alloc_workqueue_attrs(GFP_KERNEL);
+2 -3
net/ceph/mon_client.c
··· 62 62 63 63 if (num_mon > CEPH_MAX_MON) 64 64 goto bad; 65 - m = kmalloc(sizeof(*m) + sizeof(m->mon_inst[0])*num_mon, GFP_NOFS); 65 + m = kmalloc(struct_size(m, mon_inst, num_mon), GFP_NOFS); 66 66 if (m == NULL) 67 67 return ERR_PTR(-ENOMEM); 68 68 m->fsid = fsid; ··· 1000 1000 int i; 1001 1001 1002 1002 /* build initial monmap */ 1003 - monc->monmap = kzalloc(sizeof(*monc->monmap) + 1004 - num_mon*sizeof(monc->monmap->mon_inst[0]), 1003 + monc->monmap = kzalloc(struct_size(monc->monmap, mon_inst, num_mon), 1005 1004 GFP_KERNEL); 1006 1005 if (!monc->monmap) 1007 1006 return -ENOMEM;
+1 -2
net/ceph/osd_client.c
··· 565 565 req = kmem_cache_alloc(ceph_osd_request_cache, gfp_flags); 566 566 } else { 567 567 BUG_ON(num_ops > CEPH_OSD_MAX_OPS); 568 - req = kmalloc(sizeof(*req) + num_ops * sizeof(req->r_ops[0]), 569 - gfp_flags); 568 + req = kmalloc(struct_size(req, r_ops, num_ops), gfp_flags); 570 569 } 571 570 if (unlikely(!req)) 572 571 return NULL;
+1 -2
net/netfilter/xt_recent.c
··· 184 184 } 185 185 186 186 nstamps_max += 1; 187 - e = kmalloc(sizeof(*e) + sizeof(e->stamps[0]) * nstamps_max, 188 - GFP_ATOMIC); 187 + e = kmalloc(struct_size(e, stamps, nstamps_max), GFP_ATOMIC); 189 188 if (e == NULL) 190 189 return NULL; 191 190 memcpy(&e->addr, addr, sizeof(e->addr));
+2 -2
net/sctp/endpointola.c
··· 73 73 * variables. There are arrays that we encode directly 74 74 * into parameters to make the rest of the operations easier. 75 75 */ 76 - auth_hmacs = kzalloc(sizeof(*auth_hmacs) + 77 - sizeof(__u16) * SCTP_AUTH_NUM_HMACS, gfp); 76 + auth_hmacs = kzalloc(struct_size(auth_hmacs, hmac_ids, 77 + SCTP_AUTH_NUM_HMACS), gfp); 78 78 if (!auth_hmacs) 79 79 goto nomem; 80 80
+2 -2
sound/core/vmaster.c
··· 259 259 struct link_master *master_link = snd_kcontrol_chip(master); 260 260 struct link_slave *srec; 261 261 262 - srec = kzalloc(sizeof(*srec) + 263 - slave->count * sizeof(*slave->vd), GFP_KERNEL); 262 + srec = kzalloc(struct_size(srec, slave.vd, slave->count), 263 + GFP_KERNEL); 264 264 if (!srec) 265 265 return -ENOMEM; 266 266 srec->kctl = slave;
+1 -1
sound/soc/soc-dapm.c
··· 1088 1088 list_for_each(it, widgets) 1089 1089 size++; 1090 1090 1091 - *list = kzalloc(sizeof(**list) + size * sizeof(*w), GFP_KERNEL); 1091 + *list = kzalloc(struct_size(*list, widgets, size), GFP_KERNEL); 1092 1092 if (*list == NULL) 1093 1093 return -ENOMEM; 1094 1094