| Message ID | X8ikqc4Mo2/0G72j@mwanda (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [1/2] usb: mtu3: fix memory corruption in mtu3_debugfs_regset() | expand |
On Thu, 2020-12-03 at 11:41 +0300, Dan Carpenter wrote: > This code is using the wrong sizeof() so it does not allocate enough > memory. It allocates 32 bytes but 72 are required. That will lead to > memory corruption. > > Fixes: ae07809255d3 ("usb: mtu3: add debugfs interface files") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > drivers/usb/mtu3/mtu3_debugfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/mtu3/mtu3_debugfs.c b/drivers/usb/mtu3/mtu3_debugfs.c > index fdeade6254ae..7537bfd651af 100644 > --- a/drivers/usb/mtu3/mtu3_debugfs.c > +++ b/drivers/usb/mtu3/mtu3_debugfs.c > @@ -127,7 +127,7 @@ static void mtu3_debugfs_regset(struct mtu3 *mtu, void __iomem *base, > struct debugfs_regset32 *regset; > struct mtu3_regset *mregs; > > - mregs = devm_kzalloc(mtu->dev, sizeof(*regset), GFP_KERNEL); > + mregs = devm_kzalloc(mtu->dev, sizeof(*mregs), GFP_KERNEL); > if (!mregs) > return; > Acked-by: Chunfeng Yun <chunfeng.yun@mediatek.com> Thanks
diff --git a/drivers/usb/mtu3/mtu3_debugfs.c b/drivers/usb/mtu3/mtu3_debugfs.c index fdeade6254ae..7537bfd651af 100644 --- a/drivers/usb/mtu3/mtu3_debugfs.c +++ b/drivers/usb/mtu3/mtu3_debugfs.c @@ -127,7 +127,7 @@ static void mtu3_debugfs_regset(struct mtu3 *mtu, void __iomem *base, struct debugfs_regset32 *regset; struct mtu3_regset *mregs; - mregs = devm_kzalloc(mtu->dev, sizeof(*regset), GFP_KERNEL); + mregs = devm_kzalloc(mtu->dev, sizeof(*mregs), GFP_KERNEL); if (!mregs) return;
This code is using the wrong sizeof() so it does not allocate enough memory. It allocates 32 bytes but 72 are required. That will lead to memory corruption. Fixes: ae07809255d3 ("usb: mtu3: add debugfs interface files") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/usb/mtu3/mtu3_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)