Merge tag 'for-linus-5.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "One minor fix and a small cleanup for the xen privcmd driver"

* tag 'for-linus-5.1b-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen: Prevent buffer overflow in privcmd ioctl
  xen: use struct_size() helper in kzalloc()

2 files changed, 4 insertions, 2 deletions

diff --git a/arch/x86/include/asm/xen/hypercall.h b/arch/x86/include/asm/xen/hypercall.h
index de6f0d59a24f..2863c2026655 100644
--- a/arch/x86/include/asm/xen/hypercall.h
+++ b/arch/x86/include/asm/xen/hypercall.h
@@ -206,6 +206,9 @@ xen_single_call(unsigned int call,
         __HYPERCALL_DECLS;
         __HYPERCALL_5ARG(a1, a2, a3, a4, a5);
 
+        if (call >= PAGE_SIZE / sizeof(hypercall_page[0]))
+                return -EINVAL;
+
         asm volatile(CALL_NOSPEC
                      : __HYPERCALL_5PARAM
                      : [thunk_target] "a" (&hypercall_page[call])
diff --git a/drivers/xen/privcmd-buf.c b/drivers/xen/privcmd-buf.c
index de01a6d0059d..a1c61e351d3f 100644
--- a/drivers/xen/privcmd-buf.c
+++ b/drivers/xen/privcmd-buf.c
@@ -140,8 +140,7 @@ static int privcmd_buf_mmap(struct file *file, struct vm_area_struct *vma)
         if (!(vma->vm_flags & VM_SHARED))
                 return -EINVAL;
 
-        vma_priv = kzalloc(sizeof(*vma_priv) + count * sizeof(void *),
-                           GFP_KERNEL);
+        vma_priv = kzalloc(struct_size(vma_priv, pages, count), GFP_KERNEL);
         if (!vma_priv)
                 return -ENOMEM;