aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--crypto/af_alg.c4
-rw-r--r--drivers/base/devres.c7
-rw-r--r--drivers/clk/bcm/clk-bcm2835-aux.c6
-rw-r--r--drivers/clk/bcm/clk-bcm2835.c4
-rw-r--r--drivers/clk/bcm/clk-iproc-asiu.c4
-rw-r--r--drivers/clk/bcm/clk-iproc-pll.c3
-rw-r--r--drivers/clk/berlin/bg2.c3
-rw-r--r--drivers/clk/berlin/bg2q.c3
-rw-r--r--drivers/clk/clk-asm9260.c3
-rw-r--r--drivers/clk/clk-aspeed.c6
-rw-r--r--drivers/clk/clk-clps711x.c6
-rw-r--r--drivers/clk/clk-efm32gg.c4
-rw-r--r--drivers/clk/clk-gemini.c6
-rw-r--r--drivers/clk/clk-s2mps11.c4
-rw-r--r--drivers/clk/clk-scmi.c4
-rw-r--r--drivers/clk/clk-stm32h7.c5
-rw-r--r--drivers/clk/clk-stm32mp1.c5
-rw-r--r--drivers/clk/davinci/da8xx-cfgchip.c4
-rw-r--r--drivers/clk/mvebu/armada-37xx-periph.c7
-rw-r--r--drivers/clk/mvebu/armada-37xx-tbg.c4
-rw-r--r--drivers/clk/qcom/clk-spmi-pmic-div.c3
-rw-r--r--drivers/clk/samsung/clk-exynos-audss.c4
-rw-r--r--drivers/clk/samsung/clk-exynos-clkout.c3
-rw-r--r--drivers/clk/samsung/clk-exynos5433.c4
-rw-r--r--drivers/clk/samsung/clk-s3c2410-dclk.c7
-rw-r--r--drivers/clk/samsung/clk-s5pv210-audss.c3
-rw-r--r--drivers/dax/device.c2
-rw-r--r--drivers/dma/bcm-sba-raid.c5
-rw-r--r--drivers/dma/edma.c9
-rw-r--r--drivers/dma/moxart-dma.c2
-rw-r--r--drivers/dma/nbpfaxi.c4
-rw-r--r--drivers/dma/omap-dma.c2
-rw-r--r--drivers/dma/sa11x0-dma.c4
-rw-r--r--drivers/dma/sh/usb-dmac.c2
-rw-r--r--drivers/dma/sprd-dma.c4
-rw-r--r--drivers/firewire/core-topology.c3
-rw-r--r--drivers/gpio/gpio-uniphier.c3
-rw-r--r--drivers/gpio/gpiolib.c3
-rw-r--r--drivers/gpu/drm/nouveau/nvkm/core/ramht.c3
-rw-r--r--drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c4
-rw-r--r--drivers/hwspinlock/omap_hwspinlock.c2
-rw-r--r--drivers/hwspinlock/sirf_hwspinlock.c6
-rw-r--r--drivers/hwspinlock/u8500_hsem.c2
-rw-r--r--drivers/infiniband/core/cache.c5
-rw-r--r--drivers/infiniband/core/cm.c4
-rw-r--r--drivers/infiniband/core/multicast.c2
-rw-r--r--drivers/infiniband/core/uverbs_cmd.c4
-rw-r--r--drivers/infiniband/core/uverbs_ioctl_merge.c21
-rw-r--r--drivers/infiniband/hw/mthca/mthca_memfree.c4
-rw-r--r--drivers/infiniband/sw/rdmavt/mr.c4
-rw-r--r--drivers/input/input-leds.c3
-rw-r--r--drivers/input/input-mt.c2
-rw-r--r--drivers/input/keyboard/cap11xx.c3
-rw-r--r--drivers/md/dm-raid.c2
-rw-r--r--drivers/md/dm-table.c10
-rw-r--r--drivers/mfd/qcom-pm8xxx.c4
-rw-r--r--drivers/misc/cb710/core.c4
-rw-r--r--drivers/misc/vexpress-syscfg.c3
-rw-r--r--drivers/mtd/spi-nor/aspeed-smc.c5
-rw-r--r--drivers/net/can/peak_canfd/peak_pciefd_main.c3
-rw-r--r--drivers/net/ethernet/mellanox/mlx5/core/debugfs.c2
-rw-r--r--drivers/net/ethernet/mellanox/mlx5/core/fs_core.c3
-rw-r--r--drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c5
-rw-r--r--drivers/net/wireless/mediatek/mt76/agg-rx.c3
-rw-r--r--drivers/pinctrl/samsung/pinctrl-s3c64xx.c4
-rw-r--r--drivers/pinctrl/uniphier/pinctrl-uniphier-core.c3
-rw-r--r--drivers/regulator/mc13783-regulator.c6
-rw-r--r--drivers/regulator/mc13892-regulator.c6
-rw-r--r--drivers/reset/core.c3
-rw-r--r--drivers/rtc/rtc-ac100.c8
-rw-r--r--drivers/s390/cio/ccwgroup.c3
-rw-r--r--drivers/soc/actions/owl-sps.c4
-rw-r--r--drivers/soc/rockchip/pm_domains.c3
-rw-r--r--drivers/staging/greybus/module.c4
-rw-r--r--drivers/thermal/qcom/tsens.c6
-rw-r--r--drivers/usb/gadget/function/f_midi.c5
-rw-r--r--drivers/zorro/zorro.c3
-rw-r--r--fs/afs/addr_list.c3
-rw-r--r--include/linux/compiler-clang.h14
-rw-r--r--include/linux/compiler-gcc.h4
-rw-r--r--include/linux/compiler-intel.h4
-rw-r--r--include/linux/device.h8
-rw-r--r--include/linux/mm.h7
-rw-r--r--include/linux/overflow.h278
-rw-r--r--include/linux/slab.h17
-rw-r--r--include/linux/vmalloc.h1
-rw-r--r--kernel/cgroup/cgroup.c4
-rw-r--r--kernel/module.c3
-rw-r--r--kernel/workqueue.c3
-rw-r--r--lib/Kconfig.debug3
-rw-r--r--lib/Makefile1
-rw-r--r--lib/test_overflow.c417
-rw-r--r--net/ceph/mon_client.c5
-rw-r--r--net/ceph/osd_client.c3
-rw-r--r--net/netfilter/xt_recent.c3
-rw-r--r--net/sctp/endpointola.c4
-rw-r--r--sound/core/vmaster.c4
-rw-r--r--sound/soc/qcom/apq8016_sbc.c3
-rw-r--r--sound/soc/soc-dapm.c2
99 files changed, 916 insertions, 205 deletions
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 89ed613c017e..49fa8582138b 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -500,8 +500,8 @@ int af_alg_alloc_tsgl(struct sock *sk)
500 sg = sgl->sg; 500 sg = sgl->sg;
501 501
502 if (!sg || sgl->cur >= MAX_SGL_ENTS) { 502 if (!sg || sgl->cur >= MAX_SGL_ENTS) {
503 sgl = sock_kmalloc(sk, sizeof(*sgl) + 503 sgl = sock_kmalloc(sk,
504 sizeof(sgl->sg[0]) * (MAX_SGL_ENTS + 1), 504 struct_size(sgl, sg, (MAX_SGL_ENTS + 1)),
505 GFP_KERNEL); 505 GFP_KERNEL);
506 if (!sgl) 506 if (!sgl)
507 return -ENOMEM; 507 return -ENOMEM;
diff --git a/drivers/base/devres.c b/drivers/base/devres.c
index 95b67281cd2a..f98a097e73f2 100644
--- a/drivers/base/devres.c
+++ b/drivers/base/devres.c
@@ -84,9 +84,14 @@ static struct devres_group * node_to_group(struct devres_node *node)
84static __always_inline struct devres * alloc_dr(dr_release_t release, 84static __always_inline struct devres * alloc_dr(dr_release_t release,
85 size_t size, gfp_t gfp, int nid) 85 size_t size, gfp_t gfp, int nid)
86{ 86{
87 size_t tot_size = sizeof(struct devres) + size; 87 size_t tot_size;
88 struct devres *dr; 88 struct devres *dr;
89 89
90 /* We must catch any near-SIZE_MAX cases that could overflow. */
91 if (unlikely(check_add_overflow(sizeof(struct devres), size,
92 &tot_size)))
93 return NULL;
94
90 dr = kmalloc_node_track_caller(tot_size, gfp, nid); 95 dr = kmalloc_node_track_caller(tot_size, gfp, nid);
91 if (unlikely(!dr)) 96 if (unlikely(!dr))
92 return NULL; 97 return NULL;
diff --git a/drivers/clk/bcm/clk-bcm2835-aux.c b/drivers/clk/bcm/clk-bcm2835-aux.c
index 77e276d61702..f225ad29b110 100644
--- a/drivers/clk/bcm/clk-bcm2835-aux.c
+++ b/drivers/clk/bcm/clk-bcm2835-aux.c
@@ -40,8 +40,10 @@ static int bcm2835_aux_clk_probe(struct platform_device *pdev)
40 if (IS_ERR(reg)) 40 if (IS_ERR(reg))
41 return PTR_ERR(reg); 41 return PTR_ERR(reg);
42 42
43 onecell = devm_kmalloc(dev, sizeof(*onecell) + sizeof(*onecell->hws) * 43 onecell = devm_kmalloc(dev,
44 BCM2835_AUX_CLOCK_COUNT, GFP_KERNEL); 44 struct_size(onecell, hws,
45 BCM2835_AUX_CLOCK_COUNT),
46 GFP_KERNEL);
45 if (!onecell) 47 if (!onecell)
46 return -ENOMEM; 48 return -ENOMEM;
47 onecell->num = BCM2835_AUX_CLOCK_COUNT; 49 onecell->num = BCM2835_AUX_CLOCK_COUNT;
diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
index fa0d5c8611a0..6d4e69edfb36 100644
--- a/drivers/clk/bcm/clk-bcm2835.c
+++ b/drivers/clk/bcm/clk-bcm2835.c
@@ -2147,8 +2147,8 @@ static int bcm2835_clk_probe(struct platform_device *pdev)
2147 size_t i; 2147 size_t i;
2148 int ret; 2148 int ret;
2149 2149
2150 cprman = devm_kzalloc(dev, sizeof(*cprman) + 2150 cprman = devm_kzalloc(dev,
2151 sizeof(*cprman->onecell.hws) * asize, 2151 struct_size(cprman, onecell.hws, asize),
2152 GFP_KERNEL); 2152 GFP_KERNEL);
2153 if (!cprman) 2153 if (!cprman)
2154 return -ENOMEM; 2154 return -ENOMEM;
diff --git a/drivers/clk/bcm/clk-iproc-asiu.c b/drivers/clk/bcm/clk-iproc-asiu.c
index 4360e481368b..6fb8af506777 100644
--- a/drivers/clk/bcm/clk-iproc-asiu.c
+++ b/drivers/clk/bcm/clk-iproc-asiu.c
@@ -197,8 +197,8 @@ void __init iproc_asiu_setup(struct device_node *node,
197 if (WARN_ON(!asiu)) 197 if (WARN_ON(!asiu))
198 return; 198 return;
199 199
200 asiu->clk_data = kzalloc(sizeof(*asiu->clk_data->hws) * num_clks + 200 asiu->clk_data = kzalloc(struct_size(asiu->clk_data, hws, num_clks),
201 sizeof(*asiu->clk_data), GFP_KERNEL); 201 GFP_KERNEL);
202 if (WARN_ON(!asiu->clk_data)) 202 if (WARN_ON(!asiu->clk_data))
203 goto err_clks; 203 goto err_clks;
204 asiu->clk_data->num = num_clks; 204 asiu->clk_data->num = num_clks;
diff --git a/drivers/clk/bcm/clk-iproc-pll.c b/drivers/clk/bcm/clk-iproc-pll.c
index 43a58ae5a89d..274441e2ddb2 100644
--- a/drivers/clk/bcm/clk-iproc-pll.c
+++ b/drivers/clk/bcm/clk-iproc-pll.c
@@ -744,8 +744,7 @@ void iproc_pll_clk_setup(struct device_node *node,
744 if (WARN_ON(!pll)) 744 if (WARN_ON(!pll))
745 return; 745 return;
746 746
747 clk_data = kzalloc(sizeof(*clk_data->hws) * num_clks + 747 clk_data = kzalloc(struct_size(clk_data, hws, num_clks), GFP_KERNEL);
748 sizeof(*clk_data), GFP_KERNEL);
749 if (WARN_ON(!clk_data)) 748 if (WARN_ON(!clk_data))
750 goto err_clk_data; 749 goto err_clk_data;
751 clk_data->num = num_clks; 750 clk_data->num = num_clks;
diff --git a/drivers/clk/berlin/bg2.c b/drivers/clk/berlin/bg2.c
index e7331ace0337..45fb888bf0a0 100644
--- a/drivers/clk/berlin/bg2.c
+++ b/drivers/clk/berlin/bg2.c
@@ -509,8 +509,7 @@ static void __init berlin2_clock_setup(struct device_node *np)
509 u8 avpll_flags = 0; 509 u8 avpll_flags = 0;
510 int n, ret; 510 int n, ret;
511 511
512 clk_data = kzalloc(sizeof(*clk_data) + 512 clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
513 sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL);
514 if (!clk_data) 513 if (!clk_data)
515 return; 514 return;
516 clk_data->num = MAX_CLKS; 515 clk_data->num = MAX_CLKS;
diff --git a/drivers/clk/berlin/bg2q.c b/drivers/clk/berlin/bg2q.c
index 67c270b143f7..db7364e15c8b 100644
--- a/drivers/clk/berlin/bg2q.c
+++ b/drivers/clk/berlin/bg2q.c
@@ -295,8 +295,7 @@ static void __init berlin2q_clock_setup(struct device_node *np)
295 struct clk_hw **hws; 295 struct clk_hw **hws;
296 int n, ret; 296 int n, ret;
297 297
298 clk_data = kzalloc(sizeof(*clk_data) + 298 clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
299 sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL);
300 if (!clk_data) 299 if (!clk_data)
301 return; 300 return;
302 clk_data->num = MAX_CLKS; 301 clk_data->num = MAX_CLKS;
diff --git a/drivers/clk/clk-asm9260.c b/drivers/clk/clk-asm9260.c
index bf0582cbbf38..44b544157121 100644
--- a/drivers/clk/clk-asm9260.c
+++ b/drivers/clk/clk-asm9260.c
@@ -273,8 +273,7 @@ static void __init asm9260_acc_init(struct device_node *np)
273 int n; 273 int n;
274 u32 accuracy = 0; 274 u32 accuracy = 0;
275 275
276 clk_data = kzalloc(sizeof(*clk_data) + 276 clk_data = kzalloc(struct_size(clk_data, hws, MAX_CLKS), GFP_KERNEL);
277 sizeof(*clk_data->hws) * MAX_CLKS, GFP_KERNEL);
278 if (!clk_data) 277 if (!clk_data)
279 return; 278 return;
280 clk_data->num = MAX_CLKS; 279 clk_data->num = MAX_CLKS;
diff --git a/drivers/clk/clk-aspeed.c b/drivers/clk/clk-aspeed.c
index 5eb50c31e455..7abe4232d282 100644
--- a/drivers/clk/clk-aspeed.c
+++ b/drivers/clk/clk-aspeed.c
@@ -627,9 +627,9 @@ static void __init aspeed_cc_init(struct device_node *np)
627 if (!scu_base) 627 if (!scu_base)
628 return; 628 return;
629 629
630 aspeed_clk_data = kzalloc(sizeof(*aspeed_clk_data) + 630 aspeed_clk_data = kzalloc(struct_size(aspeed_clk_data, hws,
631 sizeof(*aspeed_clk_data->hws) * ASPEED_NUM_CLKS, 631 ASPEED_NUM_CLKS),
632 GFP_KERNEL); 632 GFP_KERNEL);
633 if (!aspeed_clk_data) 633 if (!aspeed_clk_data)
634 return; 634 return;
635 635
diff --git a/drivers/clk/clk-clps711x.c b/drivers/clk/clk-clps711x.c
index 9193f64561f6..2c04396402ab 100644
--- a/drivers/clk/clk-clps711x.c
+++ b/drivers/clk/clk-clps711x.c
@@ -54,9 +54,9 @@ static struct clps711x_clk * __init _clps711x_clk_init(void __iomem *base,
54 if (!base) 54 if (!base)
55 return ERR_PTR(-ENOMEM); 55 return ERR_PTR(-ENOMEM);
56 56
57 clps711x_clk = kzalloc(sizeof(*clps711x_clk) + 57 clps711x_clk = kzalloc(struct_size(clps711x_clk, clk_data.hws,
58 sizeof(*clps711x_clk->clk_data.hws) * CLPS711X_CLK_MAX, 58 CLPS711X_CLK_MAX),
59 GFP_KERNEL); 59 GFP_KERNEL);
60 if (!clps711x_clk) 60 if (!clps711x_clk)
61 return ERR_PTR(-ENOMEM); 61 return ERR_PTR(-ENOMEM);
62 62
diff --git a/drivers/clk/clk-efm32gg.c b/drivers/clk/clk-efm32gg.c
index f674778fb3ac..f37cf08ff7aa 100644
--- a/drivers/clk/clk-efm32gg.c
+++ b/drivers/clk/clk-efm32gg.c
@@ -25,8 +25,8 @@ static void __init efm32gg_cmu_init(struct device_node *np)
25 void __iomem *base; 25 void __iomem *base;
26 struct clk_hw **hws; 26 struct clk_hw **hws;
27 27
28 clk_data = kzalloc(sizeof(*clk_data) + 28 clk_data = kzalloc(struct_size(clk_data, hws, CMU_MAX_CLKS),
29 sizeof(*clk_data->hws) * CMU_MAX_CLKS, GFP_KERNEL); 29 GFP_KERNEL);
30 30
31 if (!clk_data) 31 if (!clk_data)
32 return; 32 return;
diff --git a/drivers/clk/clk-gemini.c b/drivers/clk/clk-gemini.c
index 5e66e6c0205e..b51069e794ff 100644
--- a/drivers/clk/clk-gemini.c
+++ b/drivers/clk/clk-gemini.c
@@ -399,9 +399,9 @@ static void __init gemini_cc_init(struct device_node *np)
399 int ret; 399 int ret;
400 int i; 400 int i;
401 401
402 gemini_clk_data = kzalloc(sizeof(*gemini_clk_data) + 402 gemini_clk_data = kzalloc(struct_size(gemini_clk_data, hws,
403 sizeof(*gemini_clk_data->hws) * GEMINI_NUM_CLKS, 403 GEMINI_NUM_CLKS),
404 GFP_KERNEL); 404 GFP_KERNEL);
405 if (!gemini_clk_data) 405 if (!gemini_clk_data)
406 return; 406 return;
407 407
diff --git a/drivers/clk/clk-s2mps11.c b/drivers/clk/clk-s2mps11.c
index fbaa84a33c46..d44e0eea31ec 100644
--- a/drivers/clk/clk-s2mps11.c
+++ b/drivers/clk/clk-s2mps11.c
@@ -147,8 +147,8 @@ static int s2mps11_clk_probe(struct platform_device *pdev)
147 if (!s2mps11_clks) 147 if (!s2mps11_clks)
148 return -ENOMEM; 148 return -ENOMEM;
149 149
150 clk_data = devm_kzalloc(&pdev->dev, sizeof(*clk_data) + 150 clk_data = devm_kzalloc(&pdev->dev,
151 sizeof(*clk_data->hws) * S2MPS11_CLKS_NUM, 151 struct_size(clk_data, hws, S2MPS11_CLKS_NUM),
152 GFP_KERNEL); 152 GFP_KERNEL);
153 if (!clk_data) 153 if (!clk_data)
154 return -ENOMEM; 154 return -ENOMEM;
diff --git a/drivers/clk/clk-scmi.c b/drivers/clk/clk-scmi.c
index 488c21376b55..bb2a6f2f5516 100644
--- a/drivers/clk/clk-scmi.c
+++ b/drivers/clk/clk-scmi.c
@@ -137,8 +137,8 @@ static int scmi_clocks_probe(struct scmi_device *sdev)
137 return -EINVAL; 137 return -EINVAL;
138 } 138 }
139 139
140 clk_data = devm_kzalloc(dev, sizeof(*clk_data) + 140 clk_data = devm_kzalloc(dev, struct_size(clk_data, hws, count),
141 sizeof(*clk_data->hws) * count, GFP_KERNEL); 141 GFP_KERNEL);
142 if (!clk_data) 142 if (!clk_data)
143 return -ENOMEM; 143 return -ENOMEM;
144 144
diff --git a/drivers/clk/clk-stm32h7.c b/drivers/clk/clk-stm32h7.c
index db2b162c0d4c..d3271eca3779 100644
--- a/drivers/clk/clk-stm32h7.c
+++ b/drivers/clk/clk-stm32h7.c
@@ -1201,9 +1201,8 @@ static void __init stm32h7_rcc_init(struct device_node *np)
1201 const char *hse_clk, *lse_clk, *i2s_clk; 1201 const char *hse_clk, *lse_clk, *i2s_clk;
1202 struct regmap *pdrm; 1202 struct regmap *pdrm;
1203 1203
1204 clk_data = kzalloc(sizeof(*clk_data) + 1204 clk_data = kzalloc(struct_size(clk_data, hws, STM32H7_MAX_CLKS),
1205 sizeof(*clk_data->hws) * STM32H7_MAX_CLKS, 1205 GFP_KERNEL);
1206 GFP_KERNEL);
1207 if (!clk_data) 1206 if (!clk_data)
1208 return; 1207 return;
1209 1208
diff --git a/drivers/clk/clk-stm32mp1.c b/drivers/clk/clk-stm32mp1.c
index edd3cf451401..83e8cd81674f 100644
--- a/drivers/clk/clk-stm32mp1.c
+++ b/drivers/clk/clk-stm32mp1.c
@@ -2060,9 +2060,8 @@ static int stm32_rcc_init(struct device_node *np,
2060 2060
2061 max_binding = data->maxbinding; 2061 max_binding = data->maxbinding;
2062 2062
2063 clk_data = kzalloc(sizeof(*clk_data) + 2063 clk_data = kzalloc(struct_size(clk_data, hws, max_binding),
2064 sizeof(*clk_data->hws) * max_binding, 2064 GFP_KERNEL);
2065 GFP_KERNEL);
2066 if (!clk_data) 2065 if (!clk_data)
2067 return -ENOMEM; 2066 return -ENOMEM;
2068 2067
diff --git a/drivers/clk/davinci/da8xx-cfgchip.c b/drivers/clk/davinci/da8xx-cfgchip.c
index c971111d2601..aae62a5b8734 100644
--- a/drivers/clk/davinci/da8xx-cfgchip.c
+++ b/drivers/clk/davinci/da8xx-cfgchip.c
@@ -650,8 +650,8 @@ static int of_da8xx_usb_phy_clk_init(struct device *dev, struct regmap *regmap)
650 struct da8xx_usb0_clk48 *usb0; 650 struct da8xx_usb0_clk48 *usb0;
651 struct da8xx_usb1_clk48 *usb1; 651 struct da8xx_usb1_clk48 *usb1;
652 652
653 clk_data = devm_kzalloc(dev, sizeof(*clk_data) + 2 * 653 clk_data = devm_kzalloc(dev, struct_size(clk_data, hws, 2),
654 sizeof(*clk_data->hws), GFP_KERNEL); 654 GFP_KERNEL);
655 if (!clk_data) 655 if (!clk_data)
656 return -ENOMEM; 656 return -ENOMEM;
657 657
diff --git a/drivers/clk/mvebu/armada-37xx-periph.c b/drivers/clk/mvebu/armada-37xx-periph.c
index 87213ea7fc84..6860bd5a37c5 100644
--- a/drivers/clk/mvebu/armada-37xx-periph.c
+++ b/drivers/clk/mvebu/armada-37xx-periph.c
@@ -667,9 +667,10 @@ static int armada_3700_periph_clock_probe(struct platform_device *pdev)
667 if (!driver_data) 667 if (!driver_data)
668 return -ENOMEM; 668 return -ENOMEM;
669 669
670 driver_data->hw_data = devm_kzalloc(dev, sizeof(*driver_data->hw_data) + 670 driver_data->hw_data = devm_kzalloc(dev,
671 sizeof(*driver_data->hw_data->hws) * num_periph, 671 struct_size(driver_data->hw_data,
672 GFP_KERNEL); 672 hws, num_periph),
673 GFP_KERNEL);
673 if (!driver_data->hw_data) 674 if (!driver_data->hw_data)
674 return -ENOMEM; 675 return -ENOMEM;
675 driver_data->hw_data->num = num_periph; 676 driver_data->hw_data->num = num_periph;
diff --git a/drivers/clk/mvebu/armada-37xx-tbg.c b/drivers/clk/mvebu/armada-37xx-tbg.c
index aa80db11f543..7ff041f73b55 100644
--- a/drivers/clk/mvebu/armada-37xx-tbg.c
+++ b/drivers/clk/mvebu/armada-37xx-tbg.c
@@ -91,8 +91,8 @@ static int armada_3700_tbg_clock_probe(struct platform_device *pdev)
91 void __iomem *reg; 91 void __iomem *reg;
92 int i, ret; 92 int i, ret;
93 93
94 hw_tbg_data = devm_kzalloc(&pdev->dev, sizeof(*hw_tbg_data) 94 hw_tbg_data = devm_kzalloc(&pdev->dev,
95 + sizeof(*hw_tbg_data->hws) * NUM_TBG, 95 struct_size(hw_tbg_data, hws, NUM_TBG),
96 GFP_KERNEL); 96 GFP_KERNEL);
97 if (!hw_tbg_data) 97 if (!hw_tbg_data)
98 return -ENOMEM; 98 return -ENOMEM;
diff --git a/drivers/clk/qcom/clk-spmi-pmic-div.c b/drivers/clk/qcom/clk-spmi-pmic-div.c
index 8672ab84746f..c90dfdd6c147 100644
--- a/drivers/clk/qcom/clk-spmi-pmic-div.c
+++ b/drivers/clk/qcom/clk-spmi-pmic-div.c
@@ -239,8 +239,7 @@ static int spmi_pmic_clkdiv_probe(struct platform_device *pdev)
239 if (!nclks) 239 if (!nclks)
240 return -EINVAL; 240 return -EINVAL;
241 241
242 cc = devm_kzalloc(dev, sizeof(*cc) + sizeof(*cc->clks) * nclks, 242 cc = devm_kzalloc(dev, struct_size(cc, clks, nclks), GFP_KERNEL);
243 GFP_KERNEL);
244 if (!cc) 243 if (!cc)
245 return -ENOMEM; 244 return -ENOMEM;
246 cc->nclks = nclks; 245 cc->nclks = nclks;
diff --git a/drivers/clk/samsung/clk-exynos-audss.c b/drivers/clk/samsung/clk-exynos-audss.c
index b4b057c7301c..f659c5cbf1d5 100644
--- a/drivers/clk/samsung/clk-exynos-audss.c
+++ b/drivers/clk/samsung/clk-exynos-audss.c
@@ -149,8 +149,8 @@ static int exynos_audss_clk_probe(struct platform_device *pdev)
149 epll = ERR_PTR(-ENODEV); 149 epll = ERR_PTR(-ENODEV);
150 150
151 clk_data = devm_kzalloc(dev, 151 clk_data = devm_kzalloc(dev,
152 sizeof(*clk_data) + 152 struct_size(clk_data, hws,
153 sizeof(*clk_data->hws) * EXYNOS_AUDSS_MAX_CLKS, 153 EXYNOS_AUDSS_MAX_CLKS),
154 GFP_KERNEL); 154 GFP_KERNEL);
155 if (!clk_data) 155 if (!clk_data)
156 return -ENOMEM; 156 return -ENOMEM;
diff --git a/drivers/clk/samsung/clk-exynos-clkout.c b/drivers/clk/samsung/clk-exynos-clkout.c
index f29fb5824005..9c95390d2d77 100644
--- a/drivers/clk/samsung/clk-exynos-clkout.c
+++ b/drivers/clk/samsung/clk-exynos-clkout.c
@@ -61,8 +61,7 @@ static void __init exynos_clkout_init(struct device_node *node, u32 mux_mask)
61 int ret; 61 int ret;
62 int i; 62 int i;
63 63
64 clkout = kzalloc(sizeof(*clkout) + 64 clkout = kzalloc(struct_size(clkout, data.hws, EXYNOS_CLKOUT_NR_CLKS),
65 sizeof(*clkout->data.hws) * EXYNOS_CLKOUT_NR_CLKS,
66 GFP_KERNEL); 65 GFP_KERNEL);
67 if (!clkout) 66 if (!clkout)
68 return; 67 return;
diff --git a/drivers/clk/samsung/clk-exynos5433.c b/drivers/clk/samsung/clk-exynos5433.c
index 5305ace514b2..162de44df099 100644
--- a/drivers/clk/samsung/clk-exynos5433.c
+++ b/drivers/clk/samsung/clk-exynos5433.c
@@ -5505,8 +5505,8 @@ static int __init exynos5433_cmu_probe(struct platform_device *pdev)
5505 5505
5506 info = of_device_get_match_data(dev); 5506 info = of_device_get_match_data(dev);
5507 5507
5508 data = devm_kzalloc(dev, sizeof(*data) + 5508 data = devm_kzalloc(dev,
5509 sizeof(*data->ctx.clk_data.hws) * info->nr_clk_ids, 5509 struct_size(data, ctx.clk_data.hws, info->nr_clk_ids),
5510 GFP_KERNEL); 5510 GFP_KERNEL);
5511 if (!data) 5511 if (!data)
5512 return -ENOMEM; 5512 return -ENOMEM;
diff --git a/drivers/clk/samsung/clk-s3c2410-dclk.c b/drivers/clk/samsung/clk-s3c2410-dclk.c
index 077df3e539a7..66a904758761 100644
--- a/drivers/clk/samsung/clk-s3c2410-dclk.c
+++ b/drivers/clk/samsung/clk-s3c2410-dclk.c
@@ -247,9 +247,10 @@ static int s3c24xx_dclk_probe(struct platform_device *pdev)
247 struct clk_hw **clk_table; 247 struct clk_hw **clk_table;
248 int ret, i; 248 int ret, i;
249 249
250 s3c24xx_dclk = devm_kzalloc(&pdev->dev, sizeof(*s3c24xx_dclk) + 250 s3c24xx_dclk = devm_kzalloc(&pdev->dev,
251 sizeof(*s3c24xx_dclk->clk_data.hws) * DCLK_MAX_CLKS, 251 struct_size(s3c24xx_dclk, clk_data.hws,
252 GFP_KERNEL); 252 DCLK_MAX_CLKS),
253 GFP_KERNEL);
253 if (!s3c24xx_dclk) 254 if (!s3c24xx_dclk)
254 return -ENOMEM; 255 return -ENOMEM;
255 256
diff --git a/drivers/clk/samsung/clk-s5pv210-audss.c b/drivers/clk/samsung/clk-s5pv210-audss.c
index b9641414ddc6..22b18e728b88 100644
--- a/drivers/clk/samsung/clk-s5pv210-audss.c
+++ b/drivers/clk/samsung/clk-s5pv210-audss.c
@@ -81,8 +81,7 @@ static int s5pv210_audss_clk_probe(struct platform_device *pdev)
81 } 81 }
82 82
83 clk_data = devm_kzalloc(&pdev->dev, 83 clk_data = devm_kzalloc(&pdev->dev,
84 sizeof(*clk_data) + 84 struct_size(clk_data, hws, AUDSS_MAX_CLKS),
85 sizeof(*clk_data->hws) * AUDSS_MAX_CLKS,
86 GFP_KERNEL); 85 GFP_KERNEL);
87 86
88 if (!clk_data) 87 if (!clk_data)
diff --git a/drivers/dax/device.c b/drivers/dax/device.c
index aff2c1594220..de2f8297a210 100644
--- a/drivers/dax/device.c
+++ b/drivers/dax/device.c
@@ -594,7 +594,7 @@ struct dev_dax *devm_create_dev_dax(struct dax_region *dax_region,
594 if (!count) 594 if (!count)
595 return ERR_PTR(-EINVAL); 595 return ERR_PTR(-EINVAL);
596 596
597 dev_dax = kzalloc(sizeof(*dev_dax) + sizeof(*res) * count, GFP_KERNEL); 597 dev_dax = kzalloc(struct_size(dev_dax, res, count), GFP_KERNEL);
598 if (!dev_dax) 598 if (!dev_dax)
599 return ERR_PTR(-ENOMEM); 599 return ERR_PTR(-ENOMEM);
600 600
diff --git a/drivers/dma/bcm-sba-raid.c b/drivers/dma/bcm-sba-raid.c
index 3956a018bf5a..72878ac5c78d 100644
--- a/drivers/dma/bcm-sba-raid.c
+++ b/drivers/dma/bcm-sba-raid.c
@@ -1499,9 +1499,8 @@ static int sba_prealloc_channel_resources(struct sba_device *sba)
1499 1499
1500 for (i = 0; i < sba->max_req; i++) { 1500 for (i = 0; i < sba->max_req; i++) {
1501 req = devm_kzalloc(sba->dev, 1501 req = devm_kzalloc(sba->dev,
1502 sizeof(*req) + 1502 struct_size(req, cmds, sba->max_cmd_per_req),
1503 sba->max_cmd_per_req * sizeof(req->cmds[0]), 1503 GFP_KERNEL);
1504 GFP_KERNEL);
1505 if (!req) { 1504 if (!req) {
1506 ret = -ENOMEM; 1505 ret = -ENOMEM;
1507 goto fail_free_cmds_pool; 1506 goto fail_free_cmds_pool;
diff --git a/drivers/dma/edma.c b/drivers/dma/edma.c
index 85ea92fcea54..9bc722ca8329 100644
--- a/drivers/dma/edma.c
+++ b/drivers/dma/edma.c
@@ -1074,8 +1074,7 @@ static struct dma_async_tx_descriptor *edma_prep_slave_sg(
1074 return NULL; 1074 return NULL;
1075 } 1075 }
1076 1076
1077 edesc = kzalloc(sizeof(*edesc) + sg_len * sizeof(edesc->pset[0]), 1077 edesc = kzalloc(struct_size(edesc, pset, sg_len), GFP_ATOMIC);
1078 GFP_ATOMIC);
1079 if (!edesc) 1078 if (!edesc)
1080 return NULL; 1079 return NULL;
1081 1080
@@ -1192,8 +1191,7 @@ static struct dma_async_tx_descriptor *edma_prep_dma_memcpy(
1192 nslots = 2; 1191 nslots = 2;
1193 } 1192 }
1194 1193
1195 edesc = kzalloc(sizeof(*edesc) + nslots * sizeof(edesc->pset[0]), 1194 edesc = kzalloc(struct_size(edesc, pset, nslots), GFP_ATOMIC);
1196 GFP_ATOMIC);
1197 if (!edesc) 1195 if (!edesc)
1198 return NULL; 1196 return NULL;
1199 1197
@@ -1315,8 +1313,7 @@ static struct dma_async_tx_descriptor *edma_prep_dma_cyclic(
1315 } 1313 }
1316 } 1314 }
1317 1315
1318 edesc = kzalloc(sizeof(*edesc) + nslots * sizeof(edesc->pset[0]), 1316 edesc = kzalloc(struct_size(edesc, pset, nslots), GFP_ATOMIC);
1319 GFP_ATOMIC);
1320 if (!edesc) 1317 if (!edesc)
1321 return NULL; 1318 return NULL;
1322 1319
diff --git a/drivers/dma/moxart-dma.c b/drivers/dma/moxart-dma.c
index e1a5c2242f6f..e04499c1f27f 100644
--- a/drivers/dma/moxart-dma.c
+++ b/drivers/dma/moxart-dma.c
@@ -309,7 +309,7 @@ static struct dma_async_tx_descriptor *moxart_prep_slave_sg(
309 return NULL; 309 return NULL;
310 } 310 }
311 311
312 d = kzalloc(sizeof(*d) + sg_len * sizeof(d->sg[0]), GFP_ATOMIC); 312 d = kzalloc(struct_size(d, sg, sg_len), GFP_ATOMIC);
313 if (!d) 313 if (!d)
314 return NULL; 314 return NULL;
315 315
diff --git a/drivers/dma/nbpfaxi.c b/drivers/dma/nbpfaxi.c
index 50559338239b..2f9974ddfbb2 100644
--- a/drivers/dma/nbpfaxi.c
+++ b/drivers/dma/nbpfaxi.c
@@ -1305,8 +1305,8 @@ static int nbpf_probe(struct platform_device *pdev)
1305 cfg = of_device_get_match_data(dev); 1305 cfg = of_device_get_match_data(dev);
1306 num_channels = cfg->num_channels; 1306 num_channels = cfg->num_channels;
1307 1307
1308 nbpf = devm_kzalloc(dev, sizeof(*nbpf) + num_channels * 1308 nbpf = devm_kzalloc(dev, struct_size(nbpf, chan, num_channels),
1309 sizeof(nbpf->chan[0]), GFP_KERNEL); 1309 GFP_KERNEL);
1310 if (!nbpf) 1310 if (!nbpf)
1311 return -ENOMEM; 1311 return -ENOMEM;
1312 1312
diff --git a/drivers/dma/omap-dma.c b/drivers/dma/omap-dma.c
index d21c19822feb..9483000fcf79 100644
--- a/drivers/dma/omap-dma.c
+++ b/drivers/dma/omap-dma.c
@@ -917,7 +917,7 @@ static struct dma_async_tx_descriptor *omap_dma_prep_slave_sg(
917 } 917 }
918 918
919 /* Now allocate and setup the descriptor. */ 919 /* Now allocate and setup the descriptor. */
920 d = kzalloc(sizeof(*d) + sglen * sizeof(d->sg[0]), GFP_ATOMIC); 920 d = kzalloc(struct_size(d, sg, sglen), GFP_ATOMIC);
921 if (!d) 921 if (!d)
922 return NULL; 922 return NULL;
923 923
diff --git a/drivers/dma/sa11x0-dma.c b/drivers/dma/sa11x0-dma.c
index c7a89c22890e..b31d07c7d93c 100644
--- a/drivers/dma/sa11x0-dma.c
+++ b/drivers/dma/sa11x0-dma.c
@@ -557,7 +557,7 @@ static struct dma_async_tx_descriptor *sa11x0_dma_prep_slave_sg(
557 } 557 }
558 } 558 }
559 559
560 txd = kzalloc(sizeof(*txd) + j * sizeof(txd->sg[0]), GFP_ATOMIC); 560 txd = kzalloc(struct_size(txd, sg, j), GFP_ATOMIC);
561 if (!txd) { 561 if (!txd) {
562 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc); 562 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc);
563 return NULL; 563 return NULL;
@@ -627,7 +627,7 @@ static struct dma_async_tx_descriptor *sa11x0_dma_prep_dma_cyclic(
627 if (sglen == 0) 627 if (sglen == 0)
628 return NULL; 628 return NULL;
629 629
630 txd = kzalloc(sizeof(*txd) + sglen * sizeof(txd->sg[0]), GFP_ATOMIC); 630 txd = kzalloc(struct_size(txd, sg, sglen), GFP_ATOMIC);
631 if (!txd) { 631 if (!txd) {
632 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc); 632 dev_dbg(chan->device->dev, "vchan %p: kzalloc failed\n", &c->vc);
633 return NULL; 633 return NULL;
diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c
index 31a145154e9f..1bb1a8e09025 100644
--- a/drivers/dma/sh/usb-dmac.c
+++ b/drivers/dma/sh/usb-dmac.c
@@ -269,7 +269,7 @@ static int usb_dmac_desc_alloc(struct usb_dmac_chan *chan, unsigned int sg_len,
269 struct usb_dmac_desc *desc; 269 struct usb_dmac_desc *desc;
270 unsigned long flags; 270 unsigned long flags;
271 271
272 desc = kzalloc(sizeof(*desc) + sg_len * sizeof(desc->sg[0]), gfp); 272 desc = kzalloc(struct_size(desc, sg, sg_len), gfp);
273 if (!desc) 273 if (!desc)
274 return -ENOMEM; 274 return -ENOMEM;
275 275
diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
index b106e8a60af6..52ebccb483be 100644
--- a/drivers/dma/sprd-dma.c
+++ b/drivers/dma/sprd-dma.c
@@ -805,8 +805,8 @@ static int sprd_dma_probe(struct platform_device *pdev)
805 return ret; 805 return ret;
806 } 806 }
807 807
808 sdev = devm_kzalloc(&pdev->dev, sizeof(*sdev) + 808 sdev = devm_kzalloc(&pdev->dev,
809 sizeof(*dma_chn) * chn_count, 809 struct_size(sdev, channels, chn_count),
810 GFP_KERNEL); 810 GFP_KERNEL);
811 if (!sdev) 811 if (!sdev)
812 return -ENOMEM; 812 return -ENOMEM;
diff --git a/drivers/firewire/core-topology.c b/drivers/firewire/core-topology.c
index 939d259ddf19..7db234d3fbdd 100644
--- a/drivers/firewire/core-topology.c
+++ b/drivers/firewire/core-topology.c
@@ -112,8 +112,7 @@ static struct fw_node *fw_node_create(u32 sid, int port_count, int color)
112{ 112{
113 struct fw_node *node; 113 struct fw_node *node;
114 114
115 node = kzalloc(sizeof(*node) + port_count * sizeof(node->ports[0]), 115 node = kzalloc(struct_size(node, ports, port_count), GFP_ATOMIC);
116 GFP_ATOMIC);
117 if (node == NULL) 116 if (node == NULL)
118 return NULL; 117 return NULL;
119 118
diff --git a/drivers/gpio/gpio-uniphier.c b/drivers/gpio/gpio-uniphier.c
index 761d8279abca..d3cf9502e7e7 100644
--- a/drivers/gpio/gpio-uniphier.c
+++ b/drivers/gpio/gpio-uniphier.c
@@ -371,8 +371,7 @@ static int uniphier_gpio_probe(struct platform_device *pdev)
371 return ret; 371 return ret;
372 372
373 nregs = uniphier_gpio_get_nbanks(ngpios) * 2 + 3; 373 nregs = uniphier_gpio_get_nbanks(ngpios) * 2 + 3;
374 priv = devm_kzalloc(dev, 374 priv = devm_kzalloc(dev, struct_size(priv, saved_vals, nregs),
375 sizeof(*priv) + sizeof(priv->saved_vals[0]) * nregs,
376 GFP_KERNEL); 375 GFP_KERNEL);
377 if (!priv) 376 if (!priv)
378 return -ENOMEM; 377 return -ENOMEM;
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index d8ccb500872f..55d596f3035e 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -4023,8 +4023,7 @@ struct gpio_descs *__must_check gpiod_get_array(struct device *dev,
4023 if (count < 0) 4023 if (count < 0)
4024 return ERR_PTR(count); 4024 return ERR_PTR(count);
4025 4025
4026 descs = kzalloc(sizeof(*descs) + sizeof(descs->desc[0]) * count, 4026 descs = kzalloc(struct_size(descs, desc, count), GFP_KERNEL);
4027 GFP_KERNEL);
4028 if (!descs) 4027 if (!descs)
4029 return ERR_PTR(-ENOMEM); 4028 return ERR_PTR(-ENOMEM);
4030 4029
diff --git a/drivers/gpu/drm/nouveau/nvkm/core/ramht.c b/drivers/gpu/drm/nouveau/nvkm/core/ramht.c
index ccba4ae73cc5..8162e3d2359c 100644
--- a/drivers/gpu/drm/nouveau/nvkm/core/ramht.c
+++ b/drivers/gpu/drm/nouveau/nvkm/core/ramht.c
@@ -144,8 +144,7 @@ nvkm_ramht_new(struct nvkm_device *device, u32 size, u32 align,
144 struct nvkm_ramht *ramht; 144 struct nvkm_ramht *ramht;
145 int ret, i; 145 int ret, i;
146 146
147 if (!(ramht = *pramht = vzalloc(sizeof(*ramht) + 147 if (!(ramht = *pramht = vzalloc(struct_size(ramht, data, (size >> 3)))))
148 (size >> 3) * sizeof(*ramht->data))))
149 return -ENOMEM; 148 return -ENOMEM;
150 149
151 ramht->device = device; 150 ramht->device = device;
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c b/drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c
index 53859b6254d6..b2785bee418e 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/pm/base.c
@@ -779,8 +779,8 @@ nvkm_perfdom_new(struct nvkm_pm *pm, const char *name, u32 mask,
779 779
780 sdom = spec; 780 sdom = spec;
781 while (sdom->signal_nr) { 781 while (sdom->signal_nr) {
782 dom = kzalloc(sizeof(*dom) + sdom->signal_nr * 782 dom = kzalloc(struct_size(dom, signal, sdom->signal_nr),
783 sizeof(*dom->signal), GFP_KERNEL); 783 GFP_KERNEL);
784 if (!dom) 784 if (!dom)
785 return -ENOMEM; 785 return -ENOMEM;
786 786
diff --git a/drivers/hwspinlock/omap_hwspinlock.c b/drivers/hwspinlock/omap_hwspinlock.c
index ad2f8cac8487..d897e5251c36 100644
--- a/drivers/hwspinlock/omap_hwspinlock.c
+++ b/drivers/hwspinlock/omap_hwspinlock.c
@@ -132,7 +132,7 @@ static int omap_hwspinlock_probe(struct platform_device *pdev)
132 132
133 num_locks = i * 32; /* actual number of locks in this device */ 133 num_locks = i * 32; /* actual number of locks in this device */
134 134
135 bank = kzalloc(sizeof(*bank) + num_locks * sizeof(*hwlock), GFP_KERNEL); 135 bank = kzalloc(struct_size(bank, lock, num_locks), GFP_KERNEL);
136 if (!bank) { 136 if (!bank) {
137 ret = -ENOMEM; 137 ret = -ENOMEM;
138 goto iounmap_base; 138 goto iounmap_base;
diff --git a/drivers/hwspinlock/sirf_hwspinlock.c b/drivers/hwspinlock/sirf_hwspinlock.c
index 16018544d431..cb38e487c6c4 100644
--- a/drivers/hwspinlock/sirf_hwspinlock.c
+++ b/drivers/hwspinlock/sirf_hwspinlock.c
@@ -62,8 +62,10 @@ static int sirf_hwspinlock_probe(struct platform_device *pdev)
62 if (!pdev->dev.of_node) 62 if (!pdev->dev.of_node)
63 return -ENODEV; 63 return -ENODEV;
64 64
65 hwspin = devm_kzalloc(&pdev->dev, sizeof(*hwspin) + 65 hwspin = devm_kzalloc(&pdev->dev,
66 sizeof(*hwlock) * HW_SPINLOCK_NUMBER, GFP_KERNEL); 66 struct_size(hwspin, bank.lock,
67 HW_SPINLOCK_NUMBER),
68 GFP_KERNEL);
67 if (!hwspin) 69 if (!hwspin)
68 return -ENOMEM; 70 return -ENOMEM;
69 71
diff --git a/drivers/hwspinlock/u8500_hsem.c b/drivers/hwspinlock/u8500_hsem.c
index e93eabbd660f..0128d8fb905e 100644
--- a/drivers/hwspinlock/u8500_hsem.c
+++ b/drivers/hwspinlock/u8500_hsem.c
@@ -119,7 +119,7 @@ static int u8500_hsem_probe(struct platform_device *pdev)
119 /* clear all interrupts */ 119 /* clear all interrupts */
120 writel(0xFFFF, io_base + HSEM_ICRALL); 120 writel(0xFFFF, io_base + HSEM_ICRALL);
121 121
122 bank = kzalloc(sizeof(*bank) + num_locks * sizeof(*hwlock), GFP_KERNEL); 122 bank = kzalloc(struct_size(bank, lock, num_locks), GFP_KERNEL);
123 if (!bank) { 123 if (!bank) {
124 ret = -ENOMEM; 124 ret = -ENOMEM;
125 goto iounmap_base; 125 goto iounmap_base;
diff --git a/drivers/infiniband/core/cache.c b/drivers/infiniband/core/cache.c
index ecc55e98ddd3..3330d97faa1e 100644
--- a/drivers/infiniband/core/cache.c
+++ b/drivers/infiniband/core/cache.c
@@ -1157,8 +1157,9 @@ static void ib_cache_update(struct ib_device *device,
1157 goto err; 1157 goto err;
1158 } 1158 }
1159 1159
1160 pkey_cache = kmalloc(sizeof *pkey_cache + tprops->pkey_tbl_len * 1160 pkey_cache = kmalloc(struct_size(pkey_cache, table,
1161 sizeof *pkey_cache->table, GFP_KERNEL); 1161 tprops->pkey_tbl_len),
1162 GFP_KERNEL);
1162 if (!pkey_cache) 1163 if (!pkey_cache)
1163 goto err; 1164 goto err;
1164 1165
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index a92e1a5c202b..36a4d90a7b47 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -4298,8 +4298,8 @@ static void cm_add_one(struct ib_device *ib_device)
4298 int count = 0; 4298 int count = 0;
4299 u8 i; 4299 u8 i;
4300 4300
4301 cm_dev = kzalloc(sizeof(*cm_dev) + sizeof(*port) * 4301 cm_dev = kzalloc(struct_size(cm_dev, port, ib_device->phys_port_cnt),
4302 ib_device->phys_port_cnt, GFP_KERNEL); 4302 GFP_KERNEL);
4303 if (!cm_dev) 4303 if (!cm_dev)
4304 return; 4304 return;
4305 4305
diff --git a/drivers/infiniband/core/multicast.c b/drivers/infiniband/core/multicast.c
index 4eb72ff539fc..6c48f4193dda 100644
--- a/drivers/infiniband/core/multicast.c
+++ b/drivers/infiniband/core/multicast.c
@@ -813,7 +813,7 @@ static void mcast_add_one(struct ib_device *device)
813 int i; 813 int i;
814 int count = 0; 814 int count = 0;
815 815
816 dev = kmalloc(sizeof *dev + device->phys_port_cnt * sizeof *port, 816 dev = kmalloc(struct_size(dev, port, device->phys_port_cnt),
817 GFP_KERNEL); 817 GFP_KERNEL);
818 if (!dev) 818 if (!dev)
819 return; 819 return;
diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
index 21a887c9523b..e3662a8ee465 100644
--- a/drivers/infiniband/core/uverbs_cmd.c
+++ b/drivers/infiniband/core/uverbs_cmd.c
@@ -2756,8 +2756,8 @@ static struct ib_uflow_resources *flow_resources_alloc(size_t num_specs)
2756 struct ib_uflow_resources *resources; 2756 struct ib_uflow_resources *resources;
2757 2757
2758 resources = 2758 resources =
2759 kmalloc(sizeof(*resources) + 2759 kmalloc(struct_size(resources, collection, num_specs),
2760 num_specs * sizeof(*resources->collection), GFP_KERNEL); 2760 GFP_KERNEL);
2761 2761
2762 if (!resources) 2762 if (!resources)
2763 return NULL; 2763 return NULL;
diff --git a/drivers/infiniband/core/uverbs_ioctl_merge.c b/drivers/infiniband/core/uverbs_ioctl_merge.c
index 0f88a1919d51..6ceb672c4d46 100644
--- a/drivers/infiniband/core/uverbs_ioctl_merge.c
+++ b/drivers/infiniband/core/uverbs_ioctl_merge.c
@@ -297,8 +297,7 @@ static struct uverbs_method_spec *build_method_with_attrs(const struct uverbs_me
297 if (max_attr_buckets >= 0) 297 if (max_attr_buckets >= 0)
298 num_attr_buckets = max_attr_buckets + 1; 298 num_attr_buckets = max_attr_buckets + 1;
299 299
300 method = kzalloc(sizeof(*method) + 300 method = kzalloc(struct_size(method, attr_buckets, num_attr_buckets),
301 num_attr_buckets * sizeof(*method->attr_buckets),
302 GFP_KERNEL); 301 GFP_KERNEL);
303 if (!method) 302 if (!method)
304 return ERR_PTR(-ENOMEM); 303 return ERR_PTR(-ENOMEM);
@@ -446,9 +445,9 @@ static struct uverbs_object_spec *build_object_with_methods(const struct uverbs_
446 if (max_method_buckets >= 0) 445 if (max_method_buckets >= 0)
447 num_method_buckets = max_method_buckets + 1; 446 num_method_buckets = max_method_buckets + 1;
448 447
449 object = kzalloc(sizeof(*object) + 448 object = kzalloc(struct_size(object, method_buckets,
450 num_method_buckets * 449 num_method_buckets),
451 sizeof(*object->method_buckets), GFP_KERNEL); 450 GFP_KERNEL);
452 if (!object) 451 if (!object)
453 return ERR_PTR(-ENOMEM); 452 return ERR_PTR(-ENOMEM);
454 453
@@ -469,8 +468,8 @@ static struct uverbs_object_spec *build_object_with_methods(const struct uverbs_
469 if (methods_max_bucket < 0) 468 if (methods_max_bucket < 0)
470 continue; 469 continue;
471 470
472 hash = kzalloc(sizeof(*hash) + 471 hash = kzalloc(struct_size(hash, methods,
473 sizeof(*hash->methods) * (methods_max_bucket + 1), 472 methods_max_bucket + 1),
474 GFP_KERNEL); 473 GFP_KERNEL);
475 if (!hash) { 474 if (!hash) {
476 res = -ENOMEM; 475 res = -ENOMEM;
@@ -579,8 +578,8 @@ struct uverbs_root_spec *uverbs_alloc_spec_tree(unsigned int num_trees,
579 if (max_object_buckets >= 0) 578 if (max_object_buckets >= 0)
580 num_objects_buckets = max_object_buckets + 1; 579 num_objects_buckets = max_object_buckets + 1;
581 580
582 root_spec = kzalloc(sizeof(*root_spec) + 581 root_spec = kzalloc(struct_size(root_spec, object_buckets,
583 num_objects_buckets * sizeof(*root_spec->object_buckets), 582 num_objects_buckets),
584 GFP_KERNEL); 583 GFP_KERNEL);
585 if (!root_spec) 584 if (!root_spec)
586 return ERR_PTR(-ENOMEM); 585 return ERR_PTR(-ENOMEM);
@@ -603,8 +602,8 @@ struct uverbs_root_spec *uverbs_alloc_spec_tree(unsigned int num_trees,
603 if (objects_max_bucket < 0) 602 if (objects_max_bucket < 0)
604 continue; 603 continue;
605 604
606 hash = kzalloc(sizeof(*hash) + 605 hash = kzalloc(struct_size(hash, objects,
607 sizeof(*hash->objects) * (objects_max_bucket + 1), 606 objects_max_bucket + 1),
608 GFP_KERNEL); 607 GFP_KERNEL);
609 if (!hash) { 608 if (!hash) {
610 res = -ENOMEM; 609 res = -ENOMEM;
diff --git a/drivers/infiniband/hw/mthca/mthca_memfree.c b/drivers/infiniband/hw/mthca/mthca_memfree.c
index 2fe503e86c1d..7a31be3c3e73 100644
--- a/drivers/infiniband/hw/mthca/mthca_memfree.c
+++ b/drivers/infiniband/hw/mthca/mthca_memfree.c
@@ -367,7 +367,7 @@ struct mthca_icm_table *mthca_alloc_icm_table(struct mthca_dev *dev,
367 obj_per_chunk = MTHCA_TABLE_CHUNK_SIZE / obj_size; 367 obj_per_chunk = MTHCA_TABLE_CHUNK_SIZE / obj_size;
368 num_icm = DIV_ROUND_UP(nobj, obj_per_chunk); 368 num_icm = DIV_ROUND_UP(nobj, obj_per_chunk);
369 369
370 table = kmalloc(sizeof *table + num_icm * sizeof *table->icm, GFP_KERNEL); 370 table = kmalloc(struct_size(table, icm, num_icm), GFP_KERNEL);
371 if (!table) 371 if (!table)
372 return NULL; 372 return NULL;
373 373
@@ -529,7 +529,7 @@ struct mthca_user_db_table *mthca_init_user_db_tab(struct mthca_dev *dev)
529 return NULL; 529 return NULL;
530 530
531 npages = dev->uar_table.uarc_size / MTHCA_ICM_PAGE_SIZE; 531 npages = dev->uar_table.uarc_size / MTHCA_ICM_PAGE_SIZE;
532 db_tab = kmalloc(sizeof *db_tab + npages * sizeof *db_tab->page, GFP_KERNEL); 532 db_tab = kmalloc(struct_size(db_tab, page, npages), GFP_KERNEL);
533 if (!db_tab) 533 if (!db_tab)
534 return ERR_PTR(-ENOMEM); 534 return ERR_PTR(-ENOMEM);
535 535
diff --git a/drivers/infiniband/sw/rdmavt/mr.c b/drivers/infiniband/sw/rdmavt/mr.c
index cc429b567d0a..49c9541050d4 100644
--- a/drivers/infiniband/sw/rdmavt/mr.c
+++ b/drivers/infiniband/sw/rdmavt/mr.c
@@ -283,7 +283,7 @@ static struct rvt_mr *__rvt_alloc_mr(int count, struct ib_pd *pd)
283 283
284 /* Allocate struct plus pointers to first level page tables. */ 284 /* Allocate struct plus pointers to first level page tables. */
285 m = (count + RVT_SEGSZ - 1) / RVT_SEGSZ; 285 m = (count + RVT_SEGSZ - 1) / RVT_SEGSZ;
286 mr = kzalloc(sizeof(*mr) + m * sizeof(mr->mr.map[0]), GFP_KERNEL); 286 mr = kzalloc(struct_size(mr, mr.map, m), GFP_KERNEL);
287 if (!mr) 287 if (!mr)
288 goto bail; 288 goto bail;
289 289
@@ -730,7 +730,7 @@ struct ib_fmr *rvt_alloc_fmr(struct ib_pd *pd, int mr_access_flags,
730 730
731 /* Allocate struct plus pointers to first level page tables. */ 731 /* Allocate struct plus pointers to first level page tables. */
732 m = (fmr_attr->max_pages + RVT_SEGSZ - 1) / RVT_SEGSZ; 732 m = (fmr_attr->max_pages + RVT_SEGSZ - 1) / RVT_SEGSZ;
733 fmr = kzalloc(sizeof(*fmr) + m * sizeof(fmr->mr.map[0]), GFP_KERNEL); 733 fmr = kzalloc(struct_size(fmr, mr.map, m), GFP_KERNEL);
734 if (!fmr) 734 if (!fmr)
735 goto bail; 735 goto bail;
736 736
diff --git a/drivers/input/input-leds.c b/drivers/input/input-leds.c
index 5f04b2d94635..99cc784e1264 100644
--- a/drivers/input/input-leds.c
+++ b/drivers/input/input-leds.c
@@ -98,8 +98,7 @@ static int input_leds_connect(struct input_handler *handler,
98 if (!num_leds) 98 if (!num_leds)
99 return -ENXIO; 99 return -ENXIO;
100 100
101 leds = kzalloc(sizeof(*leds) + num_leds * sizeof(*leds->leds), 101 leds = kzalloc(struct_size(leds, leds, num_leds), GFP_KERNEL);
102 GFP_KERNEL);
103 if (!leds) 102 if (!leds)
104 return -ENOMEM; 103 return -ENOMEM;
105 104
diff --git a/drivers/input/input-mt.c b/drivers/input/input-mt.c
index a1bbec9cda8d..cf30523c6ef6 100644
--- a/drivers/input/input-mt.c
+++ b/drivers/input/input-mt.c
@@ -49,7 +49,7 @@ int input_mt_init_slots(struct input_dev *dev, unsigned int num_slots,
49 if (mt) 49 if (mt)
50 return mt->num_slots != num_slots ? -EINVAL : 0; 50 return mt->num_slots != num_slots ? -EINVAL : 0;
51 51
52 mt = kzalloc(sizeof(*mt) + num_slots * sizeof(*mt->slots), GFP_KERNEL); 52 mt = kzalloc(struct_size(mt, slots, num_slots), GFP_KERNEL);
53 if (!mt) 53 if (!mt)
54 goto err_mem; 54 goto err_mem;
55 55
diff --git a/drivers/input/keyboard/cap11xx.c b/drivers/input/keyboard/cap11xx.c
index 1a1eacae3ea1..312916f99597 100644
--- a/drivers/input/keyboard/cap11xx.c
+++ b/drivers/input/keyboard/cap11xx.c
@@ -357,8 +357,7 @@ static int cap11xx_i2c_probe(struct i2c_client *i2c_client,
357 } 357 }
358 358
359 priv = devm_kzalloc(dev, 359 priv = devm_kzalloc(dev,
360 sizeof(*priv) + 360 struct_size(priv, keycodes, cap->num_channels),
361 cap->num_channels * sizeof(priv->keycodes[0]),
362 GFP_KERNEL); 361 GFP_KERNEL);
363 if (!priv) 362 if (!priv)
364 return -ENOMEM; 363 return -ENOMEM;
diff --git a/drivers/md/dm-raid.c b/drivers/md/dm-raid.c
index 6f823f44b4aa..ab13fcec3fca 100644
--- a/drivers/md/dm-raid.c
+++ b/drivers/md/dm-raid.c
@@ -756,7 +756,7 @@ static struct raid_set *raid_set_alloc(struct dm_target *ti, struct raid_type *r
756 return ERR_PTR(-EINVAL); 756 return ERR_PTR(-EINVAL);
757 } 757 }
758 758
759 rs = kzalloc(sizeof(*rs) + raid_devs * sizeof(rs->dev[0]), GFP_KERNEL); 759 rs = kzalloc(struct_size(rs, dev, raid_devs), GFP_KERNEL);
760 if (!rs) { 760 if (!rs) {
761 ti->error = "Cannot allocate raid context"; 761 ti->error = "Cannot allocate raid context";
762 return ERR_PTR(-ENOMEM); 762 return ERR_PTR(-ENOMEM);
diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c
index 0589a4da12bb..caa51dd351b6 100644
--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -548,14 +548,14 @@ static int adjoin(struct dm_table *table, struct dm_target *ti)
548 * On the other hand, dm-switch needs to process bulk data using messages and 548 * On the other hand, dm-switch needs to process bulk data using messages and
549 * excessive use of GFP_NOIO could cause trouble. 549 * excessive use of GFP_NOIO could cause trouble.
550 */ 550 */
551static char **realloc_argv(unsigned *array_size, char **old_argv) 551static char **realloc_argv(unsigned *size, char **old_argv)
552{ 552{
553 char **argv; 553 char **argv;
554 unsigned new_size; 554 unsigned new_size;
555 gfp_t gfp; 555 gfp_t gfp;
556 556
557 if (*array_size) { 557 if (*size) {
558 new_size = *array_size * 2; 558 new_size = *size * 2;
559 gfp = GFP_KERNEL; 559 gfp = GFP_KERNEL;
560 } else { 560 } else {
561 new_size = 8; 561 new_size = 8;
@@ -563,8 +563,8 @@ static char **realloc_argv(unsigned *array_size, char **old_argv)
563 } 563 }
564 argv = kmalloc(new_size * sizeof(*argv), gfp); 564 argv = kmalloc(new_size * sizeof(*argv), gfp);
565 if (argv) { 565 if (argv) {
566 memcpy(argv, old_argv, *array_size * sizeof(*argv)); 566 memcpy(argv, old_argv, *size * sizeof(*argv));
567 *array_size = new_size; 567 *size = new_size;
568 } 568 }
569 569
570 kfree(old_argv); 570 kfree(old_argv);
diff --git a/drivers/mfd/qcom-pm8xxx.c b/drivers/mfd/qcom-pm8xxx.c
index f08758f6b418..e6e8d81c15fd 100644
--- a/drivers/mfd/qcom-pm8xxx.c
+++ b/drivers/mfd/qcom-pm8xxx.c
@@ -563,8 +563,8 @@ static int pm8xxx_probe(struct platform_device *pdev)
563 pr_info("PMIC revision 2: %02X\n", val); 563 pr_info("PMIC revision 2: %02X\n", val);
564 rev |= val << BITS_PER_BYTE; 564 rev |= val << BITS_PER_BYTE;
565 565
566 chip = devm_kzalloc(&pdev->dev, sizeof(*chip) + 566 chip = devm_kzalloc(&pdev->dev,
567 sizeof(chip->config[0]) * data->num_irqs, 567 struct_size(chip, config, data->num_irqs),
568 GFP_KERNEL); 568 GFP_KERNEL);
569 if (!chip) 569 if (!chip)
570 return -ENOMEM; 570 return -ENOMEM;
diff --git a/drivers/misc/cb710/core.c b/drivers/misc/cb710/core.c
index fb397e7d1cce..4d4acf763b65 100644
--- a/drivers/misc/cb710/core.c
+++ b/drivers/misc/cb710/core.c
@@ -232,8 +232,8 @@ static int cb710_probe(struct pci_dev *pdev,
232 if (val & CB710_SLOT_SM) 232 if (val & CB710_SLOT_SM)
233 ++n; 233 ++n;
234 234
235 chip = devm_kzalloc(&pdev->dev, 235 chip = devm_kzalloc(&pdev->dev, struct_size(chip, slot, n),
236 sizeof(*chip) + n * sizeof(*chip->slot), GFP_KERNEL); 236 GFP_KERNEL);
237 if (!chip) 237 if (!chip)
238 return -ENOMEM; 238 return -ENOMEM;
239 239
diff --git a/drivers/misc/vexpress-syscfg.c b/drivers/misc/vexpress-syscfg.c
index 9eea30f54fd6..80a6f199077c 100644
--- a/drivers/misc/vexpress-syscfg.c
+++ b/drivers/misc/vexpress-syscfg.c
@@ -182,8 +182,7 @@ static struct regmap *vexpress_syscfg_regmap_init(struct device *dev,
182 val = energy_quirk; 182 val = energy_quirk;
183 } 183 }
184 184
185 func = kzalloc(sizeof(*func) + sizeof(*func->template) * num, 185 func = kzalloc(struct_size(func, template, num), GFP_KERNEL);
186 GFP_KERNEL);
187 if (!func) 186 if (!func)
188 return ERR_PTR(-ENOMEM); 187 return ERR_PTR(-ENOMEM);
189 188
diff --git a/drivers/mtd/spi-nor/aspeed-smc.c b/drivers/mtd/spi-nor/aspeed-smc.c
index 8d3cbe27efb6..95e54468cf7d 100644
--- a/drivers/mtd/spi-nor/aspeed-smc.c
+++ b/drivers/mtd/spi-nor/aspeed-smc.c
@@ -861,8 +861,9 @@ static int aspeed_smc_probe(struct platform_device *pdev)
861 return -ENODEV; 861 return -ENODEV;
862 info = match->data; 862 info = match->data;
863 863
864 controller = devm_kzalloc(&pdev->dev, sizeof(*controller) + 864 controller = devm_kzalloc(&pdev->dev,
865 info->nce * sizeof(controller->chips[0]), GFP_KERNEL); 865 struct_size(controller, chips, info->nce),
866 GFP_KERNEL);
866 if (!controller) 867 if (!controller)
867 return -ENOMEM; 868 return -ENOMEM;
868 controller->info = info; 869 controller->info = info;
diff --git a/drivers/net/can/peak_canfd/peak_pciefd_main.c b/drivers/net/can/peak_canfd/peak_pciefd_main.c
index 3c51a884db87..b9e28578bc7b 100644
--- a/drivers/net/can/peak_canfd/peak_pciefd_main.c
+++ b/drivers/net/can/peak_canfd/peak_pciefd_main.c
@@ -752,8 +752,7 @@ static int peak_pciefd_probe(struct pci_dev *pdev,
752 can_count = 1; 752 can_count = 1;
753 753
754 /* allocate board structure object */ 754 /* allocate board structure object */
755 pciefd = devm_kzalloc(&pdev->dev, sizeof(*pciefd) + 755 pciefd = devm_kzalloc(&pdev->dev, struct_size(pciefd, can, can_count),
756 can_count * sizeof(*pciefd->can),
757 GFP_KERNEL); 756 GFP_KERNEL);
758 if (!pciefd) { 757 if (!pciefd) {
759 err = -ENOMEM; 758 err = -ENOMEM;
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
index 7ecadb501743..413080a312a7 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/debugfs.c
@@ -494,7 +494,7 @@ static int add_res_tree(struct mlx5_core_dev *dev, enum dbg_rsc_type type,
494 int err; 494 int err;
495 int i; 495 int i;
496 496
497 d = kzalloc(sizeof(*d) + nfile * sizeof(d->fields[0]), GFP_KERNEL); 497 d = kzalloc(struct_size(d, fields, nfile), GFP_KERNEL);
498 if (!d) 498 if (!d)
499 return -ENOMEM; 499 return -ENOMEM;
500 500
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index c39c1692e674..56e275199256 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -1191,8 +1191,7 @@ static struct mlx5_flow_handle *alloc_handle(int num_rules)
1191{ 1191{
1192 struct mlx5_flow_handle *handle; 1192 struct mlx5_flow_handle *handle;
1193 1193
1194 handle = kzalloc(sizeof(*handle) + sizeof(handle->rule[0]) * 1194 handle = kzalloc(struct_size(handle, rule, num_rules), GFP_KERNEL);
1195 num_rules, GFP_KERNEL);
1196 if (!handle) 1195 if (!handle)
1197 return NULL; 1196 return NULL;
1198 1197
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 90f8c89ea59c..9b2e1cb58e38 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -2987,9 +2987,8 @@ static int iwl_mvm_mac_set_key(struct ieee80211_hw *hw,
2987 2987
2988 mvmsta = iwl_mvm_sta_from_mac80211(sta); 2988 mvmsta = iwl_mvm_sta_from_mac80211(sta);
2989 WARN_ON(rcu_access_pointer(mvmsta->ptk_pn[keyidx])); 2989 WARN_ON(rcu_access_pointer(mvmsta->ptk_pn[keyidx]));
2990 ptk_pn = kzalloc(sizeof(*ptk_pn) + 2990 ptk_pn = kzalloc(struct_size(ptk_pn, q,
2991 mvm->trans->num_rx_queues * 2991 mvm->trans->num_rx_queues),
2992 sizeof(ptk_pn->q[0]),
2993 GFP_KERNEL); 2992 GFP_KERNEL);
2994 if (!ptk_pn) { 2993 if (!ptk_pn) {
2995 ret = -ENOMEM; 2994 ret = -ENOMEM;
diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c
index fcb208d1f276..89c7d8c7eb48 100644
--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
+++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
@@ -236,8 +236,7 @@ int mt76_rx_aggr_start(struct mt76_dev *dev, struct mt76_wcid *wcid, u8 tidno,
236 236
237 mt76_rx_aggr_stop(dev, wcid, tidno); 237 mt76_rx_aggr_stop(dev, wcid, tidno);
238 238
239 tid = kzalloc(sizeof(*tid) + size * sizeof(tid->reorder_buf[0]), 239 tid = kzalloc(struct_size(tid, reorder_buf, size), GFP_KERNEL);
240 GFP_KERNEL);
241 if (!tid) 240 if (!tid)
242 return -ENOMEM; 241 return -ENOMEM;
243 242
diff --git a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
index 288e6567ceb1..c399f0932af5 100644
--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
+++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c
@@ -483,8 +483,8 @@ static int s3c64xx_eint_gpio_init(struct samsung_pinctrl_drv_data *d)
483 ++nr_domains; 483 ++nr_domains;
484 } 484 }
485 485
486 data = devm_kzalloc(dev, sizeof(*data) 486 data = devm_kzalloc(dev, struct_size(data, domains, nr_domains),
487 + nr_domains * sizeof(*data->domains), GFP_KERNEL); 487 GFP_KERNEL);
488 if (!data) 488 if (!data)
489 return -ENOMEM; 489 return -ENOMEM;
490 data->drvdata = d; 490 data->drvdata = d;
diff --git a/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c b/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c
index ec0f77afeaa4..add8e870667b 100644
--- a/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c
+++ b/drivers/pinctrl/uniphier/pinctrl-uniphier-core.c
@@ -759,8 +759,7 @@ static int uniphier_pinctrl_add_reg_region(struct device *dev,
759 759
760 nregs = DIV_ROUND_UP(count * width, 32); 760 nregs = DIV_ROUND_UP(count * width, 32);
761 761
762 region = devm_kzalloc(dev, 762 region = devm_kzalloc(dev, struct_size(region, vals, nregs),
763 sizeof(*region) + sizeof(region->vals[0]) * nregs,
764 GFP_KERNEL); 763 GFP_KERNEL);
765 if (!region) 764 if (!region)
766 return -ENOMEM; 765 return -ENOMEM;
diff --git a/drivers/regulator/mc13783-regulator.c b/drivers/regulator/mc13783-regulator.c
index fe4c7d677f9c..0e0277bd91a8 100644
--- a/drivers/regulator/mc13783-regulator.c
+++ b/drivers/regulator/mc13783-regulator.c
@@ -409,9 +409,9 @@ static int mc13783_regulator_probe(struct platform_device *pdev)
409 if (num_regulators <= 0) 409 if (num_regulators <= 0)
410 return -EINVAL; 410 return -EINVAL;
411 411
412 priv = devm_kzalloc(&pdev->dev, sizeof(*priv) + 412 priv = devm_kzalloc(&pdev->dev,
413 num_regulators * sizeof(priv->regulators[0]), 413 struct_size(priv, regulators, num_regulators),
414 GFP_KERNEL); 414 GFP_KERNEL);
415 if (!priv) 415 if (!priv)
416 return -ENOMEM; 416 return -ENOMEM;
417 417
diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
index 0d17c9206816..15dd7bc7b529 100644
--- a/drivers/regulator/mc13892-regulator.c
+++ b/drivers/regulator/mc13892-regulator.c
@@ -547,9 +547,9 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
547 if (num_regulators <= 0) 547 if (num_regulators <= 0)
548 return -EINVAL; 548 return -EINVAL;
549 549
550 priv = devm_kzalloc(&pdev->dev, sizeof(*priv) + 550 priv = devm_kzalloc(&pdev->dev,
551 num_regulators * sizeof(priv->regulators[0]), 551 struct_size(priv, regulators, num_regulators),
552 GFP_KERNEL); 552 GFP_KERNEL);
553 if (!priv) 553 if (!priv)
554 return -ENOMEM; 554 return -ENOMEM;
555 555
diff --git a/drivers/reset/core.c b/drivers/reset/core.c
index 6488292e129c..225e34c56b94 100644
--- a/drivers/reset/core.c
+++ b/drivers/reset/core.c
@@ -730,8 +730,7 @@ of_reset_control_array_get(struct device_node *np, bool shared, bool optional)
730 if (num < 0) 730 if (num < 0)
731 return optional ? NULL : ERR_PTR(num); 731 return optional ? NULL : ERR_PTR(num);
732 732
733 resets = kzalloc(sizeof(*resets) + sizeof(resets->rstc[0]) * num, 733 resets = kzalloc(struct_size(resets, rstc, num), GFP_KERNEL);
734 GFP_KERNEL);
735 if (!resets) 734 if (!resets)
736 return ERR_PTR(-ENOMEM); 735 return ERR_PTR(-ENOMEM);
737 736
diff --git a/drivers/rtc/rtc-ac100.c b/drivers/rtc/rtc-ac100.c
index 3fe576fdd45e..784b676284bf 100644
--- a/drivers/rtc/rtc-ac100.c
+++ b/drivers/rtc/rtc-ac100.c
@@ -317,10 +317,10 @@ static int ac100_rtc_register_clks(struct ac100_rtc_dev *chip)
317 const char *parents[2] = {AC100_RTC_32K_NAME}; 317 const char *parents[2] = {AC100_RTC_32K_NAME};
318 int i, ret; 318 int i, ret;
319 319
320 chip->clk_data = devm_kzalloc(chip->dev, sizeof(*chip->clk_data) + 320 chip->clk_data = devm_kzalloc(chip->dev,
321 sizeof(*chip->clk_data->hws) * 321 struct_size(chip->clk_data, hws,
322 AC100_CLKOUT_NUM, 322 AC100_CLKOUT_NUM),
323 GFP_KERNEL); 323 GFP_KERNEL);
324 if (!chip->clk_data) 324 if (!chip->clk_data)
325 return -ENOMEM; 325 return -ENOMEM;
326 326
diff --git a/drivers/s390/cio/ccwgroup.c b/drivers/s390/cio/ccwgroup.c
index db9c854088bc..93b2862bd3fa 100644
--- a/drivers/s390/cio/ccwgroup.c
+++ b/drivers/s390/cio/ccwgroup.c
@@ -326,8 +326,7 @@ int ccwgroup_create_dev(struct device *parent, struct ccwgroup_driver *gdrv,
326 if (num_devices < 1) 326 if (num_devices < 1)
327 return -EINVAL; 327 return -EINVAL;
328 328
329 gdev = kzalloc(sizeof(*gdev) + num_devices * sizeof(gdev->cdev[0]), 329 gdev = kzalloc(struct_size(gdev, cdev, num_devices), GFP_KERNEL);
330 GFP_KERNEL);
331 if (!gdev) 330 if (!gdev)
332 return -ENOMEM; 331 return -ENOMEM;
333 332
diff --git a/drivers/soc/actions/owl-sps.c b/drivers/soc/actions/owl-sps.c
index 8477f0f18e24..032921d8d41f 100644
--- a/drivers/soc/actions/owl-sps.c
+++ b/drivers/soc/actions/owl-sps.c
@@ -117,8 +117,8 @@ static int owl_sps_probe(struct platform_device *pdev)
117 117
118 sps_info = match->data; 118 sps_info = match->data;
119 119
120 sps = devm_kzalloc(&pdev->dev, sizeof(*sps) + 120 sps = devm_kzalloc(&pdev->dev,
121 sps_info->num_domains * sizeof(sps->domains[0]), 121 struct_size(sps, domains, sps_info->num_domains),
122 GFP_KERNEL); 122 GFP_KERNEL);
123 if (!sps) 123 if (!sps)
124 return -ENOMEM; 124 return -ENOMEM;
diff --git a/drivers/soc/rockchip/pm_domains.c b/drivers/soc/rockchip/pm_domains.c
index 53efc386b1ad..111c44fc1c12 100644
--- a/drivers/soc/rockchip/pm_domains.c
+++ b/drivers/soc/rockchip/pm_domains.c
@@ -626,8 +626,7 @@ static int rockchip_pm_domain_probe(struct platform_device *pdev)
626 pmu_info = match->data; 626 pmu_info = match->data;
627 627
628 pmu = devm_kzalloc(dev, 628 pmu = devm_kzalloc(dev,
629 sizeof(*pmu) + 629 struct_size(pmu, domains, pmu_info->num_domains),
630 pmu_info->num_domains * sizeof(pmu->domains[0]),
631 GFP_KERNEL); 630 GFP_KERNEL);
632 if (!pmu) 631 if (!pmu)
633 return -ENOMEM; 632 return -ENOMEM;
diff --git a/drivers/staging/greybus/module.c b/drivers/staging/greybus/module.c
index b785382192de..894d02e8d8b7 100644
--- a/drivers/staging/greybus/module.c
+++ b/drivers/staging/greybus/module.c
@@ -94,8 +94,8 @@ struct gb_module *gb_module_create(struct gb_host_device *hd, u8 module_id,
94 struct gb_module *module; 94 struct gb_module *module;
95 int i; 95 int i;
96 96
97 module = kzalloc(sizeof(*module) + num_interfaces * sizeof(intf), 97 module = kzalloc(struct_size(module, interfaces, num_interfaces),
98 GFP_KERNEL); 98 GFP_KERNEL);
99 if (!module) 99 if (!module)
100 return NULL; 100 return NULL;
101 101
diff --git a/drivers/thermal/qcom/tsens.c b/drivers/thermal/qcom/tsens.c
index 3f9fe6aa51cc..c2c34425279d 100644
--- a/drivers/thermal/qcom/tsens.c
+++ b/drivers/thermal/qcom/tsens.c
@@ -112,7 +112,6 @@ static int tsens_probe(struct platform_device *pdev)
112 int ret, i; 112 int ret, i;
113 struct device *dev; 113 struct device *dev;
114 struct device_node *np; 114 struct device_node *np;
115 struct tsens_sensor *s;
116 struct tsens_device *tmdev; 115 struct tsens_device *tmdev;
117 const struct tsens_data *data; 116 const struct tsens_data *data;
118 const struct of_device_id *id; 117 const struct of_device_id *id;
@@ -135,8 +134,9 @@ static int tsens_probe(struct platform_device *pdev)
135 return -EINVAL; 134 return -EINVAL;
136 } 135 }
137 136
138 tmdev = devm_kzalloc(dev, sizeof(*tmdev) + 137 tmdev = devm_kzalloc(dev,
139 data->num_sensors * sizeof(*s), GFP_KERNEL); 138 struct_size(tmdev, sensor, data->num_sensors),
139 GFP_KERNEL);
140 if (!tmdev) 140 if (!tmdev)
141 return -ENOMEM; 141 return -ENOMEM;
142 142
diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index f80699747ee0..46af0aa07e2e 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -1301,9 +1301,8 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi)
1301 } 1301 }
1302 1302
1303 /* allocate and initialize one new instance */ 1303 /* allocate and initialize one new instance */
1304 midi = kzalloc( 1304 midi = kzalloc(struct_size(midi, in_ports_array, opts->in_ports),
1305 sizeof(*midi) + opts->in_ports * sizeof(*midi->in_ports_array), 1305 GFP_KERNEL);
1306 GFP_KERNEL);
1307 if (!midi) { 1306 if (!midi) {
1308 status = -ENOMEM; 1307 status = -ENOMEM;
1309 goto setup_fail; 1308 goto setup_fail;
diff --git a/drivers/zorro/zorro.c b/drivers/zorro/zorro.c
index 67fa900572a9..8eeb84c239db 100644
--- a/drivers/zorro/zorro.c
+++ b/drivers/zorro/zorro.c
@@ -138,8 +138,7 @@ static int __init amiga_zorro_probe(struct platform_device *pdev)
138 int error; 138 int error;
139 139
140 /* Initialize the Zorro bus */ 140 /* Initialize the Zorro bus */
141 bus = kzalloc(sizeof(*bus) + 141 bus = kzalloc(struct_size(bus, devices, zorro_num_autocon),
142 zorro_num_autocon * sizeof(bus->devices[0]),
143 GFP_KERNEL); 142 GFP_KERNEL);
144 if (!bus) 143 if (!bus)
145 return -ENOMEM; 144 return -ENOMEM;
diff --git a/fs/afs/addr_list.c b/fs/afs/addr_list.c
index 7587fb665ff1..2c46c46f3a6d 100644
--- a/fs/afs/addr_list.c
+++ b/fs/afs/addr_list.c
@@ -43,8 +43,7 @@ struct afs_addr_list *afs_alloc_addrlist(unsigned int nr,
43 43
44 _enter("%u,%u,%u", nr, service, port); 44 _enter("%u,%u,%u", nr, service, port);
45 45
46 alist = kzalloc(sizeof(*alist) + sizeof(alist->addrs[0]) * nr, 46 alist = kzalloc(struct_size(alist, addrs, nr), GFP_KERNEL);
47 GFP_KERNEL);
48 if (!alist) 47 if (!alist)
49 return NULL; 48 return NULL;
50 49
diff --git a/include/linux/compiler-clang.h b/include/linux/compiler-clang.h
index 7d98e263e048..7087446c24c8 100644
--- a/include/linux/compiler-clang.h
+++ b/include/linux/compiler-clang.h
@@ -32,3 +32,17 @@
32#ifdef __noretpoline 32#ifdef __noretpoline
33#undef __noretpoline 33#undef __noretpoline
34#endif 34#endif
35
36/*
37 * Not all versions of clang implement the the type-generic versions
38 * of the builtin overflow checkers. Fortunately, clang implements
39 * __has_builtin allowing us to avoid awkward version
40 * checks. Unfortunately, we don't know which version of gcc clang
41 * pretends to be, so the macro may or may not be defined.
42 */
43#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
44#if __has_builtin(__builtin_mul_overflow) && \
45 __has_builtin(__builtin_add_overflow) && \
46 __has_builtin(__builtin_sub_overflow)
47#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
48#endif
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index b4bf73f5e38f..f1a7492a5cc8 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -343,3 +343,7 @@
343 * code 343 * code
344 */ 344 */
345#define uninitialized_var(x) x = x 345#define uninitialized_var(x) x = x
346
347#if GCC_VERSION >= 50100
348#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
349#endif
diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h
index bfa08160db3a..547cdc920a3c 100644
--- a/include/linux/compiler-intel.h
+++ b/include/linux/compiler-intel.h
@@ -44,3 +44,7 @@
44#define __builtin_bswap16 _bswap16 44#define __builtin_bswap16 _bswap16
45#endif 45#endif
46 46
47/*
48 * icc defines __GNUC__, but does not implement the builtin overflow checkers.
49 */
50#undef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
diff --git a/include/linux/device.h b/include/linux/device.h
index e9d4b43c4ead..055a69dbcd18 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -25,6 +25,7 @@
25#include <linux/ratelimit.h> 25#include <linux/ratelimit.h>
26#include <linux/uidgid.h> 26#include <linux/uidgid.h>
27#include <linux/gfp.h> 27#include <linux/gfp.h>
28#include <linux/overflow.h>
28#include <asm/device.h> 29#include <asm/device.h>
29 30
30struct device; 31struct device;
@@ -672,9 +673,12 @@ static inline void *devm_kzalloc(struct device *dev, size_t size, gfp_t gfp)
672static inline void *devm_kmalloc_array(struct device *dev, 673static inline void *devm_kmalloc_array(struct device *dev,
673 size_t n, size_t size, gfp_t flags) 674 size_t n, size_t size, gfp_t flags)
674{ 675{
675 if (size != 0 && n > SIZE_MAX / size) 676 size_t bytes;
677
678 if (unlikely(check_mul_overflow(n, size, &bytes)))
676 return NULL; 679 return NULL;
677 return devm_kmalloc(dev, n * size, flags); 680
681 return devm_kmalloc(dev, bytes, flags);
678} 682}
679static inline void *devm_kcalloc(struct device *dev, 683static inline void *devm_kcalloc(struct device *dev,
680 size_t n, size_t size, gfp_t flags) 684 size_t n, size_t size, gfp_t flags)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 02a616e2f17d..611f19dd471d 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -25,6 +25,7 @@
25#include <linux/err.h> 25#include <linux/err.h>
26#include <linux/page_ref.h> 26#include <linux/page_ref.h>
27#include <linux/memremap.h> 27#include <linux/memremap.h>
28#include <linux/overflow.h>
28 29
29struct mempolicy; 30struct mempolicy;
30struct anon_vma; 31struct anon_vma;
@@ -560,10 +561,12 @@ static inline void *kvzalloc(size_t size, gfp_t flags)
560 561
561static inline void *kvmalloc_array(size_t n, size_t size, gfp_t flags) 562static inline void *kvmalloc_array(size_t n, size_t size, gfp_t flags)
562{ 563{
563 if (size != 0 && n > SIZE_MAX / size) 564 size_t bytes;
565
566 if (unlikely(check_mul_overflow(n, size, &bytes)))
564 return NULL; 567 return NULL;
565 568
566 return kvmalloc(n * size, flags); 569 return kvmalloc(bytes, flags);
567} 570}
568 571
569extern void kvfree(const void *addr); 572extern void kvfree(const void *addr);
diff --git a/include/linux/overflow.h b/include/linux/overflow.h
new file mode 100644
index 000000000000..8712ff70995f
--- /dev/null
+++ b/include/linux/overflow.h
@@ -0,0 +1,278 @@
1/* SPDX-License-Identifier: GPL-2.0 OR MIT */
2#ifndef __LINUX_OVERFLOW_H
3#define __LINUX_OVERFLOW_H
4
5#include <linux/compiler.h>
6
7/*
8 * In the fallback code below, we need to compute the minimum and
9 * maximum values representable in a given type. These macros may also
10 * be useful elsewhere, so we provide them outside the
11 * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
12 *
13 * It would seem more obvious to do something like
14 *
15 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
16 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
17 *
18 * Unfortunately, the middle expressions, strictly speaking, have
19 * undefined behaviour, and at least some versions of gcc warn about
20 * the type_max expression (but not if -fsanitize=undefined is in
21 * effect; in that case, the warning is deferred to runtime...).
22 *
23 * The slightly excessive casting in type_min is to make sure the
24 * macros also produce sensible values for the exotic type _Bool. [The
25 * overflow checkers only almost work for _Bool, but that's
26 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
27 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
28 * argument.]
29 *
30 * Idea stolen from
31 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
32 * credit to Christian Biere.
33 */
34#define is_signed_type(type) (((type)(-1)) < (type)1)
35#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
36#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
37#define type_min(T) ((T)((T)-type_max(T)-(T)1))
38
39
40#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
41/*
42 * For simplicity and code hygiene, the fallback code below insists on
43 * a, b and *d having the same type (similar to the min() and max()
44 * macros), whereas gcc's type-generic overflow checkers accept
45 * different types. Hence we don't just make check_add_overflow an
46 * alias for __builtin_add_overflow, but add type checks similar to
47 * below.
48 */
49#define check_add_overflow(a, b, d) ({ \
50 typeof(a) __a = (a); \
51 typeof(b) __b = (b); \
52 typeof(d) __d = (d); \
53 (void) (&__a == &__b); \
54 (void) (&__a == __d); \
55 __builtin_add_overflow(__a, __b, __d); \
56})
57
58#define check_sub_overflow(a, b, d) ({ \
59 typeof(a) __a = (a); \
60 typeof(b) __b = (b); \
61 typeof(d) __d = (d); \
62 (void) (&__a == &__b); \
63 (void) (&__a == __d); \
64 __builtin_sub_overflow(__a, __b, __d); \
65})
66
67#define check_mul_overflow(a, b, d) ({ \
68 typeof(a) __a = (a); \
69 typeof(b) __b = (b); \
70 typeof(d) __d = (d); \
71 (void) (&__a == &__b); \
72 (void) (&__a == __d); \
73 __builtin_mul_overflow(__a, __b, __d); \
74})
75
76#else
77
78
79/* Checking for unsigned overflow is relatively easy without causing UB. */
80#define __unsigned_add_overflow(a, b, d) ({ \
81 typeof(a) __a = (a); \
82 typeof(b) __b = (b); \
83 typeof(d) __d = (d); \
84 (void) (&__a == &__b); \
85 (void) (&__a == __d); \
86 *__d = __a + __b; \
87 *__d < __a; \
88})
89#define __unsigned_sub_overflow(a, b, d) ({ \
90 typeof(a) __a = (a); \
91 typeof(b) __b = (b); \
92 typeof(d) __d = (d); \
93 (void) (&__a == &__b); \
94 (void) (&__a == __d); \
95 *__d = __a - __b; \
96 __a < __b; \
97})
98/*
99 * If one of a or b is a compile-time constant, this avoids a division.
100 */
101#define __unsigned_mul_overflow(a, b, d) ({ \
102 typeof(a) __a = (a); \
103 typeof(b) __b = (b); \
104 typeof(d) __d = (d); \
105 (void) (&__a == &__b); \
106 (void) (&__a == __d); \
107 *__d = __a * __b; \
108 __builtin_constant_p(__b) ? \
109 __b > 0 && __a > type_max(typeof(__a)) / __b : \
110 __a > 0 && __b > type_max(typeof(__b)) / __a; \
111})
112
113/*
114 * For signed types, detecting overflow is much harder, especially if
115 * we want to avoid UB. But the interface of these macros is such that
116 * we must provide a result in *d, and in fact we must produce the
117 * result promised by gcc's builtins, which is simply the possibly
118 * wrapped-around value. Fortunately, we can just formally do the
119 * operations in the widest relevant unsigned type (u64) and then
120 * truncate the result - gcc is smart enough to generate the same code
121 * with and without the (u64) casts.
122 */
123
124/*
125 * Adding two signed integers can overflow only if they have the same
126 * sign, and overflow has happened iff the result has the opposite
127 * sign.
128 */
129#define __signed_add_overflow(a, b, d) ({ \
130 typeof(a) __a = (a); \
131 typeof(b) __b = (b); \
132 typeof(d) __d = (d); \
133 (void) (&__a == &__b); \
134 (void) (&__a == __d); \
135 *__d = (u64)__a + (u64)__b; \
136 (((~(__a ^ __b)) & (*__d ^ __a)) \
137 & type_min(typeof(__a))) != 0; \
138})
139
140/*
141 * Subtraction is similar, except that overflow can now happen only
142 * when the signs are opposite. In this case, overflow has happened if
143 * the result has the opposite sign of a.
144 */
145#define __signed_sub_overflow(a, b, d) ({ \
146 typeof(a) __a = (a); \
147 typeof(b) __b = (b); \
148 typeof(d) __d = (d); \
149 (void) (&__a == &__b); \
150 (void) (&__a == __d); \
151 *__d = (u64)__a - (u64)__b; \
152 ((((__a ^ __b)) & (*__d ^ __a)) \
153 & type_min(typeof(__a))) != 0; \
154})
155
156/*
157 * Signed multiplication is rather hard. gcc always follows C99, so
158 * division is truncated towards 0. This means that we can write the
159 * overflow check like this:
160 *
161 * (a > 0 && (b > MAX/a || b < MIN/a)) ||
162 * (a < -1 && (b > MIN/a || b < MAX/a) ||
163 * (a == -1 && b == MIN)
164 *
165 * The redundant casts of -1 are to silence an annoying -Wtype-limits
166 * (included in -Wextra) warning: When the type is u8 or u16, the
167 * __b_c_e in check_mul_overflow obviously selects
168 * __unsigned_mul_overflow, but unfortunately gcc still parses this
169 * code and warns about the limited range of __b.
170 */
171
172#define __signed_mul_overflow(a, b, d) ({ \
173 typeof(a) __a = (a); \
174 typeof(b) __b = (b); \
175 typeof(d) __d = (d); \
176 typeof(a) __tmax = type_max(typeof(a)); \
177 typeof(a) __tmin = type_min(typeof(a)); \
178 (void) (&__a == &__b); \
179 (void) (&__a == __d); \
180 *__d = (u64)__a * (u64)__b; \
181 (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \
182 (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \
183 (__b == (typeof(__b))-1 && __a == __tmin); \
184})
185
186
187#define check_add_overflow(a, b, d) \
188 __builtin_choose_expr(is_signed_type(typeof(a)), \
189 __signed_add_overflow(a, b, d), \
190 __unsigned_add_overflow(a, b, d))
191
192#define check_sub_overflow(a, b, d) \
193 __builtin_choose_expr(is_signed_type(typeof(a)), \
194 __signed_sub_overflow(a, b, d), \
195 __unsigned_sub_overflow(a, b, d))
196
197#define check_mul_overflow(a, b, d) \
198 __builtin_choose_expr(is_signed_type(typeof(a)), \
199 __signed_mul_overflow(a, b, d), \
200 __unsigned_mul_overflow(a, b, d))
201
202
203#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
204
205/**
206 * array_size() - Calculate size of 2-dimensional array.
207 *
208 * @a: dimension one
209 * @b: dimension two
210 *
211 * Calculates size of 2-dimensional array: @a * @b.
212 *
213 * Returns: number of bytes needed to represent the array or SIZE_MAX on
214 * overflow.
215 */
216static inline __must_check size_t array_size(size_t a, size_t b)
217{
218 size_t bytes;
219
220 if (check_mul_overflow(a, b, &bytes))
221 return SIZE_MAX;
222
223 return bytes;
224}
225
226/**
227 * array3_size() - Calculate size of 3-dimensional array.
228 *
229 * @a: dimension one
230 * @b: dimension two
231 * @c: dimension three
232 *
233 * Calculates size of 3-dimensional array: @a * @b * @c.
234 *
235 * Returns: number of bytes needed to represent the array or SIZE_MAX on
236 * overflow.
237 */
238static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
239{
240 size_t bytes;
241
242 if (check_mul_overflow(a, b, &bytes))
243 return SIZE_MAX;
244 if (check_mul_overflow(bytes, c, &bytes))
245 return SIZE_MAX;
246
247 return bytes;
248}
249
250static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
251{
252 size_t bytes;
253
254 if (check_mul_overflow(n, size, &bytes))
255 return SIZE_MAX;
256 if (check_add_overflow(bytes, c, &bytes))
257 return SIZE_MAX;
258
259 return bytes;
260}
261
262/**
263 * struct_size() - Calculate size of structure with trailing array.
264 * @p: Pointer to the structure.
265 * @member: Name of the array member.
266 * @n: Number of elements in the array.
267 *
268 * Calculates size of memory needed for structure @p followed by an
269 * array of @n @member elements.
270 *
271 * Return: number of bytes needed or SIZE_MAX on overflow.
272 */
273#define struct_size(p, member, n) \
274 __ab_c_size(n, \
275 sizeof(*(p)->member) + __must_be_array((p)->member),\
276 sizeof(*(p)))
277
278#endif /* __LINUX_OVERFLOW_H */
diff --git a/include/linux/slab.h b/include/linux/slab.h
index 81ebd71f8c03..4d759e1ddc33 100644
--- a/include/linux/slab.h
+++ b/include/linux/slab.h
@@ -13,6 +13,7 @@
13#define _LINUX_SLAB_H 13#define _LINUX_SLAB_H
14 14
15#include <linux/gfp.h> 15#include <linux/gfp.h>
16#include <linux/overflow.h>
16#include <linux/types.h> 17#include <linux/types.h>
17#include <linux/workqueue.h> 18#include <linux/workqueue.h>
18 19
@@ -624,11 +625,13 @@ int memcg_update_all_caches(int num_memcgs);
624 */ 625 */
625static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags) 626static inline void *kmalloc_array(size_t n, size_t size, gfp_t flags)
626{ 627{
627 if (size != 0 && n > SIZE_MAX / size) 628 size_t bytes;
629
630 if (unlikely(check_mul_overflow(n, size, &bytes)))
628 return NULL; 631 return NULL;
629 if (__builtin_constant_p(n) && __builtin_constant_p(size)) 632 if (__builtin_constant_p(n) && __builtin_constant_p(size))
630 return kmalloc(n * size, flags); 633 return kmalloc(bytes, flags);
631 return __kmalloc(n * size, flags); 634 return __kmalloc(bytes, flags);
632} 635}
633 636
634/** 637/**
@@ -657,11 +660,13 @@ extern void *__kmalloc_track_caller(size_t, gfp_t, unsigned long);
657static inline void *kmalloc_array_node(size_t n, size_t size, gfp_t flags, 660static inline void *kmalloc_array_node(size_t n, size_t size, gfp_t flags,
658 int node) 661 int node)
659{ 662{
660 if (size != 0 && n > SIZE_MAX / size) 663 size_t bytes;
664
665 if (unlikely(check_mul_overflow(n, size, &bytes)))
661 return NULL; 666 return NULL;
662 if (__builtin_constant_p(n) && __builtin_constant_p(size)) 667 if (__builtin_constant_p(n) && __builtin_constant_p(size))
663 return kmalloc_node(n * size, flags, node); 668 return kmalloc_node(bytes, flags, node);
664 return __kmalloc_node(n * size, flags, node); 669 return __kmalloc_node(bytes, flags, node);
665} 670}
666 671
667static inline void *kcalloc_node(size_t n, size_t size, gfp_t flags, int node) 672static inline void *kcalloc_node(size_t n, size_t size, gfp_t flags, int node)
diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
index 1e5d8c392f15..398e9c95cd61 100644
--- a/include/linux/vmalloc.h
+++ b/include/linux/vmalloc.h
@@ -8,6 +8,7 @@
8#include <linux/llist.h> 8#include <linux/llist.h>
9#include <asm/page.h> /* pgprot_t */ 9#include <asm/page.h> /* pgprot_t */
10#include <linux/rbtree.h> 10#include <linux/rbtree.h>
11#include <linux/overflow.h>
11 12
12struct vm_area_struct; /* vma defining user mapping in mm_types.h */ 13struct vm_area_struct; /* vma defining user mapping in mm_types.h */
13struct notifier_block; /* in notifier.h */ 14struct notifier_block; /* in notifier.h */
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index acb66713f9b6..077370bf8964 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -4820,8 +4820,8 @@ static struct cgroup *cgroup_create(struct cgroup *parent)
4820 int ret; 4820 int ret;
4821 4821
4822 /* allocate the cgroup and its ID, 0 is reserved for the root */ 4822 /* allocate the cgroup and its ID, 0 is reserved for the root */
4823 cgrp = kzalloc(sizeof(*cgrp) + 4823 cgrp = kzalloc(struct_size(cgrp, ancestor_ids, (level + 1)),
4824 sizeof(cgrp->ancestor_ids[0]) * (level + 1), GFP_KERNEL); 4824 GFP_KERNEL);
4825 if (!cgrp) 4825 if (!cgrp)
4826 return ERR_PTR(-ENOMEM); 4826 return ERR_PTR(-ENOMEM);
4827 4827
diff --git a/kernel/module.c b/kernel/module.c
index c9bea7f2b43e..68469b37d61a 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -1604,8 +1604,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
1604 if (notes == 0) 1604 if (notes == 0)
1605 return; 1605 return;
1606 1606
1607 notes_attrs = kzalloc(sizeof(*notes_attrs) 1607 notes_attrs = kzalloc(struct_size(notes_attrs, attrs, notes),
1608 + notes * sizeof(notes_attrs->attrs[0]),
1609 GFP_KERNEL); 1608 GFP_KERNEL);
1610 if (notes_attrs == NULL) 1609 if (notes_attrs == NULL)
1611 return; 1610 return;
diff --git a/kernel/workqueue.c b/kernel/workqueue.c
index 7ea75529eabb..9f9983b0a27d 100644
--- a/kernel/workqueue.c
+++ b/kernel/workqueue.c
@@ -3714,8 +3714,7 @@ apply_wqattrs_prepare(struct workqueue_struct *wq,
3714 3714
3715 lockdep_assert_held(&wq_pool_mutex); 3715 lockdep_assert_held(&wq_pool_mutex);
3716 3716
3717 ctx = kzalloc(sizeof(*ctx) + nr_node_ids * sizeof(ctx->pwq_tbl[0]), 3717 ctx = kzalloc(struct_size(ctx, pwq_tbl, nr_node_ids), GFP_KERNEL);
3718 GFP_KERNEL);
3719 3718
3720 new_attrs = alloc_workqueue_attrs(GFP_KERNEL); 3719 new_attrs = alloc_workqueue_attrs(GFP_KERNEL);
3721 tmp_attrs = alloc_workqueue_attrs(GFP_KERNEL); 3720 tmp_attrs = alloc_workqueue_attrs(GFP_KERNEL);
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 76555479ae36..eb885942eb0f 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1802,6 +1802,9 @@ config TEST_BITMAP
1802config TEST_UUID 1802config TEST_UUID
1803 tristate "Test functions located in the uuid module at runtime" 1803 tristate "Test functions located in the uuid module at runtime"
1804 1804
1805config TEST_OVERFLOW
1806 tristate "Test check_*_overflow() functions at runtime"
1807
1805config TEST_RHASHTABLE 1808config TEST_RHASHTABLE
1806 tristate "Perform selftest on resizable hash table" 1809 tristate "Perform selftest on resizable hash table"
1807 default n 1810 default n
diff --git a/lib/Makefile b/lib/Makefile
index 9f18c8152281..84c6dcb31fbb 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -60,6 +60,7 @@ UBSAN_SANITIZE_test_ubsan.o := y
60obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o 60obj-$(CONFIG_TEST_KSTRTOX) += test-kstrtox.o
61obj-$(CONFIG_TEST_LIST_SORT) += test_list_sort.o 61obj-$(CONFIG_TEST_LIST_SORT) += test_list_sort.o
62obj-$(CONFIG_TEST_LKM) += test_module.o 62obj-$(CONFIG_TEST_LKM) += test_module.o
63obj-$(CONFIG_TEST_OVERFLOW) += test_overflow.o
63obj-$(CONFIG_TEST_RHASHTABLE) += test_rhashtable.o 64obj-$(CONFIG_TEST_RHASHTABLE) += test_rhashtable.o
64obj-$(CONFIG_TEST_SORT) += test_sort.o 65obj-$(CONFIG_TEST_SORT) += test_sort.o
65obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o 66obj-$(CONFIG_TEST_USER_COPY) += test_user_copy.o
diff --git a/lib/test_overflow.c b/lib/test_overflow.c
new file mode 100644
index 000000000000..aecbbb217305
--- /dev/null
+++ b/lib/test_overflow.c
@@ -0,0 +1,417 @@
1// SPDX-License-Identifier: GPL-2.0 OR MIT
2/*
3 * Test cases for arithmetic overflow checks.
4 */
5#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
6
7#include <linux/device.h>
8#include <linux/init.h>
9#include <linux/kernel.h>
10#include <linux/mm.h>
11#include <linux/module.h>
12#include <linux/overflow.h>
13#include <linux/slab.h>
14#include <linux/types.h>
15#include <linux/vmalloc.h>
16
17#define DEFINE_TEST_ARRAY(t) \
18 static const struct test_ ## t { \
19 t a, b; \
20 t sum, diff, prod; \
21 bool s_of, d_of, p_of; \
22 } t ## _tests[] __initconst
23
24DEFINE_TEST_ARRAY(u8) = {
25 {0, 0, 0, 0, 0, false, false, false},
26 {1, 1, 2, 0, 1, false, false, false},
27 {0, 1, 1, U8_MAX, 0, false, true, false},
28 {1, 0, 1, 1, 0, false, false, false},
29 {0, U8_MAX, U8_MAX, 1, 0, false, true, false},
30 {U8_MAX, 0, U8_MAX, U8_MAX, 0, false, false, false},
31 {1, U8_MAX, 0, 2, U8_MAX, true, true, false},
32 {U8_MAX, 1, 0, U8_MAX-1, U8_MAX, true, false, false},
33 {U8_MAX, U8_MAX, U8_MAX-1, 0, 1, true, false, true},
34
35 {U8_MAX, U8_MAX-1, U8_MAX-2, 1, 2, true, false, true},
36 {U8_MAX-1, U8_MAX, U8_MAX-2, U8_MAX, 2, true, true, true},
37
38 {1U << 3, 1U << 3, 1U << 4, 0, 1U << 6, false, false, false},
39 {1U << 4, 1U << 4, 1U << 5, 0, 0, false, false, true},
40 {1U << 4, 1U << 3, 3*(1U << 3), 1U << 3, 1U << 7, false, false, false},
41 {1U << 7, 1U << 7, 0, 0, 0, true, false, true},
42
43 {48, 32, 80, 16, 0, false, false, true},
44 {128, 128, 0, 0, 0, true, false, true},
45 {123, 234, 101, 145, 110, true, true, true},
46};
47DEFINE_TEST_ARRAY(u16) = {
48 {0, 0, 0, 0, 0, false, false, false},
49 {1, 1, 2, 0, 1, false, false, false},
50 {0, 1, 1, U16_MAX, 0, false, true, false},
51 {1, 0, 1, 1, 0, false, false, false},
52 {0, U16_MAX, U16_MAX, 1, 0, false, true, false},
53 {U16_MAX, 0, U16_MAX, U16_MAX, 0, false, false, false},
54 {1, U16_MAX, 0, 2, U16_MAX, true, true, false},
55 {U16_MAX, 1, 0, U16_MAX-1, U16_MAX, true, false, false},
56 {U16_MAX, U16_MAX, U16_MAX-1, 0, 1, true, false, true},
57
58 {U16_MAX, U16_MAX-1, U16_MAX-2, 1, 2, true, false, true},
59 {U16_MAX-1, U16_MAX, U16_MAX-2, U16_MAX, 2, true, true, true},
60
61 {1U << 7, 1U << 7, 1U << 8, 0, 1U << 14, false, false, false},
62 {1U << 8, 1U << 8, 1U << 9, 0, 0, false, false, true},
63 {1U << 8, 1U << 7, 3*(1U << 7), 1U << 7, 1U << 15, false, false, false},
64 {1U << 15, 1U << 15, 0, 0, 0, true, false, true},
65
66 {123, 234, 357, 65425, 28782, false, true, false},
67 {1234, 2345, 3579, 64425, 10146, false, true, true},
68};
69DEFINE_TEST_ARRAY(u32) = {
70 {0, 0, 0, 0, 0, false, false, false},
71 {1, 1, 2, 0, 1, false, false, false},
72 {0, 1, 1, U32_MAX, 0, false, true, false},
73 {1, 0, 1, 1, 0, false, false, false},
74 {0, U32_MAX, U32_MAX, 1, 0, false, true, false},
75 {U32_MAX, 0, U32_MAX, U32_MAX, 0, false, false, false},
76 {1, U32_MAX, 0, 2, U32_MAX, true, true, false},
77 {U32_MAX, 1, 0, U32_MAX-1, U32_MAX, true, false, false},
78 {U32_MAX, U32_MAX, U32_MAX-1, 0, 1, true, false, true},
79
80 {U32_MAX, U32_MAX-1, U32_MAX-2, 1, 2, true, false, true},
81 {U32_MAX-1, U32_MAX, U32_MAX-2, U32_MAX, 2, true, true, true},
82
83 {1U << 15, 1U << 15, 1U << 16, 0, 1U << 30, false, false, false},
84 {1U << 16, 1U << 16, 1U << 17, 0, 0, false, false, true},
85 {1U << 16, 1U << 15, 3*(1U << 15), 1U << 15, 1U << 31, false, false, false},
86 {1U << 31, 1U << 31, 0, 0, 0, true, false, true},
87
88 {-2U, 1U, -1U, -3U, -2U, false, false, false},
89 {-4U, 5U, 1U, -9U, -20U, true, false, true},
90};
91
92DEFINE_TEST_ARRAY(u64) = {
93 {0, 0, 0, 0, 0, false, false, false},
94 {1, 1, 2, 0, 1, false, false, false},
95 {0, 1, 1, U64_MAX, 0, false, true, false},
96 {1, 0, 1, 1, 0, false, false, false},
97 {0, U64_MAX, U64_MAX, 1, 0, false, true, false},
98 {U64_MAX, 0, U64_MAX, U64_MAX, 0, false, false, false},
99 {1, U64_MAX, 0, 2, U64_MAX, true, true, false},
100 {U64_MAX, 1, 0, U64_MAX-1, U64_MAX, true, false, false},
101 {U64_MAX, U64_MAX, U64_MAX-1, 0, 1, true, false, true},
102
103 {U64_MAX, U64_MAX-1, U64_MAX-2, 1, 2, true, false, true},
104 {U64_MAX-1, U64_MAX, U64_MAX-2, U64_MAX, 2, true, true, true},
105
106 {1ULL << 31, 1ULL << 31, 1ULL << 32, 0, 1ULL << 62, false, false, false},
107 {1ULL << 32, 1ULL << 32, 1ULL << 33, 0, 0, false, false, true},
108 {1ULL << 32, 1ULL << 31, 3*(1ULL << 31), 1ULL << 31, 1ULL << 63, false, false, false},
109 {1ULL << 63, 1ULL << 63, 0, 0, 0, true, false, true},
110 {1000000000ULL /* 10^9 */, 10000000000ULL /* 10^10 */,
111 11000000000ULL, 18446744064709551616ULL, 10000000000000000000ULL,
112 false, true, false},
113 {-15ULL, 10ULL, -5ULL, -25ULL, -150ULL, false, false, true},
114};
115
116DEFINE_TEST_ARRAY(s8) = {
117 {0, 0, 0, 0, 0, false, false, false},
118
119 {0, S8_MAX, S8_MAX, -S8_MAX, 0, false, false, false},
120 {S8_MAX, 0, S8_MAX, S8_MAX, 0, false, false, false},
121 {0, S8_MIN, S8_MIN, S8_MIN, 0, false, true, false},
122 {S8_MIN, 0, S8_MIN, S8_MIN, 0, false, false, false},
123
124 {-1, S8_MIN, S8_MAX, S8_MAX, S8_MIN, true, false, true},
125 {S8_MIN, -1, S8_MAX, -S8_MAX, S8_MIN, true, false, true},
126 {-1, S8_MAX, S8_MAX-1, S8_MIN, -S8_MAX, false, false, false},
127 {S8_MAX, -1, S8_MAX-1, S8_MIN, -S8_MAX, false, true, false},
128 {-1, -S8_MAX, S8_MIN, S8_MAX-1, S8_MAX, false, false, false},
129 {-S8_MAX, -1, S8_MIN, S8_MIN+2, S8_MAX, false, false, false},
130
131 {1, S8_MIN, -S8_MAX, -S8_MAX, S8_MIN, false, true, false},
132 {S8_MIN, 1, -S8_MAX, S8_MAX, S8_MIN, false, true, false},
133 {1, S8_MAX, S8_MIN, S8_MIN+2, S8_MAX, true, false, false},
134 {S8_MAX, 1, S8_MIN, S8_MAX-1, S8_MAX, true, false, false},
135
136 {S8_MIN, S8_MIN, 0, 0, 0, true, false, true},
137 {S8_MAX, S8_MAX, -2, 0, 1, true, false, true},
138
139 {-4, -32, -36, 28, -128, false, false, true},
140 {-4, 32, 28, -36, -128, false, false, false},
141};
142
143DEFINE_TEST_ARRAY(s16) = {
144 {0, 0, 0, 0, 0, false, false, false},
145
146 {0, S16_MAX, S16_MAX, -S16_MAX, 0, false, false, false},
147 {S16_MAX, 0, S16_MAX, S16_MAX, 0, false, false, false},
148 {0, S16_MIN, S16_MIN, S16_MIN, 0, false, true, false},
149 {S16_MIN, 0, S16_MIN, S16_MIN, 0, false, false, false},
150
151 {-1, S16_MIN, S16_MAX, S16_MAX, S16_MIN, true, false, true},
152 {S16_MIN, -1, S16_MAX, -S16_MAX, S16_MIN, true, false, true},
153 {-1, S16_MAX, S16_MAX-1, S16_MIN, -S16_MAX, false, false, false},
154 {S16_MAX, -1, S16_MAX-1, S16_MIN, -S16_MAX, false, true, false},
155 {-1, -S16_MAX, S16_MIN, S16_MAX-1, S16_MAX, false, false, false},
156 {-S16_MAX, -1, S16_MIN, S16_MIN+2, S16_MAX, false, false, false},
157
158 {1, S16_MIN, -S16_MAX, -S16_MAX, S16_MIN, false, true, false},
159 {S16_MIN, 1, -S16_MAX, S16_MAX, S16_MIN, false, true, false},
160 {1, S16_MAX, S16_MIN, S16_MIN+2, S16_MAX, true, false, false},
161 {S16_MAX, 1, S16_MIN, S16_MAX-1, S16_MAX, true, false, false},
162
163 {S16_MIN, S16_MIN, 0, 0, 0, true, false, true},
164 {S16_MAX, S16_MAX, -2, 0, 1, true, false, true},
165};
166DEFINE_TEST_ARRAY(s32) = {
167 {0, 0, 0, 0, 0, false, false, false},
168
169 {0, S32_MAX, S32_MAX, -S32_MAX, 0, false, false, false},
170 {S32_MAX, 0, S32_MAX, S32_MAX, 0, false, false, false},
171 {0, S32_MIN, S32_MIN, S32_MIN, 0, false, true, false},
172 {S32_MIN, 0, S32_MIN, S32_MIN, 0, false, false, false},
173
174 {-1, S32_MIN, S32_MAX, S32_MAX, S32_MIN, true, false, true},
175 {S32_MIN, -1, S32_MAX, -S32_MAX, S32_MIN, true, false, true},
176 {-1, S32_MAX, S32_MAX-1, S32_MIN, -S32_MAX, false, false, false},
177 {S32_MAX, -1, S32_MAX-1, S32_MIN, -S32_MAX, false, true, false},
178 {-1, -S32_MAX, S32_MIN, S32_MAX-1, S32_MAX, false, false, false},
179 {-S32_MAX, -1, S32_MIN, S32_MIN+2, S32_MAX, false, false, false},
180
181 {1, S32_MIN, -S32_MAX, -S32_MAX, S32_MIN, false, true, false},
182 {S32_MIN, 1, -S32_MAX, S32_MAX, S32_MIN, false, true, false},
183 {1, S32_MAX, S32_MIN, S32_MIN+2, S32_MAX, true, false, false},
184 {S32_MAX, 1, S32_MIN, S32_MAX-1, S32_MAX, true, false, false},
185
186 {S32_MIN, S32_MIN, 0, 0, 0, true, false, true},
187 {S32_MAX, S32_MAX, -2, 0, 1, true, false, true},
188};
189DEFINE_TEST_ARRAY(s64) = {
190 {0, 0, 0, 0, 0, false, false, false},
191
192 {0, S64_MAX, S64_MAX, -S64_MAX, 0, false, false, false},
193 {S64_MAX, 0, S64_MAX, S64_MAX, 0, false, false, false},
194 {0, S64_MIN, S64_MIN, S64_MIN, 0, false, true, false},
195 {S64_MIN, 0, S64_MIN, S64_MIN, 0, false, false, false},
196
197 {-1, S64_MIN, S64_MAX, S64_MAX, S64_MIN, true, false, true},
198 {S64_MIN, -1, S64_MAX, -S64_MAX, S64_MIN, true, false, true},
199 {-1, S64_MAX, S64_MAX-1, S64_MIN, -S64_MAX, false, false, false},
200 {S64_MAX, -1, S64_MAX-1, S64_MIN, -S64_MAX, false, true, false},
201 {-1, -S64_MAX, S64_MIN, S64_MAX-1, S64_MAX, false, false, false},
202 {-S64_MAX, -1, S64_MIN, S64_MIN+2, S64_MAX, false, false, false},
203
204 {1, S64_MIN, -S64_MAX, -S64_MAX, S64_MIN, false, true, false},
205 {S64_MIN, 1, -S64_MAX, S64_MAX, S64_MIN, false, true, false},
206 {1, S64_MAX, S64_MIN, S64_MIN+2, S64_MAX, true, false, false},
207 {S64_MAX, 1, S64_MIN, S64_MAX-1, S64_MAX, true, false, false},
208
209 {S64_MIN, S64_MIN, 0, 0, 0, true, false, true},
210 {S64_MAX, S64_MAX, -2, 0, 1, true, false, true},
211
212 {-1, -1, -2, 0, 1, false, false, false},
213 {-1, -128, -129, 127, 128, false, false, false},
214 {-128, -1, -129, -127, 128, false, false, false},
215 {0, -S64_MAX, -S64_MAX, S64_MAX, 0, false, false, false},
216};
217
218#define check_one_op(t, fmt, op, sym, a, b, r, of) do { \
219 t _r; \
220 bool _of; \
221 \
222 _of = check_ ## op ## _overflow(a, b, &_r); \
223 if (_of != of) { \
224 pr_warn("expected "fmt" "sym" "fmt \
225 " to%s overflow (type %s)\n", \
226 a, b, of ? "" : " not", #t); \
227 err = 1; \
228 } \
229 if (_r != r) { \
230 pr_warn("expected "fmt" "sym" "fmt" == " \
231 fmt", got "fmt" (type %s)\n", \
232 a, b, r, _r, #t); \
233 err = 1; \
234 } \
235} while (0)
236
237#define DEFINE_TEST_FUNC(t, fmt) \
238static int __init do_test_ ## t(const struct test_ ## t *p) \
239{ \
240 int err = 0; \
241 \
242 check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \
243 check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \
244 check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \
245 check_one_op(t, fmt, mul, "*", p->a, p->b, p->prod, p->p_of); \
246 check_one_op(t, fmt, mul, "*", p->b, p->a, p->prod, p->p_of); \
247 \
248 return err; \
249} \
250 \
251static int __init test_ ## t ## _overflow(void) { \
252 int err = 0; \
253 unsigned i; \
254 \
255 pr_info("%-3s: %zu tests\n", #t, ARRAY_SIZE(t ## _tests)); \
256 for (i = 0; i < ARRAY_SIZE(t ## _tests); ++i) \
257 err |= do_test_ ## t(&t ## _tests[i]); \
258 return err; \
259}
260
261DEFINE_TEST_FUNC(u8, "%d");
262DEFINE_TEST_FUNC(s8, "%d");
263DEFINE_TEST_FUNC(u16, "%d");
264DEFINE_TEST_FUNC(s16, "%d");
265DEFINE_TEST_FUNC(u32, "%u");
266DEFINE_TEST_FUNC(s32, "%d");
267#if BITS_PER_LONG == 64
268DEFINE_TEST_FUNC(u64, "%llu");
269DEFINE_TEST_FUNC(s64, "%lld");
270#endif
271
272static int __init test_overflow_calculation(void)
273{
274 int err = 0;
275
276 err |= test_u8_overflow();
277 err |= test_s8_overflow();
278 err |= test_u16_overflow();
279 err |= test_s16_overflow();
280 err |= test_u32_overflow();
281 err |= test_s32_overflow();
282#if BITS_PER_LONG == 64
283 err |= test_u64_overflow();
284 err |= test_s64_overflow();
285#endif
286
287 return err;
288}
289
290/*
291 * Deal with the various forms of allocator arguments. See comments above
292 * the DEFINE_TEST_ALLOC() instances for mapping of the "bits".
293 */
294#define alloc010(alloc, arg, sz) alloc(sz, GFP_KERNEL)
295#define alloc011(alloc, arg, sz) alloc(sz, GFP_KERNEL, NUMA_NO_NODE)
296#define alloc000(alloc, arg, sz) alloc(sz)
297#define alloc001(alloc, arg, sz) alloc(sz, NUMA_NO_NODE)
298#define alloc110(alloc, arg, sz) alloc(arg, sz, GFP_KERNEL)
299#define free0(free, arg, ptr) free(ptr)
300#define free1(free, arg, ptr) free(arg, ptr)
301
302/* Wrap around to 8K */
303#define TEST_SIZE (9 << PAGE_SHIFT)
304
305#define DEFINE_TEST_ALLOC(func, free_func, want_arg, want_gfp, want_node)\
306static int __init test_ ## func (void *arg) \
307{ \
308 volatile size_t a = TEST_SIZE; \
309 volatile size_t b = (SIZE_MAX / TEST_SIZE) + 1; \
310 void *ptr; \
311 \
312 /* Tiny allocation test. */ \
313 ptr = alloc ## want_arg ## want_gfp ## want_node (func, arg, 1);\
314 if (!ptr) { \
315 pr_warn(#func " failed regular allocation?!\n"); \
316 return 1; \
317 } \
318 free ## want_arg (free_func, arg, ptr); \
319 \
320 /* Wrapped allocation test. */ \
321 ptr = alloc ## want_arg ## want_gfp ## want_node (func, arg, \
322 a * b); \
323 if (!ptr) { \
324 pr_warn(#func " unexpectedly failed bad wrapping?!\n"); \
325 return 1; \
326 } \
327 free ## want_arg (free_func, arg, ptr); \
328 \
329 /* Saturated allocation test. */ \
330 ptr = alloc ## want_arg ## want_gfp ## want_node (func, arg, \
331 array_size(a, b)); \
332 if (ptr) { \
333 pr_warn(#func " missed saturation!\n"); \
334 free ## want_arg (free_func, arg, ptr); \
335 return 1; \
336 } \
337 pr_info(#func " detected saturation\n"); \
338 return 0; \
339}
340
341/*
342 * Allocator uses a trailing node argument --------+ (e.g. kmalloc_node())
343 * Allocator uses the gfp_t argument -----------+ | (e.g. kmalloc())
344 * Allocator uses a special leading argument + | | (e.g. devm_kmalloc())
345 * | | |
346 */
347DEFINE_TEST_ALLOC(kmalloc, kfree, 0, 1, 0);
348DEFINE_TEST_ALLOC(kmalloc_node, kfree, 0, 1, 1);
349DEFINE_TEST_ALLOC(kzalloc, kfree, 0, 1, 0);
350DEFINE_TEST_ALLOC(kzalloc_node, kfree, 0, 1, 1);
351DEFINE_TEST_ALLOC(vmalloc, vfree, 0, 0, 0);
352DEFINE_TEST_ALLOC(vmalloc_node, vfree, 0, 0, 1);
353DEFINE_TEST_ALLOC(vzalloc, vfree, 0, 0, 0);
354DEFINE_TEST_ALLOC(vzalloc_node, vfree, 0, 0, 1);
355DEFINE_TEST_ALLOC(kvmalloc, kvfree, 0, 1, 0);
356DEFINE_TEST_ALLOC(kvmalloc_node, kvfree, 0, 1, 1);
357DEFINE_TEST_ALLOC(kvzalloc, kvfree, 0, 1, 0);
358DEFINE_TEST_ALLOC(kvzalloc_node, kvfree, 0, 1, 1);
359DEFINE_TEST_ALLOC(devm_kmalloc, devm_kfree, 1, 1, 0);
360DEFINE_TEST_ALLOC(devm_kzalloc, devm_kfree, 1, 1, 0);
361
362static int __init test_overflow_allocation(void)
363{
364 const char device_name[] = "overflow-test";
365 struct device *dev;
366 int err = 0;
367
368 /* Create dummy device for devm_kmalloc()-family tests. */
369 dev = root_device_register(device_name);
370 if (!dev) {
371 pr_warn("Cannot register test device\n");
372 return 1;
373 }
374
375 err |= test_kmalloc(NULL);
376 err |= test_kmalloc_node(NULL);
377 err |= test_kzalloc(NULL);
378 err |= test_kzalloc_node(NULL);
379 err |= test_kvmalloc(NULL);
380 err |= test_kvmalloc_node(NULL);
381 err |= test_kvzalloc(NULL);
382 err |= test_kvzalloc_node(NULL);
383 err |= test_vmalloc(NULL);
384 err |= test_vmalloc_node(NULL);
385 err |= test_vzalloc(NULL);
386 err |= test_vzalloc_node(NULL);
387 err |= test_devm_kmalloc(dev);
388 err |= test_devm_kzalloc(dev);
389
390 device_unregister(dev);
391
392 return err;
393}
394
395static int __init test_module_init(void)
396{
397 int err = 0;
398
399 err |= test_overflow_calculation();
400 err |= test_overflow_allocation();
401
402 if (err) {
403 pr_warn("FAIL!\n");
404 err = -EINVAL;
405 } else {
406 pr_info("all tests passed\n");
407 }
408
409 return err;
410}
411
412static void __exit test_module_exit(void)
413{ }
414
415module_init(test_module_init);
416module_exit(test_module_exit);
417MODULE_LICENSE("Dual MIT/GPL");
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 21ac6e3b96bb..d7a7a2330ef7 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -62,7 +62,7 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
62 62
63 if (num_mon > CEPH_MAX_MON) 63 if (num_mon > CEPH_MAX_MON)
64 goto bad; 64 goto bad;
65 m = kmalloc(sizeof(*m) + sizeof(m->mon_inst[0])*num_mon, GFP_NOFS); 65 m = kmalloc(struct_size(m, mon_inst, num_mon), GFP_NOFS);
66 if (m == NULL) 66 if (m == NULL)
67 return ERR_PTR(-ENOMEM); 67 return ERR_PTR(-ENOMEM);
68 m->fsid = fsid; 68 m->fsid = fsid;
@@ -1000,8 +1000,7 @@ static int build_initial_monmap(struct ceph_mon_client *monc)
1000 int i; 1000 int i;
1001 1001
1002 /* build initial monmap */ 1002 /* build initial monmap */
1003 monc->monmap = kzalloc(sizeof(*monc->monmap) + 1003 monc->monmap = kzalloc(struct_size(monc->monmap, mon_inst, num_mon),
1004 num_mon*sizeof(monc->monmap->mon_inst[0]),
1005 GFP_KERNEL); 1004 GFP_KERNEL);
1006 if (!monc->monmap) 1005 if (!monc->monmap)
1007 return -ENOMEM; 1006 return -ENOMEM;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index d2667e5dddc3..69a2581ddbba 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -584,8 +584,7 @@ struct ceph_osd_request *ceph_osdc_alloc_request(struct ceph_osd_client *osdc,
584 req = kmem_cache_alloc(ceph_osd_request_cache, gfp_flags); 584 req = kmem_cache_alloc(ceph_osd_request_cache, gfp_flags);
585 } else { 585 } else {
586 BUG_ON(num_ops > CEPH_OSD_MAX_OPS); 586 BUG_ON(num_ops > CEPH_OSD_MAX_OPS);
587 req = kmalloc(sizeof(*req) + num_ops * sizeof(req->r_ops[0]), 587 req = kmalloc(struct_size(req, r_ops, num_ops), gfp_flags);
588 gfp_flags);
589 } 588 }
590 if (unlikely(!req)) 589 if (unlikely(!req))
591 return NULL; 590 return NULL;
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 9bbfc17ce3ec..07085c22b19c 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -184,8 +184,7 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
184 } 184 }
185 185
186 nstamps_max += 1; 186 nstamps_max += 1;
187 e = kmalloc(sizeof(*e) + sizeof(e->stamps[0]) * nstamps_max, 187 e = kmalloc(struct_size(e, stamps, nstamps_max), GFP_ATOMIC);
188 GFP_ATOMIC);
189 if (e == NULL) 188 if (e == NULL)
190 return NULL; 189 return NULL;
191 memcpy(&e->addr, addr, sizeof(e->addr)); 190 memcpy(&e->addr, addr, sizeof(e->addr));
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index e2f5a3ee41a7..40c7eb941bc9 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -73,8 +73,8 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
73 * variables. There are arrays that we encode directly 73 * variables. There are arrays that we encode directly
74 * into parameters to make the rest of the operations easier. 74 * into parameters to make the rest of the operations easier.
75 */ 75 */
76 auth_hmacs = kzalloc(sizeof(*auth_hmacs) + 76 auth_hmacs = kzalloc(struct_size(auth_hmacs, hmac_ids,
77 sizeof(__u16) * SCTP_AUTH_NUM_HMACS, gfp); 77 SCTP_AUTH_NUM_HMACS), gfp);
78 if (!auth_hmacs) 78 if (!auth_hmacs)
79 goto nomem; 79 goto nomem;
80 80
diff --git a/sound/core/vmaster.c b/sound/core/vmaster.c
index 58fa3f94722a..fd99d8abe2af 100644
--- a/sound/core/vmaster.c
+++ b/sound/core/vmaster.c
@@ -259,8 +259,8 @@ int _snd_ctl_add_slave(struct snd_kcontrol *master, struct snd_kcontrol *slave,
259 struct link_master *master_link = snd_kcontrol_chip(master); 259 struct link_master *master_link = snd_kcontrol_chip(master);
260 struct link_slave *srec; 260 struct link_slave *srec;
261 261
262 srec = kzalloc(sizeof(*srec) + 262 srec = kzalloc(struct_size(srec, slave.vd, slave->count),
263 slave->count * sizeof(*slave->vd), GFP_KERNEL); 263 GFP_KERNEL);
264 if (!srec) 264 if (!srec)
265 return -ENOMEM; 265 return -ENOMEM;
266 srec->kctl = slave; 266 srec->kctl = slave;
diff --git a/sound/soc/qcom/apq8016_sbc.c b/sound/soc/qcom/apq8016_sbc.c
index 704428735e3c..1dd23bba1bed 100644
--- a/sound/soc/qcom/apq8016_sbc.c
+++ b/sound/soc/qcom/apq8016_sbc.c
@@ -147,7 +147,8 @@ static struct apq8016_sbc_data *apq8016_sbc_parse_of(struct snd_soc_card *card)
147 num_links = of_get_child_count(node); 147 num_links = of_get_child_count(node);
148 148
149 /* Allocate the private data and the DAI link array */ 149 /* Allocate the private data and the DAI link array */
150 data = devm_kzalloc(dev, sizeof(*data) + sizeof(*link) * num_links, 150 data = devm_kzalloc(dev,
151 struct_size(data, dai_link, num_links),
151 GFP_KERNEL); 152 GFP_KERNEL);
152 if (!data) 153 if (!data)
153 return ERR_PTR(-ENOMEM); 154 return ERR_PTR(-ENOMEM);
diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c
index 36a39ba30226..255cad43a972 100644
--- a/sound/soc/soc-dapm.c
+++ b/sound/soc/soc-dapm.c
@@ -1086,7 +1086,7 @@ static int dapm_widget_list_create(struct snd_soc_dapm_widget_list **list,
1086 list_for_each(it, widgets) 1086 list_for_each(it, widgets)
1087 size++; 1087 size++;
1088 1088
1089 *list = kzalloc(sizeof(**list) + size * sizeof(*w), GFP_KERNEL); 1089 *list = kzalloc(struct_size(*list, widgets, size), GFP_KERNEL);
1090 if (*list == NULL) 1090 if (*list == NULL)
1091 return -ENOMEM; 1091 return -ENOMEM;
1092 1092
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-11 12:10:44 -0400