RDMA/hfi1: Use struct_size() and flex_array_size() helpers

Make use of the struct_size() and flex_array_size() helpers instead of
open-coded versions, in order to avoid any potential type mistakes or
integer overflows that, in the worse scenario, could lead to heap
overflows.

Link: https://lore.kernel.org/r/20210927225333.GA192634@embeddedor
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index 0c86e9d354f8ea2e6c1c6cb6ab84c8c952cd9b7f..186d3029126069b9f3184dc055831d5937e80429 100644 (file)
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
         * Allocate the node first so we can handle a potential
         * failure before we've programmed anything.
         */
-       node = kzalloc(sizeof(*node) + (sizeof(struct page *) * npages),
-                      GFP_KERNEL);
+       node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL);
        if (!node)
                return -ENOMEM;
 
@@ -713,7 +712,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
        node->dma_addr = phys;
        node->grp = grp;
        node->freed = false;
-       memcpy(node->pages, pages, sizeof(struct page *) * npages);
+       memcpy(node->pages, pages, flex_array_size(node, pages, npages));
 
        if (fd->use_mn) {
                ret = mmu_interval_notifier_insert(