From: Rosen Penev Date: Sat, 23 May 2026 01:17:49 +0000 (-0700) Subject: ASoC: aw88395: use struct_size() and __counted_by() for aw_container X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36cf16513f9dfc6dc5eee7ed5ca5fd4f649e1f1a;p=thirdparty%2Flinux.git ASoC: aw88395: use struct_size() and __counted_by() for aw_container The firmware container allocations passed cont->size + sizeof(int) to kzalloc(), which was wrong: the struct contains an int len followed by a u8 data[] flexible array. It ended up being the same as the struct's size is only the int member but still wrong. Use the modern struct_size helper for this. Add __counted_by for extra runtime analysis. Assisted-by: Claude:Opus-4.7 Signed-off-by: Rosen Penev Link: https://patch.msgid.link/20260523011749.101555-1-rosenp@gmail.com Signed-off-by: Mark Brown --- diff --git a/sound/soc/codecs/aw88081.c b/sound/soc/codecs/aw88081.c index a5ba177a48df7..d5e886a8f1067 100644 --- a/sound/soc/codecs/aw88081.c +++ b/sound/soc/codecs/aw88081.c @@ -1137,6 +1137,7 @@ static int aw88081_dev_init(struct aw88081 *aw88081, struct aw_container *aw_cfg static int aw88081_request_firmware_file(struct aw88081 *aw88081) { const struct firmware *cont = NULL; + struct aw_container *aw_cfg; int ret; aw88081->aw_pa->fw_status = AW88081_DEV_FW_FAILED; @@ -1148,13 +1149,16 @@ static int aw88081_request_firmware_file(struct aw88081 *aw88081) dev_dbg(aw88081->aw_pa->dev, "loaded %s - size: %zu\n", AW88081_ACF_FILE, cont ? cont->size : 0); - aw88081->aw_cfg = devm_kzalloc(aw88081->aw_pa->dev, cont->size + sizeof(int), GFP_KERNEL); - if (!aw88081->aw_cfg) { + aw_cfg = devm_kzalloc(aw88081->aw_pa->dev, struct_size(aw_cfg, data, cont->size), GFP_KERNEL); + if (!aw_cfg) { release_firmware(cont); return -ENOMEM; } - aw88081->aw_cfg->len = (int)cont->size; - memcpy(aw88081->aw_cfg->data, cont->data, cont->size); + aw_cfg->len = (int)cont->size; + memcpy(aw_cfg->data, cont->data, cont->size); + + aw88081->aw_cfg = aw_cfg; + release_firmware(cont); ret = aw88395_dev_load_acf_check(aw88081->aw_pa, aw88081->aw_cfg); diff --git a/sound/soc/codecs/aw88261.c b/sound/soc/codecs/aw88261.c index 50521dd2ebb1f..02e5cb8fc9094 100644 --- a/sound/soc/codecs/aw88261.c +++ b/sound/soc/codecs/aw88261.c @@ -1094,6 +1094,7 @@ static int aw88261_dev_init(struct aw88261 *aw88261, struct aw_container *aw_cfg static int aw88261_request_firmware_file(struct aw88261 *aw88261) { const struct firmware *cont = NULL; + struct aw_container *aw_cfg; const char *fw_name; int ret; @@ -1111,15 +1112,17 @@ static int aw88261_request_firmware_file(struct aw88261 *aw88261) dev_info(aw88261->aw_pa->dev, "loaded %s - size: %zu\n", fw_name, cont ? cont->size : 0); - aw88261->aw_cfg = devm_kzalloc(aw88261->aw_pa->dev, cont->size + sizeof(int), GFP_KERNEL); - if (!aw88261->aw_cfg) { + aw_cfg = devm_kzalloc(aw88261->aw_pa->dev, struct_size(aw_cfg, data, cont->size), GFP_KERNEL); + if (!aw_cfg) { release_firmware(cont); return -ENOMEM; } - aw88261->aw_cfg->len = (int)cont->size; - memcpy(aw88261->aw_cfg->data, cont->data, cont->size); + aw_cfg->len = (int)cont->size; + memcpy(aw_cfg->data, cont->data, cont->size); release_firmware(cont); + aw88261->aw_cfg = aw_cfg; + ret = aw88395_dev_load_acf_check(aw88261->aw_pa, aw88261->aw_cfg); if (ret) { dev_err(aw88261->aw_pa->dev, "load [%s] failed !", fw_name); diff --git a/sound/soc/codecs/aw88395/aw88395.c b/sound/soc/codecs/aw88395/aw88395.c index 982d54f2f8a37..ee0e8bd8c54cc 100644 --- a/sound/soc/codecs/aw88395/aw88395.c +++ b/sound/soc/codecs/aw88395/aw88395.c @@ -462,6 +462,7 @@ static void aw88395_hw_reset(struct aw88395 *aw88395) static int aw88395_request_firmware_file(struct aw88395 *aw88395) { const struct firmware *cont = NULL; + struct aw_container *aw_cfg; int ret; aw88395->aw_pa->fw_status = AW88395_DEV_FW_FAILED; @@ -475,15 +476,17 @@ static int aw88395_request_firmware_file(struct aw88395 *aw88395) dev_info(aw88395->aw_pa->dev, "loaded %s - size: %zu\n", AW88395_ACF_FILE, cont ? cont->size : 0); - aw88395->aw_cfg = devm_kzalloc(aw88395->aw_pa->dev, cont->size + sizeof(int), GFP_KERNEL); - if (!aw88395->aw_cfg) { + aw_cfg = devm_kzalloc(aw88395->aw_pa->dev, struct_size(aw_cfg, data, cont->size), GFP_KERNEL); + if (!aw_cfg) { release_firmware(cont); return -ENOMEM; } - aw88395->aw_cfg->len = (int)cont->size; - memcpy(aw88395->aw_cfg->data, cont->data, cont->size); + aw_cfg->len = (int)cont->size; + memcpy(aw_cfg->data, cont->data, cont->size); release_firmware(cont); + aw88395->aw_cfg = aw_cfg; + ret = aw88395_dev_load_acf_check(aw88395->aw_pa, aw88395->aw_cfg); if (ret < 0) { dev_err(aw88395->aw_pa->dev, "Load [%s] failed ....!", AW88395_ACF_FILE); diff --git a/sound/soc/codecs/aw88395/aw88395_device.h b/sound/soc/codecs/aw88395/aw88395_device.h index 3626f222899d4..7b74eeb84c432 100644 --- a/sound/soc/codecs/aw88395/aw88395_device.h +++ b/sound/soc/codecs/aw88395/aw88395_device.h @@ -152,7 +152,7 @@ struct aw_cali_desc { struct aw_container { int len; - u8 data[]; + u8 data[] __counted_by(len); }; struct aw_device {