"struct_size() + n" may cause a integer overflow,
use size_add() to handle it.

Signed-off-by: Li Qiong <liqiong@nfschina.com>
---
 drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
index c9e4aeb14f4a..3dec87e46e50 100644
--- a/drivers/gpu/drm/msm/msm_gem_submit.c
+++ b/drivers/gpu/drm/msm/msm_gem_submit.c
@@ -30,8 +30,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev,
 	uint64_t sz;
 	int ret;
 
-	sz = struct_size(submit, bos, nr_bos) +
-			((u64)nr_cmds * sizeof(submit->cmd[0]));
+	sz = size_add(struct_size(submit, bos, nr_bos),
+			((u64)nr_cmds * sizeof(submit->cmd[0])));
 
 	if (sz > SIZE_MAX)
 		return ERR_PTR(-ENOMEM);
-- 
2.11.0

在 2022年09月26日 17:23, Li Qiong 写道:
> "struct_size() + n" may cause a integer overflow,
> use size_add() to handle it.
>
> Signed-off-by: Li Qiong <liqiong@nfschina.com>
> ---
>  drivers/gpu/drm/msm/msm_gem_submit.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c
> index c9e4aeb14f4a..3dec87e46e50 100644
> --- a/drivers/gpu/drm/msm/msm_gem_submit.c
> +++ b/drivers/gpu/drm/msm/msm_gem_submit.c
> @@ -30,8 +30,8 @@ static struct msm_gem_submit *submit_create(struct drm_device *dev,
>  	uint64_t sz;
>  	int ret;
>  
> -	sz = struct_size(submit, bos, nr_bos) +
> -			((u64)nr_cmds * sizeof(submit->cmd[0]));
> +	sz = size_add(struct_size(submit, bos, nr_bos),
> +			((u64)nr_cmds * sizeof(submit->cmd[0])));
>  
>  	if (sz > SIZE_MAX)
>  		return ERR_PTR(-ENOMEM);

Sorry,  This patch a mistake, drop it ,  please.