From 09317b366f3c1bd53dd45178de097501f9ae0f4d Mon Sep 17 00:00:00 2001
From: Vincent Palomares
Date: Thu, 10 Nov 2022 18:11:23 -0800
Subject: [PATCH] pixel_em: Fixing off-by-one buffer allocation

This could result in a buffer overflow.

Bug: 258701539
Signed-off-by: Vincent Palomares
Change-Id: I5c7ce8431ee59457203bb6c6cea27e77ac103f89
---
 drivers/soc/google/vh/kernel/pixel_em/pixel_em.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/google/vh/kernel/pixel_em/pixel_em.c b/drivers/soc/google/vh/kernel/pixel_em/pixel_em.c
index 0864b70a75c3..5c9053b07b72 100644
--- a/drivers/soc/google/vh/kernel/pixel_em/pixel_em.c
+++ b/drivers/soc/google/vh/kernel/pixel_em/pixel_em.c
@@ -478,11 +478,12 @@ static struct pixel_em_profile *generate_default_em_profile(const char *name)
 if (!res->clusters)
 goto failed_clusters_allocation;
- res->cpu_to_cluster = kcalloc(pixel_em_max_cpu, sizeof(*res->cpu_to_cluster), GFP_KERNEL);
+ res->cpu_to_cluster = kcalloc(pixel_em_max_cpu + 1,
+ sizeof(*res->cpu_to_cluster),
+ GFP_KERNEL);
 if (!res->cpu_to_cluster)
 goto failed_cpu_to_cluster_allocation;
- cpumask_copy(&unmatched_cpus, cpu_possible_mask);
 while (!cpumask_empty(&unmatched_cpus)) {