From patchwork Fri Mar 9 06:38:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tobin Harding X-Patchwork-Id: 10269773 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 045BA602BD for ; Fri, 9 Mar 2018 06:38:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E7988292E7 for ; Fri, 9 Mar 2018 06:38:47 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DC0E72931C; Fri, 9 Mar 2018 06:38:47 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from mother.openwall.net (mother.openwall.net [195.42.179.200]) by mail.wl.linuxfoundation.org (Postfix) with SMTP id F2CA4292E7 for ; Fri, 9 Mar 2018 06:38:46 +0000 (UTC) Received: (qmail 17438 invoked by uid 550); 9 Mar 2018 06:38:44 -0000 Mailing-List: contact kernel-hardening-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-ID: Delivered-To: mailing list kernel-hardening@lists.openwall.com Received: (qmail 16377 invoked from network); 9 Mar 2018 06:38:44 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobin.cc; h=cc :date:from:message-id:subject:to:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=HByXHgim8Vu72FJRyOxclLN29S5yL6DhR03cG3B4F /c=; b=ZtGpFyUp6PvrpTcwmllzN+z960kY78kUEnEEmGJhsk0QQwVwbyyO9fHUT bgk4TSMEAr81klkf2ku23yOdFtV2vDjx+qgPmuePx0NUFWwGfqF1UE3jNGhr3Zzb QgbXGbdpy7URoieOahHJOcKvQGbRtOlIvQPeFIDtxPSckthwtSQM2cXkhITzYa1y zazFkUkQwpiWMPlotDuz6UEYGBZM3/gl4ZmDB3V6gGsjsGiqExV00dR/aeXK9mET QwrWxSBlr8Ks0+94voAtGBGyW4paAOOhO0R3Iy8qXg2Zd5eu6yp51Y1932o8aNsf Obr0k3edSqfdXY6Km2J9wcCmQAO6g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:date:from:message-id:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=HByXHgim8Vu72FJRy OxclLN29S5yL6DhR03cG3B4F/c=; b=CyLvH3LXFLQ7NqtjcG0Za2Vlhcqe+QxZ5 559bmAmsIfdPL7XtaV6YuFPJVtzHaz/IXaZ95F2iwd+FK469NaAQ474Z2Sr2uS0n Ar0TnuoO2/yY6pksI8llyjet6DzuJwArxjY7HJVstRa3SGDJSW6EYEUlwkmpiI1G IM2fYGi8F/Hntqt00MJpwx8W4+VtgFyo+cyI+DbfJPsqcuoyqIedoeGAwX1+xZrZ 45pkntHbwze9ZH8VyTySTpYKS86qzNeTd3UsMvBSo+GyZIANkWXS6AqLVYjFBnSm Huhs9XE4iVdyIOchYBKEyv5nq6Y0hl6KVH1Po2fbwEmLuOnG0ITbQ== X-ME-Sender: From: "Tobin C. Harding" To: Kalle Valo Cc: "Tobin C. Harding" , kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, Tycho Andersen , Kees Cook , "Gustavo A. R. Silva" Subject: [PATCH] rsi: Remove stack VLA usage Date: Fri, 9 Mar 2018 17:38:13 +1100 Message-Id: <1520577493-24603-1-git-send-email-me@tobin.cc> X-Mailer: git-send-email 2.7.4 X-Virus-Scanned: ClamAV using ClamSMTP The kernel would like to have all stack VLA usage removed[1]. rsi uses a VLA based on 'blksize'. Elsewhere in the SDIO code maximum block size is defined using a magic number. We can use a pre-processor defined constant and declare the array to maximum size. We add a check before accessing the array in case of programmer error. [1]: https://lkml.org/lkml/2018/3/7/621 Signed-off-by: Tobin C. Harding --- drivers/net/wireless/rsi/rsi_91x_hal.c | 13 +++++++------ drivers/net/wireless/rsi/rsi_91x_sdio.c | 9 +++++++-- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c index 1176de646942..839ebdd602df 100644 --- a/drivers/net/wireless/rsi/rsi_91x_hal.c +++ b/drivers/net/wireless/rsi/rsi_91x_hal.c @@ -641,7 +641,7 @@ static int ping_pong_write(struct rsi_hw *adapter, u8 cmd, u8 *addr, u32 size) u32 cmd_addr; u16 cmd_resp, cmd_req; u8 *str; - int status; + int status, ret; if (cmd == PING_WRITE) { cmd_addr = PING_BUFFER_ADDRESS; @@ -655,12 +655,13 @@ static int ping_pong_write(struct rsi_hw *adapter, u8 cmd, u8 *addr, u32 size) str = "PONG_VALID"; } - status = hif_ops->load_data_master_write(adapter, cmd_addr, size, + ret = hif_ops->load_data_master_write(adapter, cmd_addr, size, block_size, addr); - if (status) { - rsi_dbg(ERR_ZONE, "%s: Unable to write blk at addr %0x\n", - __func__, *addr); - return status; + if (ret) { + if (ret != -EINVAL) + rsi_dbg(ERR_ZONE, "%s: Unable to write blk at addr %0x\n", + __func__, *addr); + return ret; } status = bl_cmd(adapter, cmd_req, cmd_resp, str); diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c index b0cf41195051..b766578b591a 100644 --- a/drivers/net/wireless/rsi/rsi_91x_sdio.c +++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c @@ -20,6 +20,8 @@ #include "rsi_common.h" #include "rsi_hal.h" +#define RSI_MAX_BLOCK_SIZE 256 + /** * rsi_sdio_set_cmd52_arg() - This function prepares cmd 52 read/write arg. * @rw: Read/write @@ -362,7 +364,7 @@ static int rsi_setblocklength(struct rsi_hw *adapter, u32 length) rsi_dbg(INIT_ZONE, "%s: Setting the block length\n", __func__); status = sdio_set_block_size(dev->pfunction, length); - dev->pfunction->max_blksize = 256; + dev->pfunction->max_blksize = RSI_MAX_BLOCK_SIZE; adapter->block_size = dev->pfunction->max_blksize; rsi_dbg(INFO_ZONE, @@ -567,9 +569,12 @@ static int rsi_sdio_load_data_master_write(struct rsi_hw *adapter, { u32 num_blocks, offset, i; u16 msb_address, lsb_address; - u8 temp_buf[block_size]; + u8 temp_buf[RSI_MAX_BLOCK_SIZE]; int status; + if (block_size > RSI_MAX_BLOCK_SIZE) + return -EINVAL; + num_blocks = instructions_sz / block_size; msb_address = base_address >> 16;