From patchwork Wed May 2 22:21:38 2018
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 10376731
Date: Wed, 2 May 2018 15:21:38 -0700
From: Kees Cook
To: "Martin K. Petersen"
Cc: Adaptec OEM Raid Solutions, "James E.J. Bottomley", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] scsi: dpt_i2o: Remove VLA usage
Message-ID: <20180502222138.GA22088@beast>
X-Mailing-List: linux-scsi@vger.kernel.org

On the quest to remove all VLAs from the kernel[1] this moves the sg_list variable off the stack, as already done for other allocated buffers in adpt_i2o_passthru(). Additionally consolidates the error path for kfree().

[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

Signed-off-by: Kees Cook --- drivers/scsi/dpt_i2o.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/drivers/scsi/dpt_i2o.c b/drivers/scsi/dpt_i2o.c index 5ceea8da7bb6..37de8fb186d7 100644 --- a/drivers/scsi/dpt_i2o.c +++ b/drivers/scsi/dpt_i2o.c @@ -1706,7 +1706,7 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) u32 reply_size = 0; u32 __user *user_msg = arg; u32 __user * user_reply = NULL; - void *sg_list[pHba->sg_tablesize]; + void **sg_list = NULL; u32 sg_offset = 0; u32 sg_count = 0; int sg_index = 0; @@ -1748,19 +1748,23 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) msg[2] = 0x40000000; // IOCTL context msg[3] = adpt_ioctl_to_context(pHba, reply); if (msg[3] == (u32)-1) { - kfree(reply); - return -EBUSY; + rcode = -EBUSY; + goto free; } - memset(sg_list,0, sizeof(sg_list[0])*pHba->sg_tablesize); + sg_list = kcalloc(pHba->sg_tablesize, sizeof(*sg_list), GFP_KERNEL); + if (!sg_list) { + rcode = -ENOMEM; + goto free; + } if(sg_offset) { // TODO add 64 bit API struct sg_simple_element *sg = (struct sg_simple_element*) (msg+sg_offset); sg_count = (size - sg_offset*4) / sizeof(struct sg_simple_element); if (sg_count > pHba->sg_tablesize){ printk(KERN_DEBUG"%s:IOCTL SG List too large (%u)\n", pHba->name,sg_count); - kfree (reply); - return -EINVAL; + rcode = -EINVAL; + goto free; } for(i = 0; i < sg_count; i++) { @@ -1879,7 +1883,6 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) if (rcode != -ETIME && rcode != -EINTR) { struct sg_simple_element *sg = (struct sg_simple_element*) (msg +sg_offset); - kfree (reply); while(sg_index) { if(sg_list[--sg_index]) { dma_free_coherent(&pHba->pDev->dev, @@ -1889,6 +1892,10 @@ static int adpt_i2o_passthru(adpt_hba* pHba, u32 __user *arg) } } } + +free: + kfree(sg_list); + kfree(reply); return rcode; }
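
Review bot: In the @@ -1748 hunk, the kcalloc() for sg_list sits after `msg[3] = adpt_ioctl_to_context(pHba, reply);`, so the new -ENOMEM exit frees reply once a context has already been returned for it. Moving the allocation above the adpt_ioctl_to_context() call would let an allocation failure bail out before any context refers to reply. The -EINVAL exit a few lines further down has the same ordering after this change, so it is worth stating in the commit message whether that is intended.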
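
Review bot: With the `free:` label in the last hunk, `kfree(reply)` now runs for every return code, whereas the copy removed in the @@ -1879 hunk sat inside `if (rcode != -ETIME && rcode != -EINTR)` and was skipped for those two codes. That same condition still guards the dma_free_coherent() loop, which suggests the buffers are deliberately left alone when the request timed out or was interrupted; if reply was being kept for the same reason, freeing it here risks a use-after-free. Either keep `kfree(reply)` under the existing condition and free only sg_list unconditionally, or explain in the commit message why releasing reply on -ETIME and -EINTR is safe, since the message currently describes this only as consolidating the error path.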