From patchwork Mon Mar 12 01:43:42 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tobin Harding <me@tobin.cc>
X-Patchwork-Id: 10274983
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	39BB260211 for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 12 Mar 2018 01:44:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2A97328BA9
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 12 Mar 2018 01:44:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 1EAC428C0F; Mon, 12 Mar 2018 01:44:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU,
	RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C299C28BA9
	for <patchwork-linux-wireless@patchwork.kernel.org>;
	Mon, 12 Mar 2018 01:44:18 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932486AbeCLBoF (ORCPT
	<rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
	Sun, 11 Mar 2018 21:44:05 -0400
Received: from out2-smtp.messagingengine.com ([66.111.4.26]:42477 "EHLO
	out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S932419AbeCLBoE (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Sun, 11 Mar 2018 21:44:04 -0400
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45])
	by mailout.nyi.internal (Postfix) with ESMTP id BB9A9207B0;
	Sun, 11 Mar 2018 21:44:03 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
	by compute5.internal (MEProxy); Sun, 11 Mar 2018 21:44:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobin.cc; h=cc
	:date:from:message-id:subject:to:x-me-sender:x-me-sender
	:x-sasl-enc; s=fm2; bh=f7Qje+aVozVqfO83c+/uI0iBNECdFYN0FYeFBHIzH
	Ss=; b=gyn/LL2JGTCl1UfdFUKTfY2zN8fJ0IXM9hQi0E4aDim7+DeTIxVbGFZMJ
	nhB7GRdpGfVzbgDynzqKziIJ80QwsLZWSL4zEMxEGdNBuh/IBIdoxWpYa368kbes
	vrJY2v+QKz+Knsv7S7avDlL+JAkhxRTGCwSoQgOVKJA/rRh4nAQ6JqNqeEO1N5rJ
	pbNpU4uB8oX7OYg6UR/1fsJIAJ5SNVhP2F40x83r4CnI383Kwe7qKbtCMXo3wrsc
	J+DjrFDNGDUyWNu00yp/d/+9AkN7iRr0YdR8F9Y7EiAIh2BLPZi9SewyJzUlWqav
	OAqN4E0JnfPrd2p/ikoyPevS+LQNw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=cc:date:from:message-id:subject:to
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=f7Qje+aVozVqfO83c
	+/uI0iBNECdFYN0FYeFBHIzHSs=; b=TYoIALDAztwnwFNH6MFhN3fJ1V3V5bxRy
	Wr25/gCmuVSvHjNOyUfuRXOH5OBQFhXviNcunfh0G1iHWr8Cd+FhcFS8InHThtwp
	adWF9yPVv6YoeMzIADoQRHaPlRhG8KHTBHdT7wlGf/OdzS1efQ5YraYKsxydSxm9
	G0oCGhbP5bqsgXpXq5EBJVrzIRLrLorBXLFd/NufbZmILme8WMS7f4QOdakkGN/N
	xfMls/7JB3/gjtxTOvbA0ozzq7Wus5Cv8khdtKvVeQfUSKQCotIVk1LficArup9g
	WrtpN+kDppkZ8D1GvAg3Zi2Q03ep8MrT2OLaAXMgpXftESyoaNQBg==
X-ME-Sender: <xms:Y9ulWgzsHN9sal2d_SGaSAdNjKqRvhLSvF9xRJ8zA_tkowcmLiWztQ>
Received: from localhost (124-170-217-156.dyn.iinet.net.au [124.170.217.156])
	by mail.messagingengine.com (Postfix) with ESMTPA id 03D3E7E140;
	Sun, 11 Mar 2018 21:44:02 -0400 (EDT)
From: "Tobin C. Harding" <me@tobin.cc>
To: Kalle Valo <kvalo@codeaurora.org>
Cc: "Tobin C. Harding" <me@tobin.cc>,
	kernel-hardening@lists.openwall.com, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org, linux-wireless@vger.kernel.org,
	Tycho Andersen <tycho@tycho.ws>, Kees Cook <keescook@chromium.org>
Subject: [RESEND PATCH] rsi: Remove stack VLA usage
Date: Mon, 12 Mar 2018 12:43:42 +1100
Message-Id: <1520819022-15238-1-git-send-email-me@tobin.cc>
X-Mailer: git-send-email 2.7.4
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

The kernel would like to have all stack VLA usage removed[1].  rsi uses
a VLA based on 'blksize'.  Elsewhere in the SDIO code maximum block size
is defined using a magic number.  We can use a pre-processor defined
constant and declare the array to maximum size.  We add a check before
accessing the array in case of programmer error.

[1]: https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Tobin C. Harding <me@tobin.cc>
---

RESEND: add wireless mailing list to CC's (requested by Kalle)

 drivers/net/wireless/rsi/rsi_91x_hal.c  | 13 +++++++------
 drivers/net/wireless/rsi/rsi_91x_sdio.c |  9 +++++++--
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/rsi/rsi_91x_hal.c b/drivers/net/wireless/rsi/rsi_91x_hal.c
index 1176de646942..839ebdd602df 100644
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -641,7 +641,7 @@ static int ping_pong_write(struct rsi_hw *adapter, u8 cmd, u8 *addr, u32 size)
 	u32 cmd_addr;
 	u16 cmd_resp, cmd_req;
 	u8 *str;
-	int status;
+	int status, ret;
 
 	if (cmd == PING_WRITE) {
 		cmd_addr = PING_BUFFER_ADDRESS;
@@ -655,12 +655,13 @@ static int ping_pong_write(struct rsi_hw *adapter, u8 cmd, u8 *addr, u32 size)
 		str = "PONG_VALID";
 	}
 
-	status = hif_ops->load_data_master_write(adapter, cmd_addr, size,
+	ret = hif_ops->load_data_master_write(adapter, cmd_addr, size,
 					    block_size, addr);
-	if (status) {
-		rsi_dbg(ERR_ZONE, "%s: Unable to write blk at addr %0x\n",
-			__func__, *addr);
-		return status;
+	if (ret) {
+		if (ret != -EINVAL)
+			rsi_dbg(ERR_ZONE, "%s: Unable to write blk at addr %0x\n",
+				__func__, *addr);
+		return ret;
 	}
 
 	status = bl_cmd(adapter, cmd_req, cmd_resp, str);
diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c
index b0cf41195051..b766578b591a 100644
--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c
+++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c
@@ -20,6 +20,8 @@
 #include "rsi_common.h"
 #include "rsi_hal.h"
 
+#define RSI_MAX_BLOCK_SIZE 256
+
 /**
  * rsi_sdio_set_cmd52_arg() - This function prepares cmd 52 read/write arg.
  * @rw: Read/write
@@ -362,7 +364,7 @@ static int rsi_setblocklength(struct rsi_hw *adapter, u32 length)
 	rsi_dbg(INIT_ZONE, "%s: Setting the block length\n", __func__);
 
 	status = sdio_set_block_size(dev->pfunction, length);
-	dev->pfunction->max_blksize = 256;
+	dev->pfunction->max_blksize = RSI_MAX_BLOCK_SIZE;
 	adapter->block_size = dev->pfunction->max_blksize;
 
 	rsi_dbg(INFO_ZONE,
@@ -567,9 +569,12 @@ static int rsi_sdio_load_data_master_write(struct rsi_hw *adapter,
 {
 	u32 num_blocks, offset, i;
 	u16 msb_address, lsb_address;
-	u8 temp_buf[block_size];
+	u8 temp_buf[RSI_MAX_BLOCK_SIZE];
 	int status;
 
+	if (block_size > RSI_MAX_BLOCK_SIZE)
+		return -EINVAL;
+
 	num_blocks = instructions_sz / block_size;
 	msb_address = base_address >> 16;