Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3134451pxj; Mon, 17 May 2021 18:41:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxxb9nRgYFNFukOlMCwn5+Tr2eQplZHAoOnAZPOBm3FwXoA2o7U0Sl7ycV+sQfha+PjvCH2 X-Received: by 2002:a02:c85b:: with SMTP id r27mr2849509jao.43.1621302106051; Mon, 17 May 2021 18:41:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621302106; cv=none; d=google.com; s=arc-20160816; b=mdVc7SDP8EZaWTWrPtJT36O+2H8hslZj5Q7Effp5aEhxdi1Btf/iaDuqalcmFliDM+ Xtf/9tIuf65HIe+xpRhiWjy/molmGNmHVN9iyyq/9pX8nkxDypjLGM2pssGockUkpYAd K83SbwtlTqym1CW2EFMVbBltIffvi0Ma501dETW17iSvbi1itoAtz0VXEPfsO5/Pv+7f wopvV4sPjZj4TtSiX0tlmepYQHmnsGfmHNyjpngyiW25NXykceuJTol9QydFkMc7PK+6 wlODHF2HK4GtcsJIB3D7dWtOJSjMeI13mMu4nz5QfSd9eGJPHLbDjrx89b+tLWxCGDAh ggpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=KRRyr9hJosuzzS7qG5gZ+24zT5op0MrTPh9IdCtxA5M=; b=d8vpLLmKdROHiNHYCi1g4KwtheYDmakvv5RGdjB/fTxRJ4Lz3N9ab6LhdIhavvuL+B u8MEWZCxbfcCdDWbZZ2t+qQn/zIlRvkTS5Qxf9PYgnozNGOua0ypuLm4vqG9qrzRDU9B RoEyySSvs3rgpF2bYkHCyk45R2NGjIi94WV52H9oPQ/SCtUxKsCpEVL7XzDmrvyRhopV WynhjukpLx3LPGY4BoieVCqenypKZLOSn++1IujxL+hlVUzVwCU0C3L1zfCZVDFBuGct KhPmxYjZbk0uSMQ/TAhvKuosB1Wa+/m17neBdn75snuHypftEEmhl6AOKVxRN7NHTGpT d8+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bgQxJMWy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 17si9354437ilj.19.2021.05.17.18.41.33; Mon, 17 May 2021 18:41:46 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bgQxJMWy; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239308AbhEQOg1 (ORCPT + 99 others); Mon, 17 May 2021 10:36:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:43850 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235741AbhEQObv (ORCPT ); Mon, 17 May 2021 10:31:51 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C36B1613ED; Mon, 17 May 2021 14:15:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621260946; bh=0WFPPBJ9mm4YAuImocx6Z48TEVG4TPd96yLMMVLY/Gg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bgQxJMWyDfu3r+deCgfpV0ipgacgmnaQGcrbePIixA/mTC917peBV8yelH5vcDior WQIw4vGlMJDrbw63fjkTdX14Fqu48EYrr+3H3LbwnlhkhiM5kA+ER28ZvZFGL634DS vG4jVUVU5OscYzwLT3fNy14Lz1FsKNoBtc8/dbdY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Guangbin Huang , Huazhong Tan , "David S. Miller" , Sasha Levin Subject: [PATCH 5.11 040/329] net: hns3: remediate a potential overflow risk of bd_num_list Date: Mon, 17 May 2021 15:59:11 +0200 Message-Id: <20210517140303.401899315@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517140302.043055203@linuxfoundation.org> References: <20210517140302.043055203@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Guangbin Huang [ Upstream commit a2ee6fd28a190588e142ad8ea9d40069cd3c9f98 ] The array size of bd_num_list is a fixed value, it may have potential overflow risk when array size of hclge_dfx_bd_offset_list is greater than that fixed value. So modify bd_num_list as a pointer and allocate memory for it according to array size of hclge_dfx_bd_offset_list. Signed-off-by: Guangbin Huang Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- .../hisilicon/hns3/hns3pf/hclge_main.c | 27 ++++++++++++++----- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c index 67764d930435..1c13cf34ae9f 100644 --- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c +++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c @@ -11284,7 +11284,6 @@ static int hclge_get_64_bit_regs(struct hclge_dev *hdev, u32 regs_num, #define REG_LEN_PER_LINE (REG_NUM_PER_LINE * sizeof(u32)) #define REG_SEPARATOR_LINE 1 #define REG_NUM_REMAIN_MASK 3 -#define BD_LIST_MAX_NUM 30 int hclge_query_bd_num_cmd_send(struct hclge_dev *hdev, struct hclge_desc *desc) { @@ -11378,15 +11377,19 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) { u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); int data_len_per_desc, bd_num, i; - int bd_num_list[BD_LIST_MAX_NUM]; + int *bd_num_list; u32 data_len; int ret; + bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL); + if (!bd_num_list) + return -ENOMEM; + ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); if (ret) { dev_err(&hdev->pdev->dev, "Get dfx reg bd num fail, status is %d.\n", ret); - return ret; + goto out; } data_len_per_desc = sizeof_field(struct hclge_desc, data); @@ -11397,6 +11400,8 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) *len += (data_len / REG_LEN_PER_LINE + 1) * REG_LEN_PER_LINE; } +out: + kfree(bd_num_list); return ret; } @@ -11404,16 +11409,20 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) { u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); int bd_num, bd_num_max, buf_len, i; - int bd_num_list[BD_LIST_MAX_NUM]; struct hclge_desc *desc_src; + int *bd_num_list; u32 *reg = data; int ret; + bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL); + if (!bd_num_list) + return -ENOMEM; + ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); if (ret) { dev_err(&hdev->pdev->dev, "Get dfx reg bd num fail, status is %d.\n", ret); - return ret; + goto out; } bd_num_max = bd_num_list[0]; @@ -11422,8 +11431,10 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) buf_len = sizeof(*desc_src) * bd_num_max; desc_src = kzalloc(buf_len, GFP_KERNEL); - if (!desc_src) - return -ENOMEM; + if (!desc_src) { + ret = -ENOMEM; + goto out; + } for (i = 0; i < dfx_reg_type_num; i++) { bd_num = bd_num_list[i]; @@ -11439,6 +11450,8 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) } kfree(desc_src); +out: + kfree(bd_num_list); return ret; } -- 2.30.2