[PATCH kernel-4.19 17/73] net: hns3: remediate a potential overflow risk of bd_num_list

11 Sep 2021

From: Guangbin Huang huangguangbin2@huawei.com
mainline inclusion
from mainline-v5.13-rc1
commit a2ee6fd28a190588e142ad8ea9d40069cd3c9f98
category: bugfix
bugzilla: NA
CVE: NA
----------------------------
The array size of bd_num_list is a fixed value, it may have potential
overflow risk when array size of hclge_dfx_bd_offset_list is greater
than that fixed value. So modify bd_num_list as a pointer and allocate
memory for it according to array size of hclge_dfx_bd_offset_list.
Signed-off-by: Guangbin Huang huangguangbin2@huawei.com
Signed-off-by: Huazhong Tan tanhuazhong@huawei.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Yonglong Liu liuyonglong@huawei.com
Reviewed-by: Junxin Chen chenjunxin1@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 .../hisilicon/hns3/hns3pf/hclge_main.c        | 27 ++++++++++++++-----
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index a63d039b74267..943339f4bad60 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -11065,7 +11065,6 @@ static int hclge_get_64_bit_regs(struct hclge_dev *hdev, u32 regs_num,
 #define REG_LEN_PER_LINE	(REG_NUM_PER_LINE * sizeof(u32))
 #define REG_SEPARATOR_LINE	1
 #define REG_NUM_REMAIN_MASK	3
-#define BD_LIST_MAX_NUM		30
int hclge_query_bd_num_cmd_send(struct hclge_dev *hdev, struct hclge_desc *desc)
 {
@@ -11156,15 +11155,19 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len)
 {
    u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list);
    int data_len_per_desc, bd_num, i;
-	int bd_num_list[BD_LIST_MAX_NUM];
+	int *bd_num_list;
    u32 data_len;
    int ret;
+	bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL);
+	if (!bd_num_list)
+		return -ENOMEM;
+
    ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num);
    if (ret) {
    	dev_err(&hdev->pdev->dev,
    		"Get dfx reg bd num fail, status is %d.\n", ret);
-		return ret;
+		goto out;
    }
data_len_per_desc = FIELD_SIZEOF(struct hclge_desc, data);
@@ -11175,6 +11178,8 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len)
    	*len += (data_len / REG_LEN_PER_LINE + 1) * REG_LEN_PER_LINE;
    }
+out:
+	kfree(bd_num_list);
    return ret;
 }
@@ -11182,16 +11187,20 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
 {
    u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list);
    int bd_num, bd_num_max, buf_len, i;
-	int bd_num_list[BD_LIST_MAX_NUM];
    struct hclge_desc *desc_src;
+	int *bd_num_list;
    u32 *reg = data;
    int ret;
+	bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL);
+	if (!bd_num_list)
+		return -ENOMEM;
+
    ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num);
    if (ret) {
    	dev_err(&hdev->pdev->dev,
    		"Get dfx reg bd num fail, status is %d.\n", ret);
-		return ret;
+		goto out;
    }
bd_num_max = bd_num_list[0];
@@ -11200,8 +11209,10 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
buf_len = sizeof(*desc_src) * bd_num_max;
    desc_src = kzalloc(buf_len, GFP_KERNEL);
-	if (!desc_src)
-		return -ENOMEM;
+	if (!desc_src) {
+		ret = -ENOMEM;
+		goto out;
+	}
for (i = 0; i < dfx_reg_type_num; i++) {
    	bd_num = bd_num_list[i];
@@ -11217,6 +11228,8 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
    }
kfree(desc_src);
+out:
+	kfree(bd_num_list);
    return ret;
 }
-- 
2.25.1

    

2024

2023

2022

2021

2020

2019

[PATCH kernel-4.19 17/73] net: hns3: remediate a potential overflow risk of bd_num_list