* [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
@ 2021-09-27 22:43 Gustavo A. R. Silva
2021-09-29 17:35 ` Bodo Stroesser
2021-10-12 20:35 ` Martin K. Petersen
0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2021-09-27 22:43 UTC (permalink / raw)
To: Bodo Stroesser, Martin K. Petersen
Cc: linux-scsi, target-devel, linux-kernel, Gustavo A. R. Silva,
linux-hardening
Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows
that, in the worst scenario, could lead to heap overflows.
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
drivers/target/target_core_user.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 9f552f48084c..dc220fad06fa 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1255,7 +1255,6 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
{
int i = 0, cmd_cnt = 0;
bool unqueued = false;
- uint16_t *cmd_ids = NULL;
struct tcmu_cmd *cmd;
struct se_cmd *se_cmd;
struct tcmu_tmr *tmr;
@@ -1292,7 +1291,7 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
- tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
+ tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
if (!tmr)
goto unlock;
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
2021-09-27 22:43 [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc() Gustavo A. R. Silva
@ 2021-09-29 17:35 ` Bodo Stroesser
2021-10-12 20:35 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Bodo Stroesser @ 2021-09-29 17:35 UTC (permalink / raw)
To: Gustavo A. R. Silva, Martin K. Petersen
Cc: linux-scsi, target-devel, linux-kernel, linux-hardening
On 28.09.21 00:43, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
>
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/target/target_core_user.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 9f552f48084c..dc220fad06fa 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -1255,7 +1255,6 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
> {
> int i = 0, cmd_cnt = 0;
> bool unqueued = false;
> - uint16_t *cmd_ids = NULL;
> struct tcmu_cmd *cmd;
> struct se_cmd *se_cmd;
> struct tcmu_tmr *tmr;
> @@ -1292,7 +1291,7 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
> pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
> tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
>
> - tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
> + tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
> if (!tmr)
> goto unlock;
>
>
Looks good. Thank you.
Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc()
2021-09-27 22:43 [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc() Gustavo A. R. Silva
2021-09-29 17:35 ` Bodo Stroesser
@ 2021-10-12 20:35 ` Martin K. Petersen
1 sibling, 0 replies; 3+ messages in thread
From: Martin K. Petersen @ 2021-10-12 20:35 UTC (permalink / raw)
To: Gustavo A. R. Silva, Bodo Stroesser
Cc: Martin K . Petersen, target-devel, linux-scsi, linux-kernel,
linux-hardening
On Mon, 27 Sep 2021 17:43:44 -0500, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
>
>
Applied to 5.16/scsi-queue, thanks!
[1/1] scsi: target: tcmu: Use struct_size() helper in kmalloc()
https://git.kernel.org/mkp/scsi/c/c20bda341946
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-12 20:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-27 22:43 [PATCH][next] scsi: target: tcmu: Use struct_size() helper in kmalloc() Gustavo A. R. Silva
2021-09-29 17:35 ` Bodo Stroesser
2021-10-12 20:35 ` Martin K. Petersen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).