diff mbox series

[next] scsi: target: tcmu: Use struct_size() helper in kmalloc()

Message ID 20210927224344.GA190701@embeddedor (mailing list archive)
State Mainlined
Commit c20bda341946c8ee77baec3bec7c5cd615ddf869
Series [next] scsi: target: tcmu: Use struct_size() helper in kmalloc()

Commit Message

Gustavo A. R. Silva Sept. 27, 2021, 10:43 p.m. UTC
Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows
that, in the worst scenario, could lead to heap overflows.

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
 drivers/target/target_core_user.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
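
The failure mode named in the commit message, as an added example that is not part of the patch or the kernel source: a userspace model comparing the open-coded size computation with a saturating one. `struct tmr_model` and the three helpers are constructed for illustration, and the saturation to `SIZE_MAX` models the overflow behaviour of struct_size() with compiler builtins rather than the kernel's own macros.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in: a header followed by a flexible array of 16-bit
 * ids. This is NOT the kernel's struct tcmu_tmr. */
struct tmr_model {
	uint8_t  type;
	uint32_t id_cnt;
	uint16_t ids[];
};

/* Open-coded form: the multiply and the add can both wrap silently. */
static size_t open_coded_size(size_t cnt)
{
	return sizeof(struct tmr_model) + cnt * sizeof(uint16_t);
}

/* Model of a saturating size helper: on overflow the result is SIZE_MAX,
 * a request no allocator can satisfy, so the NULL check catches it. */
static size_t saturating_size(size_t cnt)
{
	size_t bytes;

	if (__builtin_mul_overflow(cnt, sizeof(uint16_t), &bytes) ||
	    __builtin_add_overflow(bytes, sizeof(struct tmr_model), &bytes))
		return SIZE_MAX;
	return bytes;
}

/* 1 if an allocation of `size` bytes could succeed yet hold fewer than
 * `cnt` ids, which is the precondition for a heap overflow. */
static int under_allocates(size_t size, size_t cnt)
{
	if (size == SIZE_MAX)
		return 0;	/* allocation fails cleanly */
	if (size < sizeof(struct tmr_model))
		return 1;	/* wrapped below the header size */
	return (size - sizeof(struct tmr_model)) / sizeof(uint16_t) < cnt;
}

int main(void)
{
	size_t cnt = SIZE_MAX / 2 + 1;	/* constructed count that wraps */

	printf("open-coded: %zu bytes, under-allocates=%d\n",
	       open_coded_size(cnt), under_allocates(open_coded_size(cnt), cnt));
	printf("saturating: %zu bytes, under-allocates=%d\n",
	       saturating_size(cnt), under_allocates(saturating_size(cnt), cnt));
	return 0;
}
```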

Comments

Bodo Stroesser Sept. 29, 2021, 5:35 p.m. UTC | #1
On 28.09.21 00:43, Gustavo A. R. Silva wrote:
> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
> 
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
>   drivers/target/target_core_user.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
> index 9f552f48084c..dc220fad06fa 100644
> --- a/drivers/target/target_core_user.c
> +++ b/drivers/target/target_core_user.c
> @@ -1255,7 +1255,6 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
>   {
>   	int i = 0, cmd_cnt = 0;
>   	bool unqueued = false;
> -	uint16_t *cmd_ids = NULL;
>   	struct tcmu_cmd *cmd;
>   	struct se_cmd *se_cmd;
>   	struct tcmu_tmr *tmr;
> @@ -1292,7 +1291,7 @@ tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
>   	pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
>   		 tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
>   
> -	tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
> +	tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
>   	if (!tmr)
>   		goto unlock;
>   
> 
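
Review bot: in the kmalloc() line, the element size is no longer `sizeof(*cmd_ids)`, i.e. `sizeof(uint16_t)`, but whatever the element type of `tmr->tmr_cmd_ids` is. The definition of struct tcmu_tmr is not part of this diff, so it is worth confirming, and stating in the commit message, that tmr_cmd_ids is a flexible array of 16-bit ids, so that the allocated size is unchanged for counts that do not overflow.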

Looks good. Thank you.

Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>

Martin K. Petersen Oct. 12, 2021, 8:35 p.m. UTC | #2
On Mon, 27 Sep 2021 17:43:44 -0500, Gustavo A. R. Silva wrote:

> Make use of the struct_size() helper instead of an open-coded version,
> in order to avoid any potential type mistakes or integer overflows
> that, in the worst scenario, could lead to heap overflows.
> 
> 

Applied to 5.16/scsi-queue, thanks!

[1/1] scsi: target: tcmu: Use struct_size() helper in kmalloc()
      https://git.kernel.org/mkp/scsi/c/c20bda341946

Patch

diff --git a/drivers/target/target_core_user.c b/drivers/target/target_core_user.c
index 9f552f48084c..dc220fad06fa 100644
--- a/drivers/target/target_core_user.c
+++ b/drivers/target/target_core_user.c
@@ -1255,7 +1255,6 @@  tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
 {
 	int i = 0, cmd_cnt = 0;
 	bool unqueued = false;
-	uint16_t *cmd_ids = NULL;
 	struct tcmu_cmd *cmd;
 	struct se_cmd *se_cmd;
 	struct tcmu_tmr *tmr;
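
Review bot: dropping `uint16_t *cmd_ids = NULL;` is only correct if its sole use in tcmu_tmr_notify() was the `sizeof(*cmd_ids)` in the kmalloc() size expression that the next hunk rewrites, and the lines between the two hunks are not shown here. The commit message does not mention the removal; a sentence saying the pointer existed only for that sizeof and is now unused would save readers checking.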
@@ -1292,7 +1291,7 @@  tcmu_tmr_notify(struct se_device *se_dev, enum tcm_tmreq_table tmf,
 	pr_debug("TMR event %d on dev %s, aborted cmds %d, afflicted cmd_ids %d\n",
 		 tcmu_tmr_type(tmf), udev->name, i, cmd_cnt);
 
-	tmr = kmalloc(sizeof(*tmr) + cmd_cnt * sizeof(*cmd_ids), GFP_NOIO);
+	tmr = kmalloc(struct_size(tmr, tmr_cmd_ids, cmd_cnt), GFP_NOIO);
 	if (!tmr)
 		goto unlock;
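
Review bot: the count passed to struct_size() is `cmd_cnt`, which the first hunk's context line `int i = 0, cmd_cnt = 0;` shows is a signed int. The helper treats its count as a size, so a negative value would be converted to a very large one; nothing in the visible lines suggests cmd_cnt goes negative, but declaring it with an unsigned type (the pr_debug format would then need `%u`) would make the intent explicit. The existing `if (!tmr) goto unlock;` already handles a size that cannot be allocated.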