Commit a2ee6fd2 authored by Guangbin Huang's avatar Guangbin Huang Committed by David S. Miller

net: hns3: remediate a potential overflow risk of bd_num_list

The array size of bd_num_list is a fixed value, it may have potential
overflow risk when array size of hclge_dfx_bd_offset_list is greater
than that fixed value. So modify bd_num_list as a pointer and allocate
memory for it according to array size of hclge_dfx_bd_offset_list.
Signed-off-by: default avatarGuangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 64ff58fa
...@@ -11930,7 +11930,6 @@ static int hclge_get_64_bit_regs(struct hclge_dev *hdev, u32 regs_num, ...@@ -11930,7 +11930,6 @@ static int hclge_get_64_bit_regs(struct hclge_dev *hdev, u32 regs_num,
#define REG_LEN_PER_LINE (REG_NUM_PER_LINE * sizeof(u32)) #define REG_LEN_PER_LINE (REG_NUM_PER_LINE * sizeof(u32))
#define REG_SEPARATOR_LINE 1 #define REG_SEPARATOR_LINE 1
#define REG_NUM_REMAIN_MASK 3 #define REG_NUM_REMAIN_MASK 3
#define BD_LIST_MAX_NUM 30
int hclge_query_bd_num_cmd_send(struct hclge_dev *hdev, struct hclge_desc *desc) int hclge_query_bd_num_cmd_send(struct hclge_dev *hdev, struct hclge_desc *desc)
{ {
...@@ -12024,15 +12023,19 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) ...@@ -12024,15 +12023,19 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len)
{ {
u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list);
int data_len_per_desc, bd_num, i; int data_len_per_desc, bd_num, i;
int bd_num_list[BD_LIST_MAX_NUM]; int *bd_num_list;
u32 data_len; u32 data_len;
int ret; int ret;
bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL);
if (!bd_num_list)
return -ENOMEM;
ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num);
if (ret) { if (ret) {
dev_err(&hdev->pdev->dev, dev_err(&hdev->pdev->dev,
"Get dfx reg bd num fail, status is %d.\n", ret); "Get dfx reg bd num fail, status is %d.\n", ret);
return ret; goto out;
} }
data_len_per_desc = sizeof_field(struct hclge_desc, data); data_len_per_desc = sizeof_field(struct hclge_desc, data);
...@@ -12043,6 +12046,8 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len) ...@@ -12043,6 +12046,8 @@ static int hclge_get_dfx_reg_len(struct hclge_dev *hdev, int *len)
*len += (data_len / REG_LEN_PER_LINE + 1) * REG_LEN_PER_LINE; *len += (data_len / REG_LEN_PER_LINE + 1) * REG_LEN_PER_LINE;
} }
out:
kfree(bd_num_list);
return ret; return ret;
} }
...@@ -12050,16 +12055,20 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) ...@@ -12050,16 +12055,20 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
{ {
u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list); u32 dfx_reg_type_num = ARRAY_SIZE(hclge_dfx_bd_offset_list);
int bd_num, bd_num_max, buf_len, i; int bd_num, bd_num_max, buf_len, i;
int bd_num_list[BD_LIST_MAX_NUM];
struct hclge_desc *desc_src; struct hclge_desc *desc_src;
int *bd_num_list;
u32 *reg = data; u32 *reg = data;
int ret; int ret;
bd_num_list = kcalloc(dfx_reg_type_num, sizeof(int), GFP_KERNEL);
if (!bd_num_list)
return -ENOMEM;
ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num); ret = hclge_get_dfx_reg_bd_num(hdev, bd_num_list, dfx_reg_type_num);
if (ret) { if (ret) {
dev_err(&hdev->pdev->dev, dev_err(&hdev->pdev->dev,
"Get dfx reg bd num fail, status is %d.\n", ret); "Get dfx reg bd num fail, status is %d.\n", ret);
return ret; goto out;
} }
bd_num_max = bd_num_list[0]; bd_num_max = bd_num_list[0];
...@@ -12068,8 +12077,10 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) ...@@ -12068,8 +12077,10 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
buf_len = sizeof(*desc_src) * bd_num_max; buf_len = sizeof(*desc_src) * bd_num_max;
desc_src = kzalloc(buf_len, GFP_KERNEL); desc_src = kzalloc(buf_len, GFP_KERNEL);
if (!desc_src) if (!desc_src) {
return -ENOMEM; ret = -ENOMEM;
goto out;
}
for (i = 0; i < dfx_reg_type_num; i++) { for (i = 0; i < dfx_reg_type_num; i++) {
bd_num = bd_num_list[i]; bd_num = bd_num_list[i];
...@@ -12085,6 +12096,8 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data) ...@@ -12085,6 +12096,8 @@ static int hclge_get_dfx_reg(struct hclge_dev *hdev, void *data)
} }
kfree(desc_src); kfree(desc_src);
out:
kfree(bd_num_list);
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment