Re: [PATCH] ipmi: ipmb: don't allocate i2c_client on stack

[Corey Minyard <minyard@acm.org>]

On Wed, Jun 19, 2019 at 02:50:34PM +0200, Arnd Bergmann wrote:
> The i2c_client structure can be fairly large, which leads to
> a warning about possible kernel stack overflow in some
> configurations:
> 
> drivers/char/ipmi/ipmb_dev_int.c:115:16: error: stack frame size of 1032 bytes in function 'ipmb_write' [-Werror,-Wframe-larger-than=]
> 
> There is no real reason to even declare an i2c_client, as we can simply
> call i2c_smbus_xfer() directly instead of the i2c_smbus_write_block_data()
> wrapper.
> 
> Convert the ipmb_write() to use an open-coded i2c_smbus_write_block_data()
> here, without changing the behavior.
> 
> It seems that there is another problem with this implementation;
> when user space passes a length of more than I2C_SMBUS_BLOCK_MAX
> bytes, all the rest is silently ignored. This should probably be
> addressed in a separate patch, but I don't know what the intended
> behavior is here.
> 
> Fixes: 51bd6f291583 ("Add support for IPMB driver")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>

I broke up the line with the call to i2c_smbus_xfer(), which was
longer than 80 characters, but that's it, it's in the IPMI next queue.

Thanks,

-corey

> ---
>  drivers/char/ipmi/ipmb_dev_int.c | 20 ++++++++++----------
>  1 file changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/char/ipmi/ipmb_dev_int.c b/drivers/char/ipmi/ipmb_dev_int.c
> index 2895abf72e61..c9724f6cf32d 100644
> --- a/drivers/char/ipmi/ipmb_dev_int.c
> +++ b/drivers/char/ipmi/ipmb_dev_int.c
> @@ -117,7 +117,7 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
>  {
>  	struct ipmb_dev *ipmb_dev = to_ipmb_dev(file);
>  	u8 rq_sa, netf_rq_lun, msg_len;
> -	struct i2c_client rq_client;
> +	union i2c_smbus_data data;
>  	u8 msg[MAX_MSG_LEN];
>  	ssize_t ret;
>  
> @@ -138,17 +138,17 @@ static ssize_t ipmb_write(struct file *file, const char __user *buf,
>  
>  	/*
>  	 * subtract rq_sa and netf_rq_lun from the length of the msg passed to
> -	 * i2c_smbus_write_block_data_local
> +	 * i2c_smbus_xfer
>  	 */
>  	msg_len = msg[IPMB_MSG_LEN_IDX] - SMBUS_MSG_HEADER_LENGTH;
> -
> -	strcpy(rq_client.name, "ipmb_requester");
> -	rq_client.adapter = ipmb_dev->client->adapter;
> -	rq_client.flags = ipmb_dev->client->flags;
> -	rq_client.addr = rq_sa;
> -
> -	ret = i2c_smbus_write_block_data(&rq_client, netf_rq_lun, msg_len,
> -					msg + SMBUS_MSG_IDX_OFFSET);
> +	if (msg_len > I2C_SMBUS_BLOCK_MAX)
> +		msg_len = I2C_SMBUS_BLOCK_MAX;
> +
> +	data.block[0] = msg_len;
> +	memcpy(&data.block[1], msg + SMBUS_MSG_IDX_OFFSET, msg_len);
> +	ret = i2c_smbus_xfer(ipmb_dev->client->adapter, rq_sa, ipmb_dev->client->flags,
> +			     I2C_SMBUS_WRITE, netf_rq_lun,
> +			     I2C_SMBUS_BLOCK_DATA, &data);
>  
>  	return ret ? : count;
>  }
> -- 
> 2.20.0
>