From: Kees Cook <keescook@chromium.org>
To: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: aacraid@microsemi.com,
"James E.J. Bottomley" <jejb@linux.ibm.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>,
linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 08/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct sgmap
Date: Wed, 28 Jun 2023 13:36:38 -0700 [thread overview]
Message-ID: <202306281311.3A69CB64@keescook> (raw)
In-Reply-To: <0c7402fe6448186cda5a2618a35eb5f8d1cbb313.1687974498.git.gustavoars@kernel.org>
On Wed, Jun 28, 2023 at 11:57:13AM -0600, Gustavo A. R. Silva wrote:
> Replace one-element array with flexible-array member in struct
> sgmap and refactor the rest of the code, accordingly.
>
> Issue found with the help of Coccinelle and audited and fixed,
> manually.
This change _does_ have binary output differences, although it looks
like you got most of them. I still see:
commsup.o:
- mov $0x40,%edx
+ mov $0x38,%edx
This appears to be the sizeof() here:
ret = aac_fib_send(ScsiPortCommand64, fibptr, sizeof(struct aac_srb),
FsaNormal, 1, 1, NULL, NULL);
struct aac_srb includes struct sgmap. I think this needs to explicitly
include the 1 sgmap, which seems to be sent in the fibptr:
srbcmd = (struct aac_srb *)fib_data(fibptr);
...
sg64 = (struct sgmap64 *)&srbcmd->sg;
sg64->count = cpu_to_le32(1);
i.e. "sending 1". This seems to fix it:
- ret = aac_fib_send(ScsiPortCommand64, fibptr, sizeof(struct aac_srb),
+ ret = aac_fib_send(ScsiPortCommand64, fibptr,
+ struct_size(srbcmd, sg.sg, 1),
Then I see changes in both aac_write_block() and aac_scsi_32(), but they
match the changes you made to get the correct size (it's just an easier
calculation for the compiler to perform, so the code is slightly
simplified).
So I think with the hunk I suggested at the start, and a comment on the
(expected) binary changes, this should be good to go.
-Kees
> Link: https://github.com/KSPP/linux/issues/79
> Link: https://github.com/ClangBuiltLinux/linux/issues/1851
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
> ---
> drivers/scsi/aacraid/aachba.c | 24 ++++++++++--------------
> drivers/scsi/aacraid/aacraid.h | 2 +-
> drivers/scsi/aacraid/commctrl.c | 4 ++--
> drivers/scsi/aacraid/comminit.c | 3 +--
> 4 files changed, 14 insertions(+), 19 deletions(-)
>
> diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
> index 03ba974f6b2a..b2849e5cc104 100644
> --- a/drivers/scsi/aacraid/aachba.c
> +++ b/drivers/scsi/aacraid/aachba.c
> @@ -1336,8 +1336,7 @@ static int aac_read_block(struct fib * fib, struct scsi_cmnd * cmd, u64 lba, u32
> if (ret < 0)
> return ret;
> fibsize = sizeof(struct aac_read) +
> - ((le32_to_cpu(readcmd->sg.count) - 1) *
> - sizeof (struct sgentry));
> + le32_to_cpu(readcmd->sg.count) * sizeof(struct sgentry);
> BUG_ON (fibsize > (fib->dev->max_fib_size -
> sizeof(struct aac_fibhdr)));
> /*
> @@ -1471,8 +1470,7 @@ static int aac_write_block(struct fib * fib, struct scsi_cmnd * cmd, u64 lba, u3
> if (ret < 0)
> return ret;
> fibsize = sizeof(struct aac_write) +
> - ((le32_to_cpu(writecmd->sg.count) - 1) *
> - sizeof (struct sgentry));
> + le32_to_cpu(writecmd->sg.count) * sizeof(struct sgentry);
> BUG_ON (fibsize > (fib->dev->max_fib_size -
> sizeof(struct aac_fibhdr)));
> /*
> @@ -1590,9 +1588,9 @@ static int aac_scsi_64(struct fib * fib, struct scsi_cmnd * cmd)
> /*
> * Build Scatter/Gather list
> */
> - fibsize = sizeof (struct aac_srb) - sizeof (struct sgentry) +
> - ((le32_to_cpu(srbcmd->sg.count) & 0xff) *
> - sizeof (struct sgentry64));
> + fibsize = sizeof(struct aac_srb) +
> + (le32_to_cpu(srbcmd->sg.count) & 0xff) *
> + sizeof(struct sgentry64);
> BUG_ON (fibsize > (fib->dev->max_fib_size -
> sizeof(struct aac_fibhdr)));
>
> @@ -1621,9 +1619,9 @@ static int aac_scsi_32(struct fib * fib, struct scsi_cmnd * cmd)
> /*
> * Build Scatter/Gather list
> */
> - fibsize = sizeof (struct aac_srb) +
> - (((le32_to_cpu(srbcmd->sg.count) & 0xff) - 1) *
> - sizeof (struct sgentry));
> + fibsize = sizeof(struct aac_srb) +
> + (le32_to_cpu(srbcmd->sg.count) & 0xff) *
> + sizeof(struct sgentry);
> BUG_ON (fibsize > (fib->dev->max_fib_size -
> sizeof(struct aac_fibhdr)));
>
> @@ -1691,8 +1689,7 @@ static int aac_send_safw_bmic_cmd(struct aac_dev *dev,
> fibptr->hw_fib_va->header.XferState &=
> ~cpu_to_le32(FastResponseCapable);
>
> - fibsize = sizeof(struct aac_srb) - sizeof(struct sgentry) +
> - sizeof(struct sgentry64);
> + fibsize = sizeof(struct aac_srb) + sizeof(struct sgentry64);
>
> /* allocate DMA buffer for response */
> addr = dma_map_single(&dev->pdev->dev, xfer_buf, xfer_len,
> @@ -2264,8 +2261,7 @@ int aac_get_adapter_info(struct aac_dev* dev)
> dev->a_ops.adapter_bounds = aac_bounds_32;
> dev->scsi_host_ptr->sg_tablesize = (dev->max_fib_size -
> sizeof(struct aac_fibhdr) -
> - sizeof(struct aac_write) + sizeof(struct sgentry)) /
> - sizeof(struct sgentry);
> + sizeof(struct aac_write)) / sizeof(struct sgentry);
> if (dev->dac_support) {
> dev->a_ops.adapter_read = aac_read_block64;
> dev->a_ops.adapter_write = aac_write_block64;
> diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
> index 94eb83d38be6..3fbc22ae72b6 100644
> --- a/drivers/scsi/aacraid/aacraid.h
> +++ b/drivers/scsi/aacraid/aacraid.h
> @@ -507,7 +507,7 @@ struct sge_ieee1212 {
>
> struct sgmap {
> __le32 count;
> - struct sgentry sg[1];
> + struct sgentry sg[];
> };
>
> struct user_sgmap {
> diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c
> index e7cc927ed952..df811ad4afaa 100644
> --- a/drivers/scsi/aacraid/commctrl.c
> +++ b/drivers/scsi/aacraid/commctrl.c
> @@ -561,8 +561,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg)
> rcode = -EINVAL;
> goto cleanup;
> }
> - actual_fibsize = sizeof(struct aac_srb) - sizeof(struct sgentry) +
> - ((user_srbcmd->sg.count & 0xff) * sizeof(struct sgentry));
> + actual_fibsize = sizeof(struct aac_srb) +
> + (user_srbcmd->sg.count & 0xff) * sizeof(struct sgentry);
> actual_fibsize64 = actual_fibsize + (user_srbcmd->sg.count & 0xff) *
> (sizeof(struct sgentry64) - sizeof(struct sgentry));
> /* User made a mistake - should not continue */
> diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
> index bd99c5492b7d..d8dd89c87b01 100644
> --- a/drivers/scsi/aacraid/comminit.c
> +++ b/drivers/scsi/aacraid/comminit.c
> @@ -523,8 +523,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
> dev->max_fib_size = sizeof(struct hw_fib);
> dev->sg_tablesize = host->sg_tablesize = (dev->max_fib_size
> - sizeof(struct aac_fibhdr)
> - - sizeof(struct aac_write) + sizeof(struct sgentry))
> - / sizeof(struct sgentry);
> + - sizeof(struct aac_write)) / sizeof(struct sgentry);
> dev->comm_interface = AAC_COMM_PRODUCER;
> dev->raw_io_interface = dev->raw_io_64 = 0;
>
> --
> 2.34.1
>
--
Kees Cook
next prev parent reply other threads:[~2023-06-28 20:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-28 17:53 [PATCH 00/10][next] scsi: aacraid: Replace one-element arrays with flexible-array members Gustavo A. R. Silva
2023-06-28 17:54 ` [PATCH 01/10][next] scsi: aacraid: Replace one-element array with flexible-array member Gustavo A. R. Silva
2023-06-28 20:09 ` Kees Cook
2023-06-28 17:54 ` [PATCH 02/10][next] scsi: aacraid: Use struct_size() helper in aac_get_safw_ciss_luns() Gustavo A. R. Silva
2023-06-28 20:51 ` Kees Cook
2023-06-28 17:55 ` [PATCH 03/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct aac_aifcmd Gustavo A. R. Silva
2023-06-28 20:10 ` Kees Cook
2023-06-28 17:55 ` [PATCH 04/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct user_sgmapraw Gustavo A. R. Silva
2023-06-28 20:10 ` Kees Cook
2023-06-28 17:56 ` [PATCH 05/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct sgmapraw Gustavo A. R. Silva
2023-06-28 20:49 ` Kees Cook
2023-06-28 17:56 ` [PATCH 06/10][next] scsi: aacraid: Use struct_size() helper in code related to " Gustavo A. R. Silva
2023-06-28 20:51 ` Kees Cook
2023-06-28 20:52 ` Kees Cook
2023-06-28 17:56 ` [PATCH 07/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct user_sgmap64 Gustavo A. R. Silva
2023-06-28 20:10 ` Kees Cook
2023-06-28 17:57 ` [PATCH 08/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct sgmap Gustavo A. R. Silva
2023-06-28 20:36 ` Kees Cook [this message]
2023-06-28 21:15 ` Gustavo A. R. Silva
2023-06-28 17:57 ` [PATCH 09/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct sgmap64 Gustavo A. R. Silva
2023-06-28 20:46 ` Kees Cook
2023-06-28 17:57 ` [PATCH 10/10][next] scsi: aacraid: Replace one-element array with flexible-array member in struct user_sgmap Gustavo A. R. Silva
2023-06-28 20:11 ` Kees Cook
2023-06-28 20:08 ` [PATCH 00/10][next] scsi: aacraid: Replace one-element arrays with flexible-array members Kees Cook
2023-06-28 20:16 ` Gustavo A. R. Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202306281311.3A69CB64@keescook \
--to=keescook@chromium.org \
--cc=aacraid@microsemi.com \
--cc=gustavoars@kernel.org \
--cc=jejb@linux.ibm.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.