
libata-scsi: Move sense buffers onto stack

To support future compile-time sizeof() checks that will be able to
validate the length of sense buffers, this removes the only dynamically
allocated sense buffers in the tree by putting the 96 byte sense buffers
on the stack.

Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Kees Cook and committed by
Jens Axboe
429296cc 4e178c17

+6 -12
+6 -12
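--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -597,8 +597,9 @@
 int ata_cmd_ioctl(struct scsi_device *scsidev, void __user *arg)
 {
 	int rc = 0;
+	u8 sensebuf[SCSI_SENSE_BUFFERSIZE];
 	u8 scsi_cmd[MAX_COMMAND_SIZE];
-	u8 args[4], *argbuf = NULL, *sensebuf = NULL;
+	u8 args[4], *argbuf = NULL;
 	int argsize = 0;
 	enum dma_data_direction data_dir;
 	struct scsi_sense_hdr sshdr;
@@ -610,10 +611,7 @@
 	if (copy_from_user(args, arg, sizeof(args)))
 		return -EFAULT;
 
-	sensebuf = kzalloc(SCSI_SENSE_BUFFERSIZE, GFP_NOIO);
-	if (!sensebuf)
-		return -ENOMEM;
-
+	memset(sensebuf, 0, sizeof(sensebuf));
 	memset(scsi_cmd, 0, sizeof(scsi_cmd));
 
 	if (args[3]) {
@@ -685,7 +683,6 @@
 	 && copy_to_user(arg + sizeof(args), argbuf, argsize))
 		rc = -EFAULT;
 error:
-	kfree(sensebuf);
 	kfree(argbuf);
 	return rc;
 }
@@ -704,8 +701,9 @@
 int ata_task_ioctl(struct scsi_device *scsidev, void __user *arg)
 {
 	int rc = 0;
+	u8 sensebuf[SCSI_SENSE_BUFFERSIZE];
 	u8 scsi_cmd[MAX_COMMAND_SIZE];
-	u8 args[7], *sensebuf = NULL;
+	u8 args[7];
 	struct scsi_sense_hdr sshdr;
 	int cmd_result;
 
@@ -715,10 +713,7 @@
 	if (copy_from_user(args, arg, sizeof(args)))
 		return -EFAULT;
 
-	sensebuf = kzalloc(SCSI_SENSE_BUFFERSIZE, GFP_NOIO);
-	if (!sensebuf)
-		return -ENOMEM;
-
+	memset(sensebuf, 0, sizeof(sensebuf));
 	memset(scsi_cmd, 0, sizeof(scsi_cmd));
 	scsi_cmd[0] = ATA_16;
 	scsi_cmd[1] = (3 << 1); /* Non-data */
@@ -769,7 +764,6 @@
 	}
 
 error:
-	kfree(sensebuf);
 	return rc;
 }
 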
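Review bot: The new on-stack `sensebuf` declarations in `ata_cmd_ioctl()` and `ata_task_ioctl()` carry no comment saying why a stack buffer is acceptable, and the call that fills the buffer lies outside the visible hunks. A stack array is only safe if the sense data reaches it through a CPU copy; if any path handed this pointer to the device as a DMA target, that would be a problem on kernels with virtually mapped stacks. After confirming this against the callee, I would add above each declaration something like `/* sense data is CPU-copied into this buffer (never DMA), so it can live on the stack */`. Both function bodies continue beyond the hunks shown, so the actual uses of `sensebuf` could not be checked here.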