On Thu, Jul 12, 2018 at 8:11 AM, Arnd Bergmann <arnd@xxxxxxxx> wrote: > On Wed, Jul 11, 2018 at 10:36 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> Two uses of SKCIPHER_REQUEST_ON_STACK() will trigger FRAME_WARN warnings >> (when less than 2048) once the VLA is no longer hidden from the check: >> >> net/rxrpc/rxkad.c:398:1: warning: the frame size of 1152 bytes is larger than 1024 bytes [-Wframe-larger-than=] >> net/rxrpc/rxkad.c:242:1: warning: the frame size of 1152 bytes is larger than 1024 bytes [-Wframe-larger-than=] >> >> This bumps the affected objects by 20% to silence the warnings while >> still providing coverage is anything grows even more. >> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > > (adding David Howells to cc) > > I don't think these are in a fast path, it should be possible to just use > skcipher_alloc_req() instead of SKCIPHER_REQUEST_ON_STACK() here. > From what I can tell, neither of the two are called in atomic context, so > you should be able to use a GFP_KERNEL allocation. Sure, I can do that instead. -Kees -- Kees Cook Pixel Security