On Mon, 2020-06-15 at 16:47 -0500, Gustavo A. R. Silva wrote:
> The get_order() function has no 2-factor argument form, so
> multiplication
> factors need to be wrapped in array_size().
>
> This issue was found with the help of Coccinelle and, audited and
> fixed
> manually.
>
> Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
> Signed-off-by: Gustavo A. R. Silva <gustavoars@xxxxxxxxxx>
> ---
> drivers/scsi/megaraid/megaraid_sas_fusion.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/scsi/megaraid/megaraid_sas_fusion.c
> b/drivers/scsi/megaraid/megaraid_sas_fusion.c
> index 319f241da4b6..6de44ed4cde7 100644
> --- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
> +++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
> @@ -5180,8 +5180,8 @@ megasas_alloc_fusion_context(struct
> megasas_instance *instance)
>
> fusion = instance->ctrl_context;
>
> - fusion->log_to_span_pages = get_order(MAX_LOGICAL_DRIVES_EXT
> *
> - sizeof(LD_SPAN_INFO));
> + fusion->log_to_span_pages =
> get_order(array_size(MAX_LOGICAL_DRIVES_EXT,
> + sizeof(LD_SPAN_INFO)))
> ;

What's the point of this? You're replacing a constant multiplication the compiler can compute with one it can't on the theory there might be an overflow, which is pretty far fetched given MAX_LOGICAL_DRIVES_EXT is 256 and sizeof(LD_SPAN_INFO) is around 82.

I thought the whole point of overflow detection was to use it for instances where we could be tricked into triggering one by userspace which may result in a buffer under or overflow ... this is two constants, how could this ever be a source of an exploit?

James
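
Review bot: the changelog does not say why an overflow is possible for the log_to_span_pages assignment, where both factors passed to array_size() are fixed at build time (sizeof(LD_SPAN_INFO) is a compile-time constant and MAX_LOGICAL_DRIVES_EXT reads as a macro constant); either state that reason in the commit message or leave this assignment as a plain multiplication. The diffstat also reports 4 insertions and 4 deletions while only this one hunk is visible in the message, so the remaining changed lines cannot be reviewed from what is quoted here.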
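
The distinction the reply draws, between a product of two constants and a product with a factor a caller can choose, shown as an added example that is not part of this thread or of the kernel source. It is a user-space model: the `model_*` names and the 4 KiB page size are assumptions, and 256 and 82 are the figures quoted in the reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_PAGE_SHIFT 12 /* assumption: 4 KiB pages */

/* Model of array_size(): saturate to SIZE_MAX instead of wrapping. */
static size_t model_array_size(size_t a, size_t b)
{
    size_t bytes;

    if (__builtin_mul_overflow(a, b, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Model of get_order(): smallest order with (page size << order) >= size. */
static unsigned int model_get_order(size_t size)
{
    unsigned int order = 0;
    size_t pages = (size - 1) >> MODEL_PAGE_SHIFT;

    while (pages) {
        order++;
        pages >>= 1;
    }
    return order;
}

int main(void)
{
    size_t elem = 82;                    /* figure quoted in the reply */
    size_t fixed = 256;                  /* figure quoted in the reply */
    size_t chosen = SIZE_MAX / elem + 1; /* constructed: smallest count that wraps */

    /* Two constants: plain and checked products agree, order is 3. */
    printf("constants: plain=%zu checked=%zu order=%u\n",
           fixed * elem, model_array_size(fixed, elem),
           model_get_order(fixed * elem));

    /* Caller-chosen count: the plain product wraps to a few bytes, so the
     * order looks harmless; the checked product saturates and a size
     * check downstream can reject it. */
    printf("chosen: plain=%zu (order %u) checked=%zu (order %u)\n",
           chosen * elem, model_get_order(chosen * elem),
           model_array_size(chosen, elem),
           model_get_order(model_array_size(chosen, elem)));
    return 0;
}
```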