On Wed, 1 May 2024, James Bottomley wrote:

> > The code itself is fine unless you have a 32-bit system with a 
> > malicious card, so yeah, near zero risk.
> 
> Well, no actually zero: we assume plugged in hardware to operate 
> correctly (had this argument in the driver hardening thread a while 
> ago), but in this particular case you'd have to have a card with a very 
> high number of ports, which would cause kernel allocations to fail long 
> before anything could introduce an overflow of sizeof(struct csio_lnode
> *) * hw->num_lns.
> 

Then it should be safe to add an equivalent assertion. E.g. 
BUG_ON(hw->num_lns > X) where X was derived either from knowledge of the 
hardware or from some known-safe kalloc() limit. Though I wonder whether 
BUG_ON() is the best way to encode preconditions for the benefit of static 
checkers...
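For anyone following the overflow argument above, here is an added example (not code from this thread or from the csio driver) that models the size arithmetic on a 32-bit system, with uint32_t standing in for a 32-bit size_t and PTR_SIZE32 / NUM_LNS_MAX as assumed stand-ins for sizeof(struct csio_lnode *) and the hardware-derived bound "X"; it puts the unchecked product beside a checked one in the spirit of the kernel's check_mul_overflow()/array_size() helpers.

```c
/* Added example, not from the thread or the csio driver: models
 * sizeof(struct csio_lnode *) * hw->num_lns with a 32-bit size_t
 * (uint32_t stands in for size_t on a 32-bit kernel). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PTR_SIZE32  4u   /* assumed: a kernel pointer is 4 bytes on 32-bit */
#define NUM_LNS_MAX 32u  /* assumed hardware-derived bound, the "X" in the thread */

/* Unchecked: the product silently wraps modulo 2^32, so an absurd
 * num_lns can yield a tiny allocation size instead of a failed one. */
uint32_t unchecked_alloc_size(uint32_t num_lns)
{
    return PTR_SIZE32 * num_lns;
}

/* Checked: false if num_lns exceeds the assumed bound (the precondition a
 * BUG_ON() would encode) or if the byte count does not fit in 32 bits.
 * __builtin_mul_overflow is the gcc/clang primitive behind check_mul_overflow(). */
bool checked_alloc_size(uint32_t num_lns, uint32_t *out)
{
    uint32_t bytes;
    if (num_lns > NUM_LNS_MAX)
        return false;
    if (__builtin_mul_overflow(PTR_SIZE32, num_lns, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the request is rejected. */
uint32_t checked_alloc_size_or_zero(uint32_t num_lns)
{
    uint32_t bytes = 0;
    return checked_alloc_size(num_lns, &bytes) ? bytes : 0;
}

int main(void)
{
    /* Constructed input: 2^30 + 1 "ports", far beyond any real card. */
    uint32_t n = 0x40000001u;
    printf("unchecked: %u bytes (wrapped)\n", unchecked_alloc_size(n));
    printf("checked:   %u bytes (0 = rejected)\n", checked_alloc_size_or_zero(n));
    printf("checked, 8 ports: %u bytes\n", checked_alloc_size_or_zero(8u));
    return 0;
}
```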
