drm/i2c: tda9950: Remove VLA usage

In the quest to remove all stack VLA usage from the kernel[1], this
sets the buffer to maximum size and adds a sanity check.

[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

Cc: David Airlie <airlied@linux.ie>
Cc: Hans Verkuil <hans.verkuil@cisco.com>
Cc: Russell King <rmk+kernel@armlinux.org.uk>
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook <keescook@chromium.org>

diff --git a/drivers/gpu/drm/i2c/tda9950.c b/drivers/gpu/drm/i2c/tda9950.c
index 3f7396c..5d2f0d5 100644 (file)
--- a/drivers/gpu/drm/i2c/tda9950.c
+++ b/drivers/gpu/drm/i2c/tda9950.c
@@ -76,9 +76,12 @@ struct tda9950_priv {
 static int tda9950_write_range(struct i2c_client *client, u8 addr, u8 *p, int cnt)
 {
        struct i2c_msg msg;
-       u8 buf[cnt + 1];
+       u8 buf[CEC_MAX_MSG_SIZE + 3];
        int ret;
 
+       if (WARN_ON(cnt > sizeof(buf) - 1))
+               return -EINVAL;
+
        buf[0] = addr;
        memcpy(buf + 1, p, cnt);