Message ID | 20231102191308.52046-2-pstanner@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Series | drivers/infiniband: copy userspace arrays safely |
On 11/2/23 3:13 PM, Philipp Stanner wrote: > Currently, memdup_user() is utilized at two positions to copy userspace > arrays. This is done without overflow checks. > > Use the new wrapper memdup_array_user() to copy the arrays more safely. > > Suggested-by: Dave Airlie <airlied@redhat.com> > Signed-off-by: Philipp Stanner <pstanner@redhat.com> > --- > drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++-- > drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c > index 96058baf36ed..53a623892d9d 100644 > --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c > +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c > @@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, > if (unlikely(tinfo->tidcnt > fd->tid_used)) > return -EINVAL; > > - tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist), > - sizeof(tidinfo[0]) * tinfo->tidcnt); > + tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist), > + tinfo->tidcnt, sizeof(tidinfo[0])); > if (IS_ERR(tidinfo)) > return PTR_ERR(tidinfo); > > diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c > index 29ae7beb9b03..f7fa8e699a78 100644 > --- a/drivers/infiniband/hw/hfi1/user_sdma.c > +++ b/drivers/infiniband/hw/hfi1/user_sdma.c > @@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd, > * equal to the pkt count. However, there is no way to > * tell at this point. > */ > - tmp = memdup_user(iovec[idx].iov_base, > - ntids * sizeof(*req->tids)); > + tmp = memdup_array_user(iovec[idx].iov_base, > + ntids, sizeof(*req->tids)); > if (IS_ERR(tmp)) { > ret = PTR_ERR(tmp); > SDMA_DBG(req, "Failed to copy %d TIDs (%d)", Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
On Thu, 02 Nov 2023 20:13:09 +0100, Philipp Stanner wrote:
> Currently, memdup_user() is utilized at two positions to copy userspace
> arrays. This is done without overflow checks.
>
> Use the new wrapper memdup_array_user() to copy the arrays more safely.
>
>

Applied, thanks!

[1/1] drivers/infiniband: copy userspace arrays safely
      https://git.kernel.org/rdma/rdma/c/c170d4ff21a8a5

Best regards,
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c index 96058baf36ed..53a623892d9d 100644 --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c @@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, if (unlikely(tinfo->tidcnt > fd->tid_used)) return -EINVAL; - tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist), - sizeof(tidinfo[0]) * tinfo->tidcnt); + tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist), + tinfo->tidcnt, sizeof(tidinfo[0])); if (IS_ERR(tidinfo)) return PTR_ERR(tidinfo); diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c index 29ae7beb9b03..f7fa8e699a78 100644 --- a/drivers/infiniband/hw/hfi1/user_sdma.c +++ b/drivers/infiniband/hw/hfi1/user_sdma.c @@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd, * equal to the pkt count. However, there is no way to * tell at this point. */ - tmp = memdup_user(iovec[idx].iov_base, - ntids * sizeof(*req->tids)); + tmp = memdup_array_user(iovec[idx].iov_base, + ntids, sizeof(*req->tids)); if (IS_ERR(tmp)) { ret = PTR_ERR(tmp); SDMA_DBG(req, "Failed to copy %d TIDs (%d)",
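Review bot: in the hfi1_user_exp_rcv_clear() hunk of user_exp_rcv.c, the context line `if (unlikely(tinfo->tidcnt > fd->tid_used))` already caps the count at fd->tid_used before the copy, so whether the multiplication could ever wrap here depends on how large tid_used can get, and the commit message does not say. Suggest stating in the commit message that this call site takes a range-checked count and that the change is hardening, so backporters can judge its priority. The existing IS_ERR()/PTR_ERR() path passes whatever error the wrapper returns straight to the caller, so it is also worth confirming that callers tolerate an error code they did not see from memdup_user().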
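Review bot: in the hfi1_user_sdma_process_request() hunk of user_sdma.c, no bound on ntids is visible before the copy, and the comment fragment above it says there is no way to tell the expected count at this point. The overflow check only rejects an `ntids * sizeof(*req->tids)` product that wraps; a large count that does not wrap still reaches the allocator. Suggest confirming (or adding) an explicit upper bound and a non-zero check on ntids ahead of this call, and noting in the commit message that this call site, unlike the one in user_exp_rcv.c, shows no preceding range check in its context.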
Currently, memdup_user() is utilized at two positions to copy userspace
arrays. This is done without overflow checks.

Use the new wrapper memdup_array_user() to copy the arrays more safely.

Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
 drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++--
 drivers/infiniband/hw/hfi1/user_sdma.c    | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
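The missing overflow check that the commit message refers to, shown as an added userspace example (not code from the patch or the kernel). The functions `unchecked_bytes` and `dup_array_checked` are hypothetical stand-ins that model the old `count * size` computation and a checked array copy; the sample array and count are constructed.

```c
/* Userspace model of the size calculation (added example, not kernel code). */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Old pattern: the byte count is n * size with no check, so it can wrap. */
static size_t unchecked_bytes(size_t n, size_t size)
{
    return n * size;
}

/*
 * Checked pattern, modelling an array-copy wrapper: refuse the request
 * when n * size does not fit in size_t. This stand-in returns NULL with
 * errno set (EOVERFLOW here, or malloc's ENOMEM); the kernel reports
 * errors through ERR_PTR() instead.
 */
static void *dup_array_checked(const void *src, size_t n, size_t size)
{
    size_t nbytes;
    void *copy;

    if (__builtin_mul_overflow(n, size, &nbytes)) {
        errno = EOVERFLOW;
        return NULL;
    }
    copy = malloc(nbytes ? nbytes : 1);
    if (copy)
        memcpy(copy, src, nbytes);
    return copy;
}

int main(void)
{
    uint32_t tids[4] = { 1, 2, 3, 4 };                 /* constructed sample data */
    size_t hostile_n = SIZE_MAX / sizeof(tids[0]) + 2; /* constructed count */
    uint32_t *ok = dup_array_checked(tids, 4, sizeof(tids[0]));

    printf("unchecked byte count for hostile n: %zu\n",
           unchecked_bytes(hostile_n, sizeof(tids[0])));
    printf("checked copy of 4 elements: %s\n", ok ? "ok" : "failed");
    errno = 0;
    if (!dup_array_checked(tids, hostile_n, sizeof(tids[0])))
        printf("hostile n rejected, errno=%d\n", errno);
    free(ok);
    return 0;
}
```

With the unchecked computation the oversized count yields a byte count of 4, so the allocation would be far smaller than the number of elements the caller goes on to trust; the checked version rejects the same count.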