@@ -683,7 +683,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
{
int ret;
struct hfi1_ctxtdata *uctxt = fd->uctxt;
- struct tid_rb_node *node;
+ struct tid_rb_node *node = NULL;
struct hfi1_devdata *dd = uctxt->dd;
dma_addr_t phys;
struct page **pages = tbuf->pages + pageidx;
@@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
* Allocate the node first so we can handle a potential
* failure before we've programmed anything.
*/
- node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL);
- if (!node)
+ if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL))
return -ENOMEM;
phys = dma_map_single(&dd->pcidev->dev, __va(page_to_phys(pages[0])),
@@ -707,12 +706,10 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
node->fdata = fd;
node->phys = page_to_phys(pages[0]);
- node->npages = npages;
node->rcventry = rcventry;
node->dma_addr = phys;
node->grp = grp;
node->freed = false;
- memcpy(node->pages, pages, flex_array_size(node, pages, npages));
if (fd->use_mn) {
ret = mmu_interval_notifier_insert(
@@ -32,8 +32,8 @@ struct tid_rb_node {
u32 rcventry;
dma_addr_t dma_addr;
bool freed;
- unsigned int npages;
- struct page *pages[];
+ DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, npages);
+ DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages);
};
static inline int num_user_pages(unsigned long addr,
As part of the work to perform bounds checking on all memcpy() uses, replace the open-coded a deserialization of bytes out of memory into a trailing flexible array by using a flex_array.h helper to perform the allocation, bounds checking, and copying. Cc: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Leon Romanovsky <leon@kernel.org> Cc: linux-rdma@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/infiniband/hw/hfi1/user_exp_rcv.c | 7 ++----- drivers/infiniband/hw/hfi1/user_exp_rcv.h | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-)