* [PATCH] drivers/infiniband: copy userspace arrays safely
@ 2023-11-02 19:13 Philipp Stanner
2023-11-08 15:07 ` Dennis Dalessandro
2023-11-13 8:39 ` Leon Romanovsky
0 siblings, 2 replies; 3+ messages in thread
From: Philipp Stanner @ 2023-11-02 19:13 UTC (permalink / raw
To: Dennis Dalessandro, Jason Gunthorpe, Leon Romanovsky
Cc: linux-rdma, linux-kernel, Philipp Stanner, Dave Airlie
Currently, memdup_user() is utilized at two positions to copy userspace
arrays. This is done without overflow checks.
Use the new wrapper memdup_array_user() to copy the arrays more safely.
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++--
drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index 96058baf36ed..53a623892d9d 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
if (unlikely(tinfo->tidcnt > fd->tid_used))
return -EINVAL;
- tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist),
- sizeof(tidinfo[0]) * tinfo->tidcnt);
+ tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist),
+ tinfo->tidcnt, sizeof(tidinfo[0]));
if (IS_ERR(tidinfo))
return PTR_ERR(tidinfo);
diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
index 29ae7beb9b03..f7fa8e699a78 100644
--- a/drivers/infiniband/hw/hfi1/user_sdma.c
+++ b/drivers/infiniband/hw/hfi1/user_sdma.c
@@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd,
* equal to the pkt count. However, there is no way to
* tell at this point.
*/
- tmp = memdup_user(iovec[idx].iov_base,
- ntids * sizeof(*req->tids));
+ tmp = memdup_array_user(iovec[idx].iov_base,
+ ntids, sizeof(*req->tids));
if (IS_ERR(tmp)) {
ret = PTR_ERR(tmp);
SDMA_DBG(req, "Failed to copy %d TIDs (%d)",
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] drivers/infiniband: copy userspace arrays safely
2023-11-02 19:13 [PATCH] drivers/infiniband: copy userspace arrays safely Philipp Stanner
@ 2023-11-08 15:07 ` Dennis Dalessandro
2023-11-13 8:39 ` Leon Romanovsky
1 sibling, 0 replies; 3+ messages in thread
From: Dennis Dalessandro @ 2023-11-08 15:07 UTC (permalink / raw
To: Philipp Stanner, Jason Gunthorpe, Leon Romanovsky
Cc: linux-rdma, linux-kernel, Dave Airlie
On 11/2/23 3:13 PM, Philipp Stanner wrote:
> Currently, memdup_user() is utilized at two positions to copy userspace
> arrays. This is done without overflow checks.
>
> Use the new wrapper memdup_array_user() to copy the arrays more safely.
>
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> ---
> drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++--
> drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> index 96058baf36ed..53a623892d9d 100644
> --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> @@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
> if (unlikely(tinfo->tidcnt > fd->tid_used))
> return -EINVAL;
>
> - tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist),
> - sizeof(tidinfo[0]) * tinfo->tidcnt);
> + tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist),
> + tinfo->tidcnt, sizeof(tidinfo[0]));
> if (IS_ERR(tidinfo))
> return PTR_ERR(tidinfo);
>
> diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
> index 29ae7beb9b03..f7fa8e699a78 100644
> --- a/drivers/infiniband/hw/hfi1/user_sdma.c
> +++ b/drivers/infiniband/hw/hfi1/user_sdma.c
> @@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd,
> * equal to the pkt count. However, there is no way to
> * tell at this point.
> */
> - tmp = memdup_user(iovec[idx].iov_base,
> - ntids * sizeof(*req->tids));
> + tmp = memdup_array_user(iovec[idx].iov_base,
> + ntids, sizeof(*req->tids));
> if (IS_ERR(tmp)) {
> ret = PTR_ERR(tmp);
> SDMA_DBG(req, "Failed to copy %d TIDs (%d)",
Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] drivers/infiniband: copy userspace arrays safely
2023-11-02 19:13 [PATCH] drivers/infiniband: copy userspace arrays safely Philipp Stanner
2023-11-08 15:07 ` Dennis Dalessandro
@ 2023-11-13 8:39 ` Leon Romanovsky
1 sibling, 0 replies; 3+ messages in thread
From: Leon Romanovsky @ 2023-11-13 8:39 UTC (permalink / raw
To: Dennis Dalessandro, Jason Gunthorpe, Philipp Stanner
Cc: linux-rdma, linux-kernel, Dave Airlie
On Thu, 02 Nov 2023 20:13:09 +0100, Philipp Stanner wrote:
> Currently, memdup_user() is utilized at two positions to copy userspace
> arrays. This is done without overflow checks.
>
> Use the new wrapper memdup_array_user() to copy the arrays more safely.
>
>
Applied, thanks!
[1/1] drivers/infiniband: copy userspace arrays safely
https://git.kernel.org/rdma/rdma/c/c170d4ff21a8a5
Best regards,
--
Leon Romanovsky <leon@kernel.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-11-13 8:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-02 19:13 [PATCH] drivers/infiniband: copy userspace arrays safely Philipp Stanner
2023-11-08 15:07 ` Dennis Dalessandro
2023-11-13 8:39 ` Leon Romanovsky
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).