drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++-- drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
Currently, memdup_user() is utilized at two positions to copy userspace
arrays. This is done without overflow checks.
Use the new wrapper memdup_array_user() to copy the arrays more safely.
Suggested-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
---
drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++--
drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index 96058baf36ed..53a623892d9d 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
if (unlikely(tinfo->tidcnt > fd->tid_used))
return -EINVAL;
- tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist),
- sizeof(tidinfo[0]) * tinfo->tidcnt);
+ tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist),
+ tinfo->tidcnt, sizeof(tidinfo[0]));
if (IS_ERR(tidinfo))
return PTR_ERR(tidinfo);
diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
index 29ae7beb9b03..f7fa8e699a78 100644
--- a/drivers/infiniband/hw/hfi1/user_sdma.c
+++ b/drivers/infiniband/hw/hfi1/user_sdma.c
@@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd,
* equal to the pkt count. However, there is no way to
* tell at this point.
*/
- tmp = memdup_user(iovec[idx].iov_base,
- ntids * sizeof(*req->tids));
+ tmp = memdup_array_user(iovec[idx].iov_base,
+ ntids, sizeof(*req->tids));
if (IS_ERR(tmp)) {
ret = PTR_ERR(tmp);
SDMA_DBG(req, "Failed to copy %d TIDs (%d)",
--
2.41.0
On Thu, 02 Nov 2023 20:13:09 +0100, Philipp Stanner wrote:
> Currently, memdup_user() is utilized at two positions to copy userspace
> arrays. This is done without overflow checks.
>
> Use the new wrapper memdup_array_user() to copy the arrays more safely.
>
>
Applied, thanks!
[1/1] drivers/infiniband: copy userspace arrays safely
https://git.kernel.org/rdma/rdma/c/c170d4ff21a8a5
Best regards,
--
Leon Romanovsky <leon@kernel.org>
On 11/2/23 3:13 PM, Philipp Stanner wrote:
> Currently, memdup_user() is utilized at two positions to copy userspace
> arrays. This is done without overflow checks.
>
> Use the new wrapper memdup_array_user() to copy the arrays more safely.
>
> Suggested-by: Dave Airlie <airlied@redhat.com>
> Signed-off-by: Philipp Stanner <pstanner@redhat.com>
> ---
> drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++--
> drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> index 96058baf36ed..53a623892d9d 100644
> --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
> @@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd,
> if (unlikely(tinfo->tidcnt > fd->tid_used))
> return -EINVAL;
>
> - tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist),
> - sizeof(tidinfo[0]) * tinfo->tidcnt);
> + tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist),
> + tinfo->tidcnt, sizeof(tidinfo[0]));
> if (IS_ERR(tidinfo))
> return PTR_ERR(tidinfo);
>
> diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c
> index 29ae7beb9b03..f7fa8e699a78 100644
> --- a/drivers/infiniband/hw/hfi1/user_sdma.c
> +++ b/drivers/infiniband/hw/hfi1/user_sdma.c
> @@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd,
> * equal to the pkt count. However, there is no way to
> * tell at this point.
> */
> - tmp = memdup_user(iovec[idx].iov_base,
> - ntids * sizeof(*req->tids));
> + tmp = memdup_array_user(iovec[idx].iov_base,
> + ntids, sizeof(*req->tids));
> if (IS_ERR(tmp)) {
> ret = PTR_ERR(tmp);
> SDMA_DBG(req, "Failed to copy %d TIDs (%d)",
Acked-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
© 2016 - 2025 Red Hat, Inc.