From: Arnd Bergmann <arnd@kernel.org>
To: Tariq Toukan <tariqt@nvidia.com>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, linux-rdma@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] net/mlx4: fix build error from usercopy size check
Date: Tue, 18 Apr 2023 13:47:11 +0200
Message-ID: <20230418114730.3674657-1-arnd@kernel.org>

From: Arnd Bergmann <arnd@arndb.de>

The array_size() helper is used here to prevent accidental overflow in
mlx4_init_user_cqes(), but as this returns SIZE_MAX in case an overflow
would happen, the logic in copy_to_user() now detects that as overflowing
the source:

In file included from arch/x86/include/asm/preempt.h:9,
                 from include/linux/preempt.h:78,
                 from include/linux/percpu.h:6,
                 from include/linux/context_tracking_state.h:5,
                 from include/linux/hardirq.h:5,
                 from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
In function 'check_copy_size',
    inlined from 'copy_to_user' at include/linux/uaccess.h:190:6,
    inlined from 'mlx4_init_user_cqes' at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
    inlined from 'mlx4_cq_alloc' at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
  244 |    __bad_copy_from();
      |    ^~~~~~~~~~~~~~~~~

Move the size logic out, and instead use the same size value for the
comparison and the copy.

Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index 4d4f9cf9facb..020cb8e2883f 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn)
 static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 {
 	int entries_per_copy = PAGE_SIZE / cqe_size;
+	size_t copy_size = array_size(entries, cqe_size);
 	void *init_ents;
 	int err = 0;
 	int i;
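
Review bot: The new copy_size initializer passes the int parameters entries and cqe_size straight into array_size(), so a negative value would be converted to a very large size_t and saturate to SIZE_MAX, the same result the commit message describes for overflow. If callers guarantee positive values, a short comment saying so would help; otherwise consider rejecting entries <= 0 or cqe_size <= 0 before computing copy_size, which would also protect the PAGE_SIZE / cqe_size division on the line above.
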
@@ -304,7 +305,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 	 */
 	memset(init_ents, 0xcc, PAGE_SIZE);
 
-	if (entries_per_copy < entries) {
+	if (copy_size > PAGE_SIZE) {
 		for (i = 0; i < entries / entries_per_copy; i++) {
 			err = copy_to_user((void __user *)buf, init_ents, PAGE_SIZE) ?
 				-EFAULT : 0;
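
Review bot: The branch condition is now expressed in bytes (copy_size > PAGE_SIZE) while the loop bound directly below it is still in entries (entries / entries_per_copy), and nothing in the code says the two agree. For positive inputs the new test selects the same cases as entries_per_copy < entries, and a saturated SIZE_MAX always lands in this loop branch; a one-line comment stating both facts would make the mixed units easier to verify.
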
@@ -315,7 +316,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
 		}
 	} else {
 		err = copy_to_user((void __user *)buf, init_ents,
-				   array_size(entries, cqe_size)) ?
+				   copy_size) ?
 			-EFAULT : 0;
 	}
 
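Review bot: The else branch relies on copy_size <= PAGE_SIZE, which is what keeps the copy within the PAGE_SIZE bytes of init_ents set by the memset() earlier in the function, but that invariant is only implied by the if condition. A brief comment here would help stop a later change to the condition from reintroducing the check_copy_size build error. With the shorter argument, "copy_size) ?" may also fit on the copy_to_user() line.
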
-- 
2.39.2

