From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Philipp Stanner <pstanner@redhat.com>,
David Airlie <airlied@redhat.com>,
Kees Cook <keescook@chromium.org>, Zack Rusin <zackr@vmware.com>,
Sasha Levin <sashal@kernel.org>,
brauner@kernel.org, ddiss@suse.de, code@siddh.me,
dhowells@redhat.com, nick.alcock@oracle.com
Subject: [PATCH AUTOSEL 5.15 06/20] kernel: watch_queue: copy user-array safely
Date: Tue, 7 Nov 2023 07:29:00 -0500 [thread overview]
Message-ID: <20231107122940.3762228-6-sashal@kernel.org> (raw)
In-Reply-To: <20231107122940.3762228-1-sashal@kernel.org>
From: Philipp Stanner <pstanner@redhat.com>
[ Upstream commit ca0776571d3163bd03b3e8c9e3da936abfaecbf6 ]
Currently, there is no overflow-check with memdup_user().
Use the new function memdup_array_user() instead of memdup_user() for
duplicating the user-space array safely.
Suggested-by: David Airlie <airlied@redhat.com>
Signed-off-by: Philipp Stanner <pstanner@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Zack Rusin <zackr@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230920123612.16914-5-pstanner@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/watch_queue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/watch_queue.c b/kernel/watch_queue.c
index 54cbaa9711398..ae31bf8d2feb1 100644
--- a/kernel/watch_queue.c
+++ b/kernel/watch_queue.c
@@ -338,7 +338,7 @@ long watch_queue_set_filter(struct pipe_inode_info *pipe,
filter.__reserved != 0)
return -EINVAL;
- tf = memdup_user(_filter->filters, filter.nr_filters * sizeof(*tf));
+ tf = memdup_array_user(_filter->filters, filter.nr_filters, sizeof(*tf));
if (IS_ERR(tf))
return PTR_ERR(tf);
--
2.42.0
next prev parent reply other threads:[~2023-11-07 12:42 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-07 12:28 [PATCH AUTOSEL 5.15 01/20] drm/komeda: drop all currently held locks if deadlock happens Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 02/20] drm/amdkfd: Fix a race condition of vram buffer unref in svm code Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 03/20] drm/amd/display: use full update for clip size increase of large plane source Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 04/20] string.h: add array-wrappers for (v)memdup_user() Sasha Levin
2023-11-07 12:28 ` [PATCH AUTOSEL 5.15 05/20] kernel: kexec: copy user-array safely Sasha Levin
2023-11-07 12:29 ` Sasha Levin [this message]
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 07/20] drm: vmwgfx_surface.c: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 08/20] drm/msm/dp: skip validity check for DP CTS EDID checksum Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 09/20] drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 10/20] drm/radeon: Fix UBSAN array-index-out-of-bounds for Radeon HD 5430 Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 11/20] drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 12/20] drm/amdgpu: Fix potential null pointer derefernce Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 13/20] drm/panel: fix a possible null pointer dereference Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 14/20] drm/panel/panel-tpo-tpg110: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 15/20] drm/amdgpu/vkms: " Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 16/20] drm/panel: st7703: Pick different reset sequence Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 17/20] drm/amdkfd: Fix shift out-of-bounds issue Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 18/20] drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 19/20] arm64: dts: ls208xa: use a pseudo-bus to constrain usb dma size Sasha Levin
2023-11-07 12:29 ` [PATCH AUTOSEL 5.15 20/20] selftests/efivarfs: create-read: fix a resource leak Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231107122940.3762228-6-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=airlied@redhat.com \
--cc=brauner@kernel.org \
--cc=code@siddh.me \
--cc=ddiss@suse.de \
--cc=dhowells@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nick.alcock@oracle.com \
--cc=pstanner@redhat.com \
--cc=stable@vger.kernel.org \
--cc=zackr@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox