Thread (4 messages) 4 messages, 3 authors, 2021-09-29

Re: [PATCH][net-next] net/mlx4: Use array_size() helper in copy_to_user()

From: Eric Dumazet <hidden>
Date: 2021-09-29 17:21:55
Also in: linux-hardening, lkml, netdev


On 9/29/21 3:24 AM, Tariq Toukan wrote:

On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:
quoted
Use array_size() helper instead of the open-coded version in
copy_to_user(). These sorts of multiplication factors need
to be wrapped in array_size().

Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
  drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index f7053a74e6a8..4d4f9cf9facb 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
              buf += PAGE_SIZE;
          }
      } else {
-        err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
+        err = copy_to_user((void __user *)buf, init_ents,
+                   array_size(entries, cqe_size)) ?
              -EFAULT : 0;
      }
 
Thanks for your patch.
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Not sure why avoiding size_t overflows would make this code safer.
init_ents contains PAGE_SIZE bytes...

BTW

Is @entries guaranteed to be a power of two ?

This function seems to either copy one chunk ( <= PAGE_SIZE),
or a number of full pages.
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help