Use array_size() helper instead of the open-coded version in
copy_to_user(). These sorts of multiplication factors need
to be wrapped in array_size().
Link: https://github.com/KSPP/linux/issues/160
Signed-off-by: Gustavo A. R. Silva <[email protected]>
---
drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index f7053a74e6a8..4d4f9cf9facb 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
buf += PAGE_SIZE;
}
} else {
- err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
+ err = copy_to_user((void __user *)buf, init_ents,
+ array_size(entries, cqe_size)) ?
-EFAULT : 0;
}
--
2.27.0
On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:
> Use array_size() helper instead of the open-coded version in
> copy_to_user(). These sorts of multiplication factors need
> to be wrapped in array_size().
>
> Link: https://github.com/KSPP/linux/issues/160
> Signed-off-by: Gustavo A. R. Silva <[email protected]>
> ---
> drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
> index f7053a74e6a8..4d4f9cf9facb 100644
> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
> @@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
> buf += PAGE_SIZE;
> }
> } else {
> - err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
> + err = copy_to_user((void __user *)buf, init_ents,
> + array_size(entries, cqe_size)) ?
> -EFAULT : 0;
> }
>
>
Thanks for your patch.
Reviewed-by: Tariq Toukan <[email protected]>
On 9/29/21 3:24 AM, Tariq Toukan wrote:
>
>
> On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:
>> Use array_size() helper instead of the open-coded version in
>> copy_to_user(). These sorts of multiplication factors need
>> to be wrapped in array_size().
>>
>> Link: https://github.com/KSPP/linux/issues/160
>> Signed-off-by: Gustavo A. R. Silva <[email protected]>
>> ---
>> drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
>> index f7053a74e6a8..4d4f9cf9facb 100644
>> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
>> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
>> @@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>> buf += PAGE_SIZE;
>> }
>> } else {
>> - err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
>> + err = copy_to_user((void __user *)buf, init_ents,
>> + array_size(entries, cqe_size)) ?
>> -EFAULT : 0;
>> }
>>
>
> Thanks for your patch.
> Reviewed-by: Tariq Toukan <[email protected]>
Not sure why avoiding size_t overflows would make this code safer.
init_ents contains PAGE_SIZE bytes...
BTW
Is @entries guaranteed to be a power of two ?
This function seems to either copy one chunk ( <= PAGE_SIZE),
or a number of full pages.
On 9/29/2021 8:21 PM, Eric Dumazet wrote:
>
>
> On 9/29/21 3:24 AM, Tariq Toukan wrote:
>>
>>
>> On 9/28/2021 11:17 PM, Gustavo A. R. Silva wrote:
>>> Use array_size() helper instead of the open-coded version in
>>> copy_to_user(). These sorts of multiplication factors need
>>> to be wrapped in array_size().
>>>
>>> Link: https://github.com/KSPP/linux/issues/160
>>> Signed-off-by: Gustavo A. R. Silva <[email protected]>
>>> ---
>>> drivers/net/ethernet/mellanox/mlx4/cq.c | 3 ++-
>>> 1 file changed, 2 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> index f7053a74e6a8..4d4f9cf9facb 100644
>>> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
>>> @@ -314,7 +314,8 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>>> buf += PAGE_SIZE;
>>> }
>>> } else {
>>> - err = copy_to_user((void __user *)buf, init_ents, entries * cqe_size) ?
>>> + err = copy_to_user((void __user *)buf, init_ents,
>>> + array_size(entries, cqe_size)) ?
>>> -EFAULT : 0;
>>> }
>>>
>>
>> Thanks for your patch.
>> Reviewed-by: Tariq Toukan <[email protected]>
>
> Not sure why avoiding size_t overflows would make this code safer.
> init_ents contains PAGE_SIZE bytes...
>
> BTW
>
> Is @entries guaranteed to be a power of two ?
Yes.
>
> This function seems to either copy one chunk ( <= PAGE_SIZE),
> or a number of full pages.
>
Exactly. No remainder handling is needed, for the reason you mentioned
above.