Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Message-ID: <86a8848d-0ebf-2d0d-4a4a-444560a8651a@nvidia.com>
Date:   Tue, 18 Apr 2023 15:26:06 +0300
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
 Thunderbird/102.9.1
Subject: Re: [PATCH 1/2] net/mlx4: fix build error from usercopy size check
Content-Language: en-US
To:     Arnd Bergmann <arnd@kernel.org>,
        "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc:     Arnd Bergmann <arnd@arndb.de>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org,
        linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20230418114730.3674657-1-arnd@kernel.org>
From:   Tariq Toukan <tariqt@nvidia.com>
In-Reply-To: <20230418114730.3674657-1-arnd@kernel.org>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?VmNtTnpZWFJLdUxXS2c4L2JXY3FzRi9tbEZZQ1JnMEI0ajd2bEdNMml0VDY0?=
 =?utf-8?B?Zk9VK2hsdXhHUVdpcEUwbFJWamdxWGM2QWxpbTZYWWZjWTBiUjdOcnJRek9Y?=
 =?utf-8?B?akhONUl6Q3IrREkwYTAwWklLRThnMHRmQ1Z1TFMxck9MMU83UkJVWFNTRitE?=
 =?utf-8?B?ekI0ZCtPOTN2QjRIVEl5M3VFMEJpWmRxYjVLWUlCekV4eVVDQ3hzK3VYZVB0?=
 =?utf-8?B?OHROY3RIL1lBckZJTGFiYm1yZ2l2d3pLUnNJbnNyZ1lqRThVSk1QNW16REFY?=
 =?utf-8?B?VC9FV21Yc2RTZTZ2VTRrZXhseXBFcnFKN01EdE50QzJmRHZQWG9VVGlRUFpp?=
 =?utf-8?B?dDhUZDFnU2JBNm5WWURVUjNYMFVxaWtlN2pEczhodFpPUFhKNjF1anpWTzdL?=
 =?utf-8?B?SUZnOTR5QzMyNlNuQ09jS2dEd0JuYUozb01wODh0S1E5bFhyakQ0aXJNYkVx?=
 =?utf-8?B?Ym5hRmU3QVNxZ1EwbHFiS1BmSG5ZRFNJMzVtYk5iV3lrVEMzeTVUSjJlMWNY?=
 =?utf-8?B?bDRDa3piYkZxbmc4YzZwY2pncmRQRUFKSTdWYnYvd1FlekJLVE56Q0x1bzdG?=
 =?utf-8?B?ZE5kRXBxQWM4eTM3VDNQYXZZd0djNWdRcnJuRkN6cGU5akN2dWEyNFRNNFk5?=
 =?utf-8?B?V1drK1hJTCtzSXNrQ3VrV091YWE3bytIZFI0cjN3ZEpjY3lRMFZ0SStIZ1pK?=
 =?utf-8?B?SGR1c0ZsRWRkSXlYNEtuVXdZMUVCVmFYdEo2eSt5M244MHlMNjFYLzBGb3R5?=
 =?utf-8?B?dTVyYVUzVkxLN2J1b3BHNVBScVVjWlBDQWp0V3dJSDhpMklhY2MyRVRoWExO?=
 =?utf-8?B?dzUrSDVIWHowMXdBUExKOFF1QjR1RTZ5Qno3K0NlL1JuY3NSU2JLaWFGSlgw?=
 =?utf-8?B?Z3dHMEZadmxEc1NDaGR0NCtsbmVDMnhvN1FobE9NS0c0RDVHYkErWENCa1p6?=
 =?utf-8?B?czNuOGVLejVjR0lvNXdCWGdUVnhEY3pFR000NFpXVVhpQ1JSbFpabXdwemhH?=
 =?utf-8?B?S2ZYR2RoeUtWV3V4OTRUMDI0Rjk3ckdkVFJjUU5FM21OMlI4Zys5ZlhQY3Fm?=
 =?utf-8?B?QnVvdTRvSk1rWDBJOXdnTFF0SS9qNjU1US9sRDVFa0FUWlFZTksvWnZhY1VD?=
 =?utf-8?B?VS9RMzd0bXF3T1g0VmVWNGNjb1NnR1dmdWtnZnNOZG83bHlheXh4MHlzMHI0?=
 =?utf-8?B?SldTZEFtQlZVMVRrMXBWUzF0czQxMzhoaU5QWjdsTGRNMkZoNFBEeUpLck1E?=
 =?utf-8?B?bGp6YmtjOWpvQmlUWjY3d0hPNHE4R25uNC9ucGVvb2M2MmxLbFovMlVzblBn?=
 =?utf-8?B?RzcwaktqSjlkZnEzTEJRbGxaaU81ZEJZNFpqKzN2dHNIQU4zckVSZUNyVXJQ?=
 =?utf-8?B?UUJldlBrdGNFZHo0UGRSVWlNUHhCYkcyM0tJQkNiWFo0Qnc5SUxtYTYva3NO?=
 =?utf-8?B?VU05M0xoK29vcUc1UVJEUUMrNDcxRDlUY0NIYUNDaWtCdUFpY1dOUWJSbEN2?=
 =?utf-8?B?MW5SL2FKTVA4UTc1eVRIbjczZXZRakdJOFZyZjN1WlV4S3VnbW1hUnNDZms4?=
 =?utf-8?B?Mi83ODZWM1Mra1lGZm9iRFphYllZRnZocVBPRWk5TXFUbUtnNW5xT29BVGMv?=
 =?utf-8?B?Qjk2ajVXcjRpbGlUR0FjdldnVlpLb1l1MEk3NjRMRWhJbWQwQ1FVNHg2OHBo?=
 =?utf-8?B?Qzlxd3pyOWdjR1pYenNvQW9JUE04ZWdFQjNqNWhsR0FyUXk4a25IaSsyZDJz?=
 =?utf-8?B?N1VtYnJyZjYyNUE4SWo0VFprVmZhZjlDN1lIUGtFMFdQaWVEREtXOXVaajk0?=
 =?utf-8?B?dmpRRHBuQitsNWtDSWNqTTl3UE5hTnRJQlV5c2FOaXZwc3BVSFA1VFNSV0Uv?=
 =?utf-8?B?a1pYamUxYjN6cDBDbDN6S3pWa3hvY1g0WU5sMC91US90cFUwcDdOOXh2WCtH?=
 =?utf-8?B?Tmt1bStQczJybVFxenFOVHpDcXVxZlpxTTllem5FdVRMOGx2OHRvK2RKZ2RR?=
 =?utf-8?B?Q0Ivd0JybGN6Z0h2bTllL0QyWTlYZjNrNWFXcGNnN3ZvTytGOGlCWlN0YjYv?=
 =?utf-8?B?Sit6Kzl1anJkTjBGNU9XOE5VTWtYUG04YS9lUk15KzhZbDJlRzRiNEJTR2Z0?=
 =?utf-8?Q?kbyzInOixSjahWEW/EIiII+Xh?=
X-OriginatorOrg: Nvidia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 44c0f536-8f6a-4494-53c6-08db40081abb
X-MS-Exchange-CrossTenant-AuthSource: MW2PR12MB2489.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Apr 2023 12:26:16.0970
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: S1nq6nCLfmmIRVyBL8Uh2KJ+CEAjb/jDCOaqwDcb2LiKPVD1PiI+ekan0AiZ6ybMOb+2IVC/zWLkJO++xf9ipQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY5PR12MB6598
X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_SPF_HELO,
        NICE_REPLY_A,SPF_HELO_PASS,SPF_NONE,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


On 18/04/2023 14:47, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
> 
> The array_size() helper is used here to prevent accidental overflow in
> mlx4_init_user_cqes(), but as this returns SIZE_MAX in case an overflow
> would happen, the logic in copy_to_user() now detects that as overflowing
> the source:
> 
> In file included from arch/x86/include/asm/preempt.h:9,
>                   from include/linux/preempt.h:78,
>                   from include/linux/percpu.h:6,
>                   from include/linux/context_tracking_state.h:5,
>                   from include/linux/hardirq.h:5,
>                   from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
> In function 'check_copy_size',
>      inlined from 'copy_to_user' at include/linux/uaccess.h:190:6,
>      inlined from 'mlx4_init_user_cqes' at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
>      inlined from 'mlx4_cq_alloc' at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
> include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
>    244 |    __bad_copy_from();
>        |    ^~~~~~~~~~~~~~~~~
> 
> Move the size logic out, and instead use the same size value for the
> comparison and the copy.
> 
> Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
>   drivers/net/ethernet/mellanox/mlx4/cq.c | 5 +++--
>   1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
> index 4d4f9cf9facb..020cb8e2883f 100644
> --- a/drivers/net/ethernet/mellanox/mlx4/cq.c
> +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
> @@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn)
>   static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>   {
>   	int entries_per_copy = PAGE_SIZE / cqe_size;
> +	size_t copy_size = array_size(entries, cqe_size);
>   	void *init_ents;
>   	int err = 0;
>   	int i;
> @@ -304,7 +305,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>   	 */
>   	memset(init_ents, 0xcc, PAGE_SIZE);
>   
> -	if (entries_per_copy < entries) {
> +	if (copy_size > PAGE_SIZE) {
>   		for (i = 0; i < entries / entries_per_copy; i++) {
>   			err = copy_to_user((void __user *)buf, init_ents, PAGE_SIZE) ?
>   				-EFAULT : 0;
> @@ -315,7 +316,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
>   		}
>   	} else {
>   		err = copy_to_user((void __user *)buf, init_ents,
> -				   array_size(entries, cqe_size)) ?
> +				   copy_size) ?
>   			-EFAULT : 0;
>   	}
>   

Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Thanks for your patch.