On Tue, Jul 11, 2023 at 2:22 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> The simple_write_to_buffer() function is designed to handle partial
> writes. It returns negatives on error, otherwise it returns the number
> of bytes that were able to be copied. This code doesn't check the
> return properly. We only know that the first byte is written, the rest
> of the buffer might be uninitialized.
>
> There is no need to use the simple_write_to_buffer() function.
> Partial writes are prohibited by the "if (*ppos != 0)" check at the
> start of the function. Just use memdup_user() and copy the whole
> buffer.
>
> Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/net/netdevsim/dev.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
> index 6045bece2654..b4d3b9cde8bd 100644
> --- a/drivers/net/netdevsim/dev.c
> +++ b/drivers/net/netdevsim/dev.c
> @@ -184,13 +184,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file,
> cookie_len = (count - 1) / 2;
> if ((count - 1) % 2)
> return -EINVAL;
> - buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN);
> - if (!buf)
> - return -ENOMEM;
>
> - ret = simple_write_to_buffer(buf, count, ppos, data, count);
> - if (ret < 0)
> - goto free_buf;
> + buf = memdup_user(data, count);
Looks good to me except that now memory comes from GFP_USER.
Within limits it still looks all fine to me.
Reviewed-by: Pavan Chebbi <pavan.chebbi@xxxxxxxxxxxx>
> + if (IS_ERR(buf))
> + return PTR_ERR(buf);
>
> fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len,
> GFP_KERNEL | __GFP_NOWARN);
> --
> 2.39.2
>
>
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
