On Tue, Feb 09, 2021 at 04:02:55PM -0800, Ben Widawsky wrote: > +static int handle_mailbox_cmd_from_user(struct cxl_memdev *cxlmd, > + const struct cxl_mem_command *cmd, > + u64 in_payload, u64 out_payload, > + struct cxl_send_command __user *s) > +{ > + struct cxl_mem *cxlm = cxlmd->cxlm; > + struct device *dev = &cxlmd->dev; > + struct mbox_cmd mbox_cmd = { > + .opcode = cmd->opcode, > + .size_in = cmd->info.size_in, > + }; > + s32 user_size_out; > + int rc; > + > + if (get_user(user_size_out, &s->out.size)) > + return -EFAULT; You have already copied it in. Never reread stuff from userland - it *can* change under you.
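Review bot: The `get_user(user_size_out, &s->out.size)` at the end of the quoted hunk reads the output size from user memory through `s`, so whatever the caller validated in the copy the reply says was already made is not necessarily the value this function acts on. Suggest removing the `struct cxl_send_command __user *s` parameter and passing the size in by value from that kernel copy, next to `in_payload` and `out_payload`, so the user pointer is not available to reread here. Separately, `user_size_out` is declared `s32`; if it is used as a length further down, the lines shown contain no check that it is non-negative.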
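The reread the reply objects to, as an added user-space illustration that is not part of the original message or the CXL driver: a handler that validates a snapshot and then fetches the size again, beside one that uses only the snapshot. `struct send_cmd`, `OUT_MAX`, `sim_copy_from_user` and both handlers are hypothetical names, and the concurrent user-space write is modelled deterministically.

```c
#include <stdint.h>
#include <string.h>

#define OUT_MAX 64

/* Constructed stand-in for a user-supplied command (hypothetical layout). */
struct send_cmd { uint32_t id; int32_t out_size; };

static struct send_cmd user_mem;  /* simulated user memory */
static int fetches;               /* fetches made by the current handler */

/* Simulated copy_from_user(): right after the first fetch, a racing user
 * thread rewrites out_size (modelled deterministically). */
static void sim_copy_from_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
    if (++fetches == 1)
        user_mem.out_size = 4096;
}

/* Double fetch: checks the snapshot, then rereads the size from user memory. */
static int32_t handle_double_fetch(const struct send_cmd *u)
{
    struct send_cmd k;
    int32_t size_out;
    sim_copy_from_user(&k, u, sizeof(k));
    if (k.out_size < 0 || k.out_size > OUT_MAX)
        return -1;
    sim_copy_from_user(&size_out, &u->out_size, sizeof(size_out));
    return size_out;  /* this value was never checked */
}

/* Single fetch: every later use comes from the checked kernel copy. */
static int32_t handle_single_fetch(const struct send_cmd *u)
{
    struct send_cmd k;
    sim_copy_from_user(&k, u, sizeof(k));
    if (k.out_size < 0 || k.out_size > OUT_MAX)
        return -1;
    return k.out_size;
}

/* Runs a handler on user memory that starts valid (16) and is then rewritten. */
static int32_t run(int32_t (*handler)(const struct send_cmd *))
{
    user_mem = (struct send_cmd){ .id = 1, .out_size = 16 };
    fetches = 0;
    return handler(&user_mem);
}
```

`run(handle_double_fetch)` yields the rewritten size even though the bounds check passed, while `run(handle_single_fetch)` yields the size that was checked.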