On 11/2/23 3:13 PM, Philipp Stanner wrote: > Currently, memdup_user() is utilized at two positions to copy userspace > arrays. This is done without overflow checks. > > Use the new wrapper memdup_array_user() to copy the arrays more safely. > > Suggested-by: Dave Airlie <airlied@xxxxxxxxxx> > Signed-off-by: Philipp Stanner <pstanner@xxxxxxxxxx> > --- > drivers/infiniband/hw/hfi1/user_exp_rcv.c | 4 ++-- > drivers/infiniband/hw/hfi1/user_sdma.c | 4 ++-- > 2 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c b/drivers/infiniband/hw/hfi1/user_exp_rcv.c > index 96058baf36ed..53a623892d9d 100644 > --- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c > +++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c > @@ -491,8 +491,8 @@ int hfi1_user_exp_rcv_clear(struct hfi1_filedata *fd, > if (unlikely(tinfo->tidcnt > fd->tid_used)) > return -EINVAL; > > - tidinfo = memdup_user(u64_to_user_ptr(tinfo->tidlist), > - sizeof(tidinfo[0]) * tinfo->tidcnt); > + tidinfo = memdup_array_user(u64_to_user_ptr(tinfo->tidlist), > + tinfo->tidcnt, sizeof(tidinfo[0])); > if (IS_ERR(tidinfo)) > return PTR_ERR(tidinfo); > > diff --git a/drivers/infiniband/hw/hfi1/user_sdma.c b/drivers/infiniband/hw/hfi1/user_sdma.c > index 29ae7beb9b03..f7fa8e699a78 100644 > --- a/drivers/infiniband/hw/hfi1/user_sdma.c > +++ b/drivers/infiniband/hw/hfi1/user_sdma.c > @@ -494,8 +494,8 @@ int hfi1_user_sdma_process_request(struct hfi1_filedata *fd, > * equal to the pkt count. However, there is no way to > * tell at this point. > */ > - tmp = memdup_user(iovec[idx].iov_base, > - ntids * sizeof(*req->tids)); > + tmp = memdup_array_user(iovec[idx].iov_base, > + ntids, sizeof(*req->tids)); > if (IS_ERR(tmp)) { > ret = PTR_ERR(tmp); > SDMA_DBG(req, "Failed to copy %d TIDs (%d)", Acked-by: Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>
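Review bot: in the user_exp_rcv.c hunk (hfi1_user_exp_rcv_clear), the count passed to memdup_array_user() is already capped by the `if (unlikely(tinfo->tidcnt > fd->tid_used))` check in the context just above the call, and the changelog does not say how that existing bound relates to the overflow being guarded against. Suggest the commit message state whether the multiplication could actually wrap at this call site or whether the change is hardening on top of the existing check. It is also worth a second look that the new argument order (count `tinfo->tidcnt`, then element size `sizeof(tidinfo[0])`) is the order the helper expects, since swapping the two would still compile.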
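Review bot: in the user_sdma.c hunk (hfi1_user_sdma_process_request), nothing in the visible context bounds `ntids` before it becomes the count argument, and the `SDMA_DBG(req, "Failed to copy %d TIDs (%d)",` line prints it with %d, which suggests a signed type. Please confirm that ntids is range-checked (non-zero, non-negative, within the driver's limit) earlier in the function, because a negative value would be converted to the helper's unsigned count parameter. The changelog could also note that a rejected multiplication now arrives at this same error path through PTR_ERR(tmp), so the "Failed to copy" debug message will also be emitted for a request that was refused before any copy took place.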