On Tue, Aug 11, 2020 at 02:14:57PM -0500, Bob Pearson wrote: > by copying to user space from the stack instead of slab cache. > This affects the rdma_rxe driver causing a warning once per boot. > The alternative is to ifigure out how to whitelist the xxx_qp struct ifigure -> figure > but this seems simple and clean. We have multiple cases like this in the code, what is the error exactly? And what is "hardened user copy"? > > --- Signed-off-by is missing. > drivers/infiniband/core/uverbs_std_types_qp.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c > index 3bf8dcdfe7eb..2f8b14003b95 100644 > --- a/drivers/infiniband/core/uverbs_std_types_qp.c > +++ b/drivers/infiniband/core/uverbs_std_types_qp.c > @@ -98,6 +98,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( > struct ib_device *device; > u64 user_handle; > int ret; > + int qp_num; > > ret = uverbs_copy_from_or_zero(&cap, attrs, > UVERBS_ATTR_CREATE_QP_CAP); > @@ -293,9 +294,10 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)( > if (ret) > return ret; > > + /* copy from stack to avoid whitelisting issues */ > + qp_num = qp->qp_num; > ret = uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM, > - &qp->qp_num, > - sizeof(qp->qp_num)); > + &qp_num, sizeof(qp_num)); > > return ret; > err_put: > -- > 2.25.1 >
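Review bot: In the first hunk, `int qp_num;` should be declared with the same type as `qp->qp_num` rather than `int`. The second hunk replaces `sizeof(qp->qp_num)` with `sizeof(qp_num)`, so the width of the copy to user space is now taken from the local rather than from the field; if the two types ever differ in size or signedness the response layout changes silently and nothing in this patch would catch it. Using the field's own type (or `typeof(qp->qp_num)`) keeps the copy identical to the original `uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM, &qp->qp_num, sizeof(qp->qp_num))`.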
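Review bot: In the second hunk the comment `/* copy from stack to avoid whitelisting issues */` does not say what is being worked around, which is the same gap the reviewer points at when asking what the error is and what "hardened user copy" means. The commit message and the comment should name the check (the hardened usercopy warning from copying the `qp_num` field out of the slab-allocated `qp` object) and why a stack local is exempt from it, so the next person reading `qp_num = qp->qp_num;` knows the bounce copy is deliberate and not dead code to be folded back into `&qp->qp_num`. The reply also notes the patch has no Signed-off-by; that needs adding before it can be picked up.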