Message ID | 20230418114730.3674657-1-arnd@kernel.org |
---|---|
State | New |
Headers | From: Arnd Bergmann <arnd@kernel.org>; To: Tariq Toukan <tariqt@nvidia.com>, "Gustavo A. R. Silva" <gustavoars@kernel.org>; Cc: Arnd Bergmann <arnd@arndb.de>, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>, netdev@vger.kernel.org, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org; Subject: [PATCH 1/2] net/mlx4: fix build error from usercopy size check; Date: Tue, 18 Apr 2023 13:47:11 +0200; X-Mailer: git-send-email 2.39.2; List-ID: <linux-kernel.vger.kernel.org> |
Series | [1/2] net/mlx4: fix build error from usercopy size check |
Commit Message
Arnd Bergmann
April 18, 2023, 11:47 a.m. UTC
From: Arnd Bergmann <arnd@arndb.de>

The array_size() helper is used here to prevent accidental overflow in
mlx4_init_user_cqes(), but as this returns SIZE_MAX in case an overflow
would happen, the logic in copy_to_user() now detects that as overflowing
the source:

    In file included from arch/x86/include/asm/preempt.h:9,
                     from include/linux/preempt.h:78,
                     from include/linux/percpu.h:6,
                     from include/linux/context_tracking_state.h:5,
                     from include/linux/hardirq.h:5,
                     from drivers/net/ethernet/mellanox/mlx4/cq.c:37:
    In function 'check_copy_size',
        inlined from 'copy_to_user' at include/linux/uaccess.h:190:6,
        inlined from 'mlx4_init_user_cqes' at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9,
        inlined from 'mlx4_cq_alloc' at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10:
    include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small
      244 |    __bad_copy_from();
          |    ^~~~~~~~~~~~~~~~~

Move the size logic out, and instead use the same size value for the
comparison and the copy.

Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
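The following user-space model is an added illustration, not part of the patch or of the kernel source. It shows the saturating multiply the commit message describes, why a saturated length fails a source-size check, and how using one size value for both the comparison and the copy keeps the single-copy path bounded by the page. `MODEL_PAGE_SIZE`, `model_array_size()`, `model_copy()`, `model_init_cqes()` and the `dst_cap` bound are assumptions of the model, and the check is done at run time here rather than at compile time as in check_copy_size().

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u /* assumed page size for this model */

/* Saturating multiply: SIZE_MAX on overflow, as the commit message describes. */
static size_t model_array_size(size_t a, size_t b)
{
    size_t bytes;
    return __builtin_mul_overflow(a, b, &bytes) ? SIZE_MAX : bytes;
}

/* Hypothetical stand-in for copy_to_user(): rejects a length larger than the
 * source object (the condition check_copy_size() reports). 0 on success. */
static int model_copy(unsigned char *dst, const unsigned char *src,
                      size_t src_size, size_t len)
{
    if (len > src_size)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

/* One size value drives both the branch and the copy, as in the patch.
 * dst_cap is a model-only bound so the example cannot overrun its buffer.
 * Returns bytes written to dst, or -1 if the request is refused. */
static long model_init_cqes(unsigned char *dst, size_t dst_cap,
                            size_t entries, size_t cqe_size)
{
    unsigned char page[MODEL_PAGE_SIZE];
    size_t copy_size = model_array_size(entries, cqe_size);
    size_t written = 0;

    if (cqe_size == 0 || cqe_size > MODEL_PAGE_SIZE || copy_size > dst_cap)
        return -1; /* a saturated SIZE_MAX request is refused here */
    memset(page, 0xcc, sizeof(page));
    if (copy_size <= MODEL_PAGE_SIZE) /* small case: length bounded by the check */
        return model_copy(dst, page, sizeof(page), copy_size) ? -1 : (long)copy_size;
    /* large case: only whole pages are ever passed to the copy */
    for (size_t i = 0; i < entries / (MODEL_PAGE_SIZE / cqe_size); i++) {
        if (model_copy(dst + written, page, sizeof(page), MODEL_PAGE_SIZE))
            return -1;
        written += MODEL_PAGE_SIZE;
    }
    return (long)written;
}
```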
Comments
On 18/04/2023 14:47, Arnd Bergmann wrote: > From: Arnd Bergmann <arnd@arndb.de> > > The array_size() helper is used here to prevent accidental overflow in > mlx4_init_user_cqes(), but as this returns SIZE_MAX in case an overflow > would happen, the logic in copy_to_user() now detects that as overflowing > the source: > > In file included from arch/x86/include/asm/preempt.h:9, > from include/linux/preempt.h:78, > from include/linux/percpu.h:6, > from include/linux/context_tracking_state.h:5, > from include/linux/hardirq.h:5, > from drivers/net/ethernet/mellanox/mlx4/cq.c:37: > In function 'check_copy_size', > inlined from 'copy_to_user' at include/linux/uaccess.h:190:6, > inlined from 'mlx4_init_user_cqes' at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9, > inlined from 'mlx4_cq_alloc' at drivers/net/ethernet/mellanox/mlx4/cq.c:394:10: > include/linux/thread_info.h:244:4: error: call to '__bad_copy_from' declared with attribute error: copy source size is too small > 244 | __bad_copy_from(); > | ^~~~~~~~~~~~~~~~~ > > Move the size logic out, and instead use the same size value for the > comparison and the copy. > > Fixes: f69bf5dee7ef ("net/mlx4: Use array_size() helper in copy_to_user()") > Signed-off-by: Arnd Bergmann <arnd@arndb.de> > --- > drivers/net/ethernet/mellanox/mlx4/cq.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c > index 4d4f9cf9facb..020cb8e2883f 100644 > --- a/drivers/net/ethernet/mellanox/mlx4/cq.c > +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c > @@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn) > static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) > { > int entries_per_copy = PAGE_SIZE / cqe_size; > + size_t copy_size = array_size(entries, cqe_size); > void *init_ents; > int err = 0; > int i; 
> @@ -304,7 +305,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) > */ > memset(init_ents, 0xcc, PAGE_SIZE); > > - if (entries_per_copy < entries) { > + if (copy_size > PAGE_SIZE) { > for (i = 0; i < entries / entries_per_copy; i++) { > err = copy_to_user((void __user *)buf, init_ents, PAGE_SIZE) ? > -EFAULT : 0; > @@ -315,7 +316,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) > } > } else { > err = copy_to_user((void __user *)buf, init_ents, > - array_size(entries, cqe_size)) ? > + copy_size) ? > -EFAULT : 0; > } > Reviewed-by: Tariq Toukan <tariqt@nvidia.com> Thanks for your patch.
diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c index 4d4f9cf9facb..020cb8e2883f 100644 --- a/drivers/net/ethernet/mellanox/mlx4/cq.c +++ b/drivers/net/ethernet/mellanox/mlx4/cq.c @@ -290,6 +290,7 @@ static void mlx4_cq_free_icm(struct mlx4_dev *dev, int cqn) static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) { int entries_per_copy = PAGE_SIZE / cqe_size; + size_t copy_size = array_size(entries, cqe_size); void *init_ents; int err = 0; int i; @@ -304,7 +305,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) */ memset(init_ents, 0xcc, PAGE_SIZE); - if (entries_per_copy < entries) { + if (copy_size > PAGE_SIZE) { for (i = 0; i < entries / entries_per_copy; i++) { err = copy_to_user((void __user *)buf, init_ents, PAGE_SIZE) ? -EFAULT : 0; @@ -315,7 +316,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size) } } else { err = copy_to_user((void __user *)buf, init_ents, - array_size(entries, cqe_size)) ? + copy_size) ? -EFAULT : 0; }
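Review bot: In the first hunk (@@ -290,6 +290,7), `copy_size` is initialised from `array_size(entries, cqe_size)` while both parameters are plain `int`, and nothing in the visible lines checks their sign or that `cqe_size` is non-zero before `PAGE_SIZE / cqe_size`. A negative value would convert to a very large size_t before the multiply, and the saturated SIZE_MAX result now also selects the branch. If callers guarantee positive values, a short comment saying so at the initialiser (or unsigned parameter types) would make this easier to audit.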
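Review bot: In the second hunk (@@ -304,7 +305,7), the branch condition is now size-based (`copy_size > PAGE_SIZE`) while the loop under it still counts `entries / entries_per_copy` iterations, so the condition and the loop bound are expressed in different units. They agree for positive inputs, and a saturated `copy_size` lands in this branch where only PAGE_SIZE is passed to copy_to_user(); a one-line comment stating that this is where the SIZE_MAX case is handled would document the intent. The integer division also drops any entries that do not fill a whole page unless lines outside the hunk handle the remainder.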
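Review bot: In the third hunk (@@ -315,7 +316,7), the `copy_size` passed to copy_to_user() in the else branch is bounded only by the `if (copy_size > PAGE_SIZE)` test introduced in the previous hunk, and the source `init_ents` is only shown being filled for PAGE_SIZE bytes by the memset. The build error goes away because the length on this path can no longer be SIZE_MAX; stating that relationship in the commit message or in a comment next to the else branch would keep a later edit of the condition from reintroducing the problem.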