[PATCH 24/32] IB/hfi1: Use mem_to_flex_dup() for struct tid_rb_node

Tue, 03 May 2022 22:17:35 -0700 

As part of the work to perform bounds checking on all memcpy() uses,
replace the open-coded a deserialization of bytes out of memory into a
trailing flexible array by using a flex_array.h helper to perform the
allocation, bounds checking, and copying.

Cc: Dennis Dalessandro <dennis.dalessan...@cornelisnetworks.com>
Cc: Jason Gunthorpe <j...@ziepe.ca>
Cc: Leon Romanovsky <l...@kernel.org>
Cc: linux-r...@vger.kernel.org
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
 drivers/infiniband/hw/hfi1/user_exp_rcv.c | 7 ++-----
 drivers/infiniband/hw/hfi1/user_exp_rcv.h | 4 ++--
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.c 
b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
index 186d30291260..f14846662ac9 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.c
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.c
@@ -683,7 +683,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
 {
        int ret;
        struct hfi1_ctxtdata *uctxt = fd->uctxt;
-       struct tid_rb_node *node;
+       struct tid_rb_node *node = NULL;
        struct hfi1_devdata *dd = uctxt->dd;
        dma_addr_t phys;
        struct page **pages = tbuf->pages + pageidx;
@@ -692,8 +692,7 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
         * Allocate the node first so we can handle a potential
         * failure before we've programmed anything.
         */
-       node = kzalloc(struct_size(node, pages, npages), GFP_KERNEL);
-       if (!node)
+       if (mem_to_flex_dup(&node, pages, npages, GFP_KERNEL))
                return -ENOMEM;
 
        phys = dma_map_single(&dd->pcidev->dev, __va(page_to_phys(pages[0])),
@@ -707,12 +706,10 @@ static int set_rcvarray_entry(struct hfi1_filedata *fd,
 
        node->fdata = fd;
        node->phys = page_to_phys(pages[0]);
-       node->npages = npages;
        node->rcventry = rcventry;
        node->dma_addr = phys;
        node->grp = grp;
        node->freed = false;
-       memcpy(node->pages, pages, flex_array_size(node, pages, npages));
 
        if (fd->use_mn) {
                ret = mmu_interval_notifier_insert(
diff --git a/drivers/infiniband/hw/hfi1/user_exp_rcv.h 
b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
index 8c53e416bf84..4be3446c4d25 100644
--- a/drivers/infiniband/hw/hfi1/user_exp_rcv.h
+++ b/drivers/infiniband/hw/hfi1/user_exp_rcv.h
@@ -32,8 +32,8 @@ struct tid_rb_node {
        u32 rcventry;
        dma_addr_t dma_addr;
        bool freed;
-       unsigned int npages;
-       struct page *pages[];
+       DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(unsigned int, npages);
+       DECLARE_FLEX_ARRAY_ELEMENTS(struct page *, pages);
 };
 
 static inline int num_user_pages(unsigned long addr,
-- 
2.32.0

Reply via email to