[PATCH 14/20] Addresses an issue with hardened user copy

From: Bob Pearson <rpearsonhpe@gmail.com>
To: linux-rdma@vger.kernel.org
Cc: Bob Pearson <rpearson@hpe.com>
Subject: [PATCH 14/20] Addresses an issue with hardened user copy
Date: Fri, 14 Aug 2020 23:58:38 -0500	[thread overview]
Message-ID: <20200815045912.8626-15-rpearson@hpe.com> (raw)
In-Reply-To: <20200815045912.8626-1-rpearson@hpe.com>

Copying to user space from the stack instead of slab cache cured
a kernel oops that was toubling me.A

Signed-off-by: Bob Pearson <rpearson@hpe.com>
---
 drivers/infiniband/core/uverbs_std_types_qp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/core/uverbs_std_types_qp.c b/drivers/infiniband/core/uverbs_std_types_qp.c
index 3bf8dcdfe7eb..2f8b14003b95 100644
--- a/drivers/infiniband/core/uverbs_std_types_qp.c
+++ b/drivers/infiniband/core/uverbs_std_types_qp.c
@@ -98,6 +98,7 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
 	struct ib_device *device;
 	u64 user_handle;
 	int ret;
+	int qp_num;
 
 	ret = uverbs_copy_from_or_zero(&cap, attrs,
 			       UVERBS_ATTR_CREATE_QP_CAP);
@@ -293,9 +294,10 @@ static int UVERBS_HANDLER(UVERBS_METHOD_QP_CREATE)(
 	if (ret)
 		return ret;
 
+	/* copy from stack to avoid whitelisting issues */
+	qp_num = qp->qp_num;
 	ret = uverbs_copy_to(attrs, UVERBS_ATTR_CREATE_QP_RESP_QP_NUM,
-			     &qp->qp_num,
-			     sizeof(qp->qp_num));
+			     &qp_num, sizeof(qp_num));
 
 	return ret;
 err_put:
-- 
2.25.1

