@@ -293,6 +293,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
void *init_ents;
int err = 0;
int i;
+ size_t size = array_size(entries, cqe_size);
init_ents = kmalloc(PAGE_SIZE, GFP_KERNEL);
if (!init_ents)
@@ -314,9 +315,7 @@ static int mlx4_init_user_cqes(void *buf, int entries, int cqe_size)
buf += PAGE_SIZE;
}
} else {
- err = copy_to_user((void __user *)buf, init_ents,
- array_size(entries, cqe_size)) ?
- -EFAULT : 0;
+ err = copy_to_user((void __user *)buf, init_ents, size) ? -EFAULT : 0;
}
out:
When compiling the kernel in my environment (with gcc version gcc 10.3.1), I encountered the following compilation check error: In function ‘check_copy_size’, inlined from ‘copy_to_user’ at ./include/linux/uaccess.h:210:7, inlined from ‘mlx4_init_user_cqes’ at drivers/net/ethernet/mellanox/mlx4/cq.c:317:9: ./include/linux/thread_info.h:244:4: error: call to ‘__bad_copy_from’ declared with attribute error: copy source size is too small 244 | __bad_copy_from(); mlx4_init_user_cqes() checks the size of the buf before copying data, ensuring that there will be no out-of-bounds copying, so this should be a false positive. I searched the git commit history and found that the commit 75da0eba0a47 ("rapidio: avoid bogus __alloc_size warning") fixed a similar issue, where the compiler encountered an error when expanding the arguments of check_copy_size(). Saving the result of array_size() to a temporary variable and using this variable as the argument of copy_to_user() can avoid this gcc warning. Additionally, I tested older (9.4.0) and newer (10.3.5) versions and did not encounter the same problem, so this should be a bug in a specific intermediate version. Signed-off-by: Li Huafei <lihuafei1@huawei.com> --- drivers/net/ethernet/mellanox/mlx4/cq.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)