From: Stanislav Fomichev <sdf@google.com>
Date: Fri, 4 Feb 2022 23:58:49 +0000 (-0800)
Subject: bpf: test_run: Fix overflow in bpf_test_finish frags parsing
X-Git-Tag: v6.1-rc5~1746^2~392^2~8
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=5d1e9f437df5ef21e7567f1970a00fda3b5d1126;p=platform%2Fkernel%2Flinux-starfive.git

bpf: test_run: Fix overflow in bpf_test_finish frags parsing

This place also uses signed min_t and passes this singed int to
copy_to_user (which accepts unsigned argument). I don't think
there is an issue, but let's be consistent.

Fixes: 7855e0db150ad ("bpf: test_run: add xdp_shared_info pointer in bpf_test_finish signature")
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20220204235849.14658-2-sdf@google.com
---

diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index 5819a7a..cb150f7 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -154,7 +154,8 @@ static int bpf_test_finish(const union bpf_attr *kattr,
 			goto out;
 
 		if (sinfo) {
-			int i, offset = len, data_len;
+			int i, offset = len;
+			u32 data_len;
 
 			for (i = 0; i < sinfo->nr_frags; i++) {
 				skb_frag_t *frag = &sinfo->frags[i];
@@ -164,7 +165,7 @@ static int bpf_test_finish(const union bpf_attr *kattr,
 					break;
 				}
 
-				data_len = min_t(int, copy_size - offset,
+				data_len = min_t(u32, copy_size - offset,
 						 skb_frag_size(frag));
 
 				if (copy_to_user(data_out + offset,