rapidio/rio_mport_cdev: use array_size() helper in copy_{from,to}_user()

Use array_size() helper instead of the open-coded version in
copy_{from,to}_user().  These sorts of multiplication factors need to be
wrapped in array_size().

This issue was found with the help of Coccinelle and, audited and fixed
manually.

Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Alexandre Bounine <alex.bou9@gmail.com>
Link: http://lkml.kernel.org/r/20200616183050.GA31840@embeddedor
Addresses-KSPP-ID: https://github.com/KSPP/linux/issues/83
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 3abbba8..c07ceec 100644 (file)
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -981,7 +981,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
        if (unlikely(copy_from_user(transfer,
                                    (void __user *)(uintptr_t)transaction.block,
-                                   transaction.count * sizeof(*transfer)))) {
+                                   array_size(sizeof(*transfer), transaction.count)))) {
                ret = -EFAULT;
                goto out_free;
        }
@@ -994,7 +994,7 @@ static int rio_mport_transfer_ioctl(struct file *filp, void __user *arg)
 
        if (unlikely(copy_to_user((void __user *)(uintptr_t)transaction.block,
                                  transfer,
-                                 transaction.count * sizeof(*transfer))))
+                                 array_size(sizeof(*transfer), transaction.count))))
                ret = -EFAULT;
 
 out_free: