drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: kernel test robot <lkp@intel.com>
To: kbuild@lists.01.org
Subject: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
Date: Sun, 24 Jan 2021 23:50:15 +0800	[thread overview]
Message-ID: <202101242357.atnl19AZ-lkp@intel.com> (raw)

[-- Attachment #1: Type: text/plain, Size: 7954 bytes --]

CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Christoph Hellwig <hch@lst.de>
CC: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   e1ae4b0be15891faf46d390e9f3dc9bd71a8cae1
commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
date:   6 months ago
:::::: branch date: 20 hours ago
:::::: commit date: 6 months ago
config: arc-randconfig-m031-20210124 (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)

Old smatch warnings:
arch/arc/include/asm/thread_info.h:65 current_thread_info() error: uninitialized symbol 'sp'.

vim +/tbuf +1155 drivers/usb/core/devio.c

^1da177e4c3f4152 Linus Torvalds     2005-04-16  1104  
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1105  static int do_proc_control(struct usb_dev_state *ps,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1106  		struct usbdevfs_ctrltransfer *ctrl)
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1107  {
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1108  	struct usb_device *dev = ps->dev;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1109  	unsigned int tmo;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1110  	unsigned char *tbuf;
ff66e3ce35241251 Andrew Morton      2008-03-12  1111  	unsigned wLength;
4c6e8971cbe01480 Alan Stern         2009-06-29  1112  	int i, pipe, ret;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1113  
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1114  	ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1115  			      ctrl->wIndex);
04e482ffd81437e7 Greg Kroah-Hartman 2008-01-30  1116  	if (ret)
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1117  		return ret;
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1118  	wLength = ctrl->wLength;	/* To suppress 64k PAGE_SIZE warning */
ff66e3ce35241251 Andrew Morton      2008-03-12  1119  	if (wLength > PAGE_SIZE)
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1120  		return -EINVAL;
add1aaeabe6b08ed Alan Stern         2011-11-17  1121  	ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
add1aaeabe6b08ed Alan Stern         2011-11-17  1122  			sizeof(struct usb_ctrlrequest));
add1aaeabe6b08ed Alan Stern         2011-11-17  1123  	if (ret)
add1aaeabe6b08ed Alan Stern         2011-11-17  1124  		return ret;
04e482ffd81437e7 Greg Kroah-Hartman 2008-01-30  1125  	tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
add1aaeabe6b08ed Alan Stern         2011-11-17  1126  	if (!tbuf) {
add1aaeabe6b08ed Alan Stern         2011-11-17  1127  		ret = -ENOMEM;
add1aaeabe6b08ed Alan Stern         2011-11-17  1128  		goto done;
add1aaeabe6b08ed Alan Stern         2011-11-17  1129  	}
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1130  	tmo = ctrl->timeout;
0880aef49e40abd1 Chris Frey         2010-01-26  1131  	snoop(&dev->dev, "control urb: bRequestType=%02x "
0880aef49e40abd1 Chris Frey         2010-01-26  1132  		"bRequest=%02x wValue=%04x "
0880aef49e40abd1 Chris Frey         2010-01-26  1133  		"wIndex=%04x wLength=%04x\n",
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1134  		ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1135  		ctrl->wIndex, ctrl->wLength);
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1136  	if (ctrl->bRequestType & 0x80) {
4c6e8971cbe01480 Alan Stern         2009-06-29  1137  		pipe = usb_rcvctrlpipe(dev, 0);
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1138  		snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1139  
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1140  		usb_unlock_device(dev);
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1141  		i = usb_control_msg(dev, pipe, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1142  				    ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1143  				    tbuf, ctrl->wLength, tmo);
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1144  		usb_lock_device(dev);
0880aef49e40abd1 Chris Frey         2010-01-26  1145  		snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
9d02b42614149ebc Michal Sojka       2011-03-15  1146  			  tbuf, max(i, 0));
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1147  		if ((i > 0) && ctrl->wLength) {
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1148  			if (copy_to_user(ctrl->data, tbuf, i)) {
52fb743d3aa7ee27 Alan Stern         2011-11-17  1149  				ret = -EFAULT;
52fb743d3aa7ee27 Alan Stern         2011-11-17  1150  				goto done;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1151  			}
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1152  		}
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1153  	} else {
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1154  		if (ctrl->wLength) {
c17536d0abde2fd2 Christoph Hellwig  2020-07-22 @1155  			if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
52fb743d3aa7ee27 Alan Stern         2011-11-17  1156  				ret = -EFAULT;
52fb743d3aa7ee27 Alan Stern         2011-11-17  1157  				goto done;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1158  			}
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1159  		}
4c6e8971cbe01480 Alan Stern         2009-06-29  1160  		pipe = usb_sndctrlpipe(dev, 0);
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1161  		snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1162  			tbuf, ctrl->wLength);
4c6e8971cbe01480 Alan Stern         2009-06-29  1163  
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1164  		usb_unlock_device(dev);
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1165  		i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1166  				    ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1167  				    tbuf, ctrl->wLength, tmo);
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1168  		usb_lock_device(dev);
0880aef49e40abd1 Chris Frey         2010-01-26  1169  		snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1170  	}
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1171  	if (i < 0 && i != -EPIPE) {
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1172  		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1173  			   "failed cmd %s rqt %u rq %u len %u ret %d\n",
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1174  			   current->comm, ctrl->bRequestType, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig  2020-07-22  1175  			   ctrl->wLength, i);
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1176  	}
52fb743d3aa7ee27 Alan Stern         2011-11-17  1177  	ret = i;
52fb743d3aa7ee27 Alan Stern         2011-11-17  1178   done:
52fb743d3aa7ee27 Alan Stern         2011-11-17  1179  	free_page((unsigned long) tbuf);
add1aaeabe6b08ed Alan Stern         2011-11-17  1180  	usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
add1aaeabe6b08ed Alan Stern         2011-11-17  1181  			sizeof(struct usb_ctrlrequest));
52fb743d3aa7ee27 Alan Stern         2011-11-17  1182  	return ret;
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1183  }
^1da177e4c3f4152 Linus Torvalds     2005-04-16  1184  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 19961 bytes --]

next             reply	other threads:[~2021-01-24 15:50 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-24 15:50 kernel test robot [this message]
  -- strict thread matches above, loose matches on Subject: below --
2020-08-08  5:26 drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192) kernel test robot
2020-08-08  5:26 ` kernel test robot
2020-08-10 12:12 ` Christoph Hellwig
2020-08-10 12:12   ` Christoph Hellwig
2020-08-10 12:14   ` Christoph Hellwig
2020-08-10 12:14     ` Christoph Hellwig
2020-08-10 13:34     ` Dan Carpenter
2020-08-10 13:34       ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202101242357.atnl19AZ-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=kbuild@lists.01.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.