From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751668AbbLJLed (ORCPT ); Thu, 10 Dec 2015 06:34:33 -0500
Received: from userp1040.oracle.com ([156.151.31.81]:32603 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750762AbbLJLec (ORCPT ); Thu, 10 Dec 2015 06:34:32 -0500
Date: Thu, 10 Dec 2015 14:34:21 +0300
From: Dan Carpenter
To: Wim de With
Cc: devel@driverdev.osuosl.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: gdm72xx: add userspace data struct
Message-ID: <20151210113421.GE5284@mwanda>
References: <1449738672-24429-1-git-send-email-nauxuron@wimdewith.com> <20151210093720.GD5284@mwanda> <566948F6.80904@wimdewith.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <566948F6.80904@wimdewith.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: aserv0021.oracle.com [141.146.126.233]
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 10, 2015 at 10:42:14AM +0100, Wim de With wrote:
> On 10-12-2015 10:37, Dan Carpenter wrote:
> > On Thu, Dec 10, 2015 at 10:11:12AM +0100, Wim de With wrote:
> >> @@ -482,8 +483,16 @@ static int gdm_wimax_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
> >>  		/* NOTE: gdm_update_fsm should be called
> >>  		 * before gdm_wimax_ioctl_set_data is called.
> >>  		 */
> >> -		gdm_update_fsm(dev,
> >> -			       req->data.buf);
> >> +		fsm_buf = kmalloc(sizeof(fsm_s), GFP_KERNEL);
> >> +		if (!fsm_buf)
> >> +			return -ENOMEM;
> >> +		if (copy_from_user(fsm_buf, req->data.buf,
> >> +				   sizeof(fsm_s))) {
> >> +			kfree(fsm_buf);
> >> +			return -EFAULT;
> >> +		}
> >> +		gdm_update_fsm(dev, fsm_buf);
> >> +		kfree(fsm_buf);
> >
> >
> > No.  This change is a bug.
> >
> > regards,
> > dan carpenter
> >
>
> But what if I just keep it as:
>
> gdm_update_fsm(dev, req->data.buf)
>
> Then it would just trust a __user pointer, right?

I apologize, I didn't read the patch carefully.  This is a bugfix.

Can you resend the patch with a better patch description where you
replace the last paragraph and say:

Once I updated the Sparse annotations, I noticed a bug in
gdm_wimax_ioctl() where we pass a user space pointer to gdm_update_fsm()
which dereferences it.  I fixed this.

regards,
dan carpenter
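Review bot: the kmalloc()/kfree() pair around the copy in the gdm_wimax_ioctl() hunk looks avoidable. If fsm_s is small, a local `fsm_s fsm;` with `copy_from_user(&fsm, req->data.buf, sizeof(fsm))` and `gdm_update_fsm(dev, &fsm)` removes the -ENOMEM path and both kfree() calls; if the allocation is kept, `sizeof(*fsm_buf)` is preferable to `sizeof(fsm_s)` in both the kmalloc() and the copy_from_user() so the size tracks the pointer type. The error handling as written is correct: a failed copy_from_user() frees the buffer and returns -EFAULT, and the buffer is also freed after gdm_update_fsm() on the success path, which is what makes this a fix for dereferencing the __user pointer rather than a leak.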