* drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2020-08-08 5:26 ` kernel test robot
0 siblings, 0 replies; 9+ messages in thread
From: kernel test robot @ 2020-08-08 5:26 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: kbuild-all, linux-kernel, Greg Kroah-Hartman
[-- Attachment #1: Type: text/plain, Size: 3644 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 049eb096da48db0421dd5e358b9b082a1a8a2025
commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
date: 2 weeks ago
config: nds32-randconfig-m031-20200808 (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
smatch warnings:
drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
vim +/tbuf +1155 drivers/usb/core/devio.c
1104
/*
 * do_proc_control() - perform a synchronous control transfer on endpoint 0
 * using the request fields in @ctrl, staging the data phase through a single
 * kernel page (tbuf).
 *
 * Returns the value of usb_control_msg() once the transfer has been issued,
 * or a negative errno from check_ctrlrecip(), usbfs_increase_memory_usage(),
 * the wLength bound check (-EINVAL), page allocation (-ENOMEM) or a failed
 * user copy (-EFAULT).
 *
 * NOTE(review): the wLength > PAGE_SIZE check is the only bound on the
 * copy_from_user() into the one-page tbuf. The check is made on a local copy
 * while the copy re-reads ctrl->wLength; the two agree only if @ctrl is a
 * kernel-side copy that cannot change in between -- confirm against caller.
 */
1105 static int do_proc_control(struct usb_dev_state *ps,
1106 struct usbdevfs_ctrltransfer *ctrl)
1107 {
1108 struct usb_device *dev = ps->dev;
1109 unsigned int tmo;
1110 unsigned char *tbuf;
1111 unsigned wLength;
1112 int i, pipe, ret;
1113
1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
1115 ctrl->wIndex);
1116 if (ret)
1117 return ret;
     /* Reject requests larger than the one-page buffer allocated below. */
1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
1119 if (wLength > PAGE_SIZE)
1120 return -EINVAL;
     /* Account for the page plus URB and setup packet; undone at "done". */
1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1122 sizeof(struct usb_ctrlrequest));
1123 if (ret)
1124 return ret;
1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1126 if (!tbuf) {
1127 ret = -ENOMEM;
1128 goto done;
1129 }
1130 tmo = ctrl->timeout;
1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
1132 "bRequest=%02x wValue=%04x "
1133 "wIndex=%04x wLength=%04x\n",
1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
1135 ctrl->wIndex, ctrl->wLength);
     /* Bit 7 of bRequestType set: IN transfer, data flows device -> user. */
1136 if (ctrl->bRequestType & 0x80) {
1137 pipe = usb_rcvctrlpipe(dev, 0);
1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
1139
     /* The device lock is dropped around the transfer and retaken after. */
1140 usb_unlock_device(dev);
1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
1143 tbuf, ctrl->wLength, tmo);
1144 usb_lock_device(dev);
1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1146 tbuf, max(i, 0));
     /*
      * Copy back only the i bytes reported as transferred; assumes
      * usb_control_msg() never returns more than the wLength requested
      * -- TODO confirm.
      */
1147 if ((i > 0) && ctrl->wLength) {
1148 if (copy_to_user(ctrl->data, tbuf, i)) {
1149 ret = -EFAULT;
1150 goto done;
1151 }
1152 }
1153 } else {
     /* OUT transfer: stage the user data in tbuf before sending it. */
1154 if (ctrl->wLength) {
> 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
1156 ret = -EFAULT;
1157 goto done;
1158 }
1159 }
1160 pipe = usb_sndctrlpipe(dev, 0);
1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
1162 tbuf, ctrl->wLength);
1163
     /* The device lock is dropped around the transfer and retaken after. */
1164 usb_unlock_device(dev);
1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
1167 tbuf, ctrl->wLength, tmo);
1168 usb_lock_device(dev);
1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1170 }
     /* Failures other than -EPIPE are logged at debug level. */
1171 if (i < 0 && i != -EPIPE) {
1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
1175 ctrl->wLength, i);
1176 }
1177 ret = i;
     /*
      * Common exit: release the page and undo the memory accounting.
      * tbuf is NULL here on the -ENOMEM path.
      */
1178 done:
1179 free_page((unsigned long) tbuf);
1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1181 sizeof(struct usb_ctrlrequest));
1182 return ret;
1183 }
1184
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 28151 bytes --]
* drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2020-08-08 5:26 ` kernel test robot
0 siblings, 0 replies; 9+ messages in thread
From: kernel test robot @ 2020-08-08 5:26 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 3746 bytes --]
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: 049eb096da48db0421dd5e358b9b082a1a8a2025
commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
date: 2 weeks ago
config: nds32-randconfig-m031-20200808 (attached as .config)
compiler: nds32le-linux-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
smatch warnings:
drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
vim +/tbuf +1155 drivers/usb/core/devio.c
1104
/*
 * do_proc_control() - perform a synchronous control transfer on endpoint 0
 * using the request fields in @ctrl, staging the data phase through a single
 * kernel page (tbuf).
 *
 * Returns the value of usb_control_msg() once the transfer has been issued,
 * or a negative errno from check_ctrlrecip(), usbfs_increase_memory_usage(),
 * the wLength bound check (-EINVAL), page allocation (-ENOMEM) or a failed
 * user copy (-EFAULT).
 *
 * NOTE(review): the wLength > PAGE_SIZE check is the only bound on the
 * copy_from_user() into the one-page tbuf. The check is made on a local copy
 * while the copy re-reads ctrl->wLength; the two agree only if @ctrl is a
 * kernel-side copy that cannot change in between -- confirm against caller.
 */
1105 static int do_proc_control(struct usb_dev_state *ps,
1106 struct usbdevfs_ctrltransfer *ctrl)
1107 {
1108 struct usb_device *dev = ps->dev;
1109 unsigned int tmo;
1110 unsigned char *tbuf;
1111 unsigned wLength;
1112 int i, pipe, ret;
1113
1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
1115 ctrl->wIndex);
1116 if (ret)
1117 return ret;
     /* Reject requests larger than the one-page buffer allocated below. */
1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
1119 if (wLength > PAGE_SIZE)
1120 return -EINVAL;
     /* Account for the page plus URB and setup packet; undone at "done". */
1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1122 sizeof(struct usb_ctrlrequest));
1123 if (ret)
1124 return ret;
1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
1126 if (!tbuf) {
1127 ret = -ENOMEM;
1128 goto done;
1129 }
1130 tmo = ctrl->timeout;
1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
1132 "bRequest=%02x wValue=%04x "
1133 "wIndex=%04x wLength=%04x\n",
1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
1135 ctrl->wIndex, ctrl->wLength);
     /* Bit 7 of bRequestType set: IN transfer, data flows device -> user. */
1136 if (ctrl->bRequestType & 0x80) {
1137 pipe = usb_rcvctrlpipe(dev, 0);
1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
1139
     /* The device lock is dropped around the transfer and retaken after. */
1140 usb_unlock_device(dev);
1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
1143 tbuf, ctrl->wLength, tmo);
1144 usb_lock_device(dev);
1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
1146 tbuf, max(i, 0));
     /*
      * Copy back only the i bytes reported as transferred; assumes
      * usb_control_msg() never returns more than the wLength requested
      * -- TODO confirm.
      */
1147 if ((i > 0) && ctrl->wLength) {
1148 if (copy_to_user(ctrl->data, tbuf, i)) {
1149 ret = -EFAULT;
1150 goto done;
1151 }
1152 }
1153 } else {
     /* OUT transfer: stage the user data in tbuf before sending it. */
1154 if (ctrl->wLength) {
> 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
1156 ret = -EFAULT;
1157 goto done;
1158 }
1159 }
1160 pipe = usb_sndctrlpipe(dev, 0);
1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
1162 tbuf, ctrl->wLength);
1163
     /* The device lock is dropped around the transfer and retaken after. */
1164 usb_unlock_device(dev);
1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
1167 tbuf, ctrl->wLength, tmo);
1168 usb_lock_device(dev);
1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
1170 }
     /* Failures other than -EPIPE are logged at debug level. */
1171 if (i < 0 && i != -EPIPE) {
1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
1175 ctrl->wLength, i);
1176 }
1177 ret = i;
     /*
      * Common exit: release the page and undo the memory accounting.
      * tbuf is NULL here on the -ENOMEM path.
      */
1178 done:
1179 free_page((unsigned long) tbuf);
1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
1181 sizeof(struct usb_ctrlrequest));
1182 return ret;
1183 }
1184
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 28151 bytes --]
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
2020-08-08 5:26 ` kernel test robot
@ 2020-08-10 12:12 ` Christoph Hellwig
-1 siblings, 0 replies; 9+ messages in thread
From: Christoph Hellwig @ 2020-08-10 12:12 UTC (permalink / raw)
To: kernel test robot
Cc: Christoph Hellwig, kbuild-all, linux-kernel, Greg Kroah-Hartman
As far as I can tell the warning is valid, as we copy a user-controlled
amount into a fixed-size buffer. But this is an old condition, not actually
created by this commit.
On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> date: 2 weeks ago
> config: nds32-randconfig-m031-20200808 (attached as .config)
> compiler: nds32le-linux-gcc (GCC) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
>
> smatch warnings:
> drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
>
> vim +/tbuf +1155 drivers/usb/core/devio.c
>
> 1104
> 1105 static int do_proc_control(struct usb_dev_state *ps,
> 1106 struct usbdevfs_ctrltransfer *ctrl)
> 1107 {
> 1108 struct usb_device *dev = ps->dev;
> 1109 unsigned int tmo;
> 1110 unsigned char *tbuf;
> 1111 unsigned wLength;
> 1112 int i, pipe, ret;
> 1113
> 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> 1115 ctrl->wIndex);
> 1116 if (ret)
> 1117 return ret;
> 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> 1119 if (wLength > PAGE_SIZE)
> 1120 return -EINVAL;
> 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> 1122 sizeof(struct usb_ctrlrequest));
> 1123 if (ret)
> 1124 return ret;
> 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> 1126 if (!tbuf) {
> 1127 ret = -ENOMEM;
> 1128 goto done;
> 1129 }
> 1130 tmo = ctrl->timeout;
> 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> 1132 "bRequest=%02x wValue=%04x "
> 1133 "wIndex=%04x wLength=%04x\n",
> 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> 1135 ctrl->wIndex, ctrl->wLength);
> 1136 if (ctrl->bRequestType & 0x80) {
> 1137 pipe = usb_rcvctrlpipe(dev, 0);
> 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> 1139
> 1140 usb_unlock_device(dev);
> 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> 1143 tbuf, ctrl->wLength, tmo);
> 1144 usb_lock_device(dev);
> 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> 1146 tbuf, max(i, 0));
> 1147 if ((i > 0) && ctrl->wLength) {
> 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> 1149 ret = -EFAULT;
> 1150 goto done;
> 1151 }
> 1152 }
> 1153 } else {
> 1154 if (ctrl->wLength) {
> > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> 1156 ret = -EFAULT;
> 1157 goto done;
> 1158 }
> 1159 }
> 1160 pipe = usb_sndctrlpipe(dev, 0);
> 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> 1162 tbuf, ctrl->wLength);
> 1163
> 1164 usb_unlock_device(dev);
> 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> 1167 tbuf, ctrl->wLength, tmo);
> 1168 usb_lock_device(dev);
> 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> 1170 }
> 1171 if (i < 0 && i != -EPIPE) {
> 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> 1175 ctrl->wLength, i);
> 1176 }
> 1177 ret = i;
> 1178 done:
> 1179 free_page((unsigned long) tbuf);
> 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> 1181 sizeof(struct usb_ctrlrequest));
> 1182 return ret;
> 1183 }
> 1184
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
---end quoted text---
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2020-08-10 12:12 ` Christoph Hellwig
0 siblings, 0 replies; 9+ messages in thread
From: Christoph Hellwig @ 2020-08-10 12:12 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 4214 bytes --]
As far as I can tell the warning is valid, as we copy a user-controlled
amount into a fixed-size buffer. But this is an old condition, not actually
created by this commit.
On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> date: 2 weeks ago
> config: nds32-randconfig-m031-20200808 (attached as .config)
> compiler: nds32le-linux-gcc (GCC) 9.3.0
>
> If you fix the issue, kindly add following tag as appropriate
> Reported-by: kernel test robot <lkp@intel.com>
>
> smatch warnings:
> drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
>
> vim +/tbuf +1155 drivers/usb/core/devio.c
>
> 1104
> 1105 static int do_proc_control(struct usb_dev_state *ps,
> 1106 struct usbdevfs_ctrltransfer *ctrl)
> 1107 {
> 1108 struct usb_device *dev = ps->dev;
> 1109 unsigned int tmo;
> 1110 unsigned char *tbuf;
> 1111 unsigned wLength;
> 1112 int i, pipe, ret;
> 1113
> 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> 1115 ctrl->wIndex);
> 1116 if (ret)
> 1117 return ret;
> 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> 1119 if (wLength > PAGE_SIZE)
> 1120 return -EINVAL;
> 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> 1122 sizeof(struct usb_ctrlrequest));
> 1123 if (ret)
> 1124 return ret;
> 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> 1126 if (!tbuf) {
> 1127 ret = -ENOMEM;
> 1128 goto done;
> 1129 }
> 1130 tmo = ctrl->timeout;
> 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> 1132 "bRequest=%02x wValue=%04x "
> 1133 "wIndex=%04x wLength=%04x\n",
> 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> 1135 ctrl->wIndex, ctrl->wLength);
> 1136 if (ctrl->bRequestType & 0x80) {
> 1137 pipe = usb_rcvctrlpipe(dev, 0);
> 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> 1139
> 1140 usb_unlock_device(dev);
> 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> 1143 tbuf, ctrl->wLength, tmo);
> 1144 usb_lock_device(dev);
> 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> 1146 tbuf, max(i, 0));
> 1147 if ((i > 0) && ctrl->wLength) {
> 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> 1149 ret = -EFAULT;
> 1150 goto done;
> 1151 }
> 1152 }
> 1153 } else {
> 1154 if (ctrl->wLength) {
> > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> 1156 ret = -EFAULT;
> 1157 goto done;
> 1158 }
> 1159 }
> 1160 pipe = usb_sndctrlpipe(dev, 0);
> 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> 1162 tbuf, ctrl->wLength);
> 1163
> 1164 usb_unlock_device(dev);
> 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> 1167 tbuf, ctrl->wLength, tmo);
> 1168 usb_lock_device(dev);
> 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> 1170 }
> 1171 if (i < 0 && i != -EPIPE) {
> 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> 1175 ctrl->wLength, i);
> 1176 }
> 1177 ret = i;
> 1178 done:
> 1179 free_page((unsigned long) tbuf);
> 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> 1181 sizeof(struct usb_ctrlrequest));
> 1182 return ret;
> 1183 }
> 1184
>
> ---
> 0-DAY CI Kernel Test Service, Intel Corporation
> https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
---end quoted text---
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
2020-08-10 12:12 ` Christoph Hellwig
@ 2020-08-10 12:14 ` Christoph Hellwig
-1 siblings, 0 replies; 9+ messages in thread
From: Christoph Hellwig @ 2020-08-10 12:14 UTC (permalink / raw)
To: kernel test robot
Cc: Christoph Hellwig, kbuild-all, linux-kernel, Greg Kroah-Hartman,
Dan Carpenter
On Mon, Aug 10, 2020 at 02:12:23PM +0200, Christoph Hellwig wrote:
> As far as I can tell the warning is valid as we copy a user controlled
> amount into a fixed sized buffer. But this an old condition not actually
> created by this commit..
Actually, it is not. do_proc_control checks the length, but does it
using a somewhat pointless local variable, which might have confused
smatch.
>
> On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> > commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> > date: 2 weeks ago
> > config: nds32-randconfig-m031-20200808 (attached as .config)
> > compiler: nds32le-linux-gcc (GCC) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> >
> > smatch warnings:
> > drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
> >
> > vim +/tbuf +1155 drivers/usb/core/devio.c
> >
> > 1104
> > 1105 static int do_proc_control(struct usb_dev_state *ps,
> > 1106 struct usbdevfs_ctrltransfer *ctrl)
> > 1107 {
> > 1108 struct usb_device *dev = ps->dev;
> > 1109 unsigned int tmo;
> > 1110 unsigned char *tbuf;
> > 1111 unsigned wLength;
> > 1112 int i, pipe, ret;
> > 1113
> > 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> > 1115 ctrl->wIndex);
> > 1116 if (ret)
> > 1117 return ret;
> > 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> > 1119 if (wLength > PAGE_SIZE)
> > 1120 return -EINVAL;
> > 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > 1122 sizeof(struct usb_ctrlrequest));
> > 1123 if (ret)
> > 1124 return ret;
> > 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> > 1126 if (!tbuf) {
> > 1127 ret = -ENOMEM;
> > 1128 goto done;
> > 1129 }
> > 1130 tmo = ctrl->timeout;
> > 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> > 1132 "bRequest=%02x wValue=%04x "
> > 1133 "wIndex=%04x wLength=%04x\n",
> > 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> > 1135 ctrl->wIndex, ctrl->wLength);
> > 1136 if (ctrl->bRequestType & 0x80) {
> > 1137 pipe = usb_rcvctrlpipe(dev, 0);
> > 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> > 1139
> > 1140 usb_unlock_device(dev);
> > 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> > 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > 1143 tbuf, ctrl->wLength, tmo);
> > 1144 usb_lock_device(dev);
> > 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> > 1146 tbuf, max(i, 0));
> > 1147 if ((i > 0) && ctrl->wLength) {
> > 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> > 1149 ret = -EFAULT;
> > 1150 goto done;
> > 1151 }
> > 1152 }
> > 1153 } else {
> > 1154 if (ctrl->wLength) {
> > > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> > 1156 ret = -EFAULT;
> > 1157 goto done;
> > 1158 }
> > 1159 }
> > 1160 pipe = usb_sndctrlpipe(dev, 0);
> > 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> > 1162 tbuf, ctrl->wLength);
> > 1163
> > 1164 usb_unlock_device(dev);
> > 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> > 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > 1167 tbuf, ctrl->wLength, tmo);
> > 1168 usb_lock_device(dev);
> > 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> > 1170 }
> > 1171 if (i < 0 && i != -EPIPE) {
> > 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> > 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> > 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> > 1175 ctrl->wLength, i);
> > 1176 }
> > 1177 ret = i;
> > 1178 done:
> > 1179 free_page((unsigned long) tbuf);
> > 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > 1181 sizeof(struct usb_ctrlrequest));
> > 1182 return ret;
> > 1183 }
> > 1184
> >
> > ---
> > 0-DAY CI Kernel Test Service, Intel Corporation
> > https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
>
>
> ---end quoted text---
---end quoted text---
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2020-08-10 12:14 ` Christoph Hellwig
0 siblings, 0 replies; 9+ messages in thread
From: Christoph Hellwig @ 2020-08-10 12:14 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 4674 bytes --]
On Mon, Aug 10, 2020 at 02:12:23PM +0200, Christoph Hellwig wrote:
> As far as I can tell the warning is valid as we copy a user controlled
> amount into a fixed sized buffer. But this an old condition not actually
> created by this commit..
Actually, it is not. do_proc_control checks the length, but does it
using a somewhat pointless local variable, which might have confused
smatch.
>
> On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> > commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> > date: 2 weeks ago
> > config: nds32-randconfig-m031-20200808 (attached as .config)
> > compiler: nds32le-linux-gcc (GCC) 9.3.0
> >
> > If you fix the issue, kindly add following tag as appropriate
> > Reported-by: kernel test robot <lkp@intel.com>
> >
> > smatch warnings:
> > drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
> >
> > vim +/tbuf +1155 drivers/usb/core/devio.c
> >
> > 1104
> > 1105 static int do_proc_control(struct usb_dev_state *ps,
> > 1106 struct usbdevfs_ctrltransfer *ctrl)
> > 1107 {
> > 1108 struct usb_device *dev = ps->dev;
> > 1109 unsigned int tmo;
> > 1110 unsigned char *tbuf;
> > 1111 unsigned wLength;
> > 1112 int i, pipe, ret;
> > 1113
> > 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> > 1115 ctrl->wIndex);
> > 1116 if (ret)
> > 1117 return ret;
> > 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> > 1119 if (wLength > PAGE_SIZE)
> > 1120 return -EINVAL;
> > 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > 1122 sizeof(struct usb_ctrlrequest));
> > 1123 if (ret)
> > 1124 return ret;
> > 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> > 1126 if (!tbuf) {
> > 1127 ret = -ENOMEM;
> > 1128 goto done;
> > 1129 }
> > 1130 tmo = ctrl->timeout;
> > 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> > 1132 "bRequest=%02x wValue=%04x "
> > 1133 "wIndex=%04x wLength=%04x\n",
> > 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> > 1135 ctrl->wIndex, ctrl->wLength);
> > 1136 if (ctrl->bRequestType & 0x80) {
> > 1137 pipe = usb_rcvctrlpipe(dev, 0);
> > 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> > 1139
> > 1140 usb_unlock_device(dev);
> > 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> > 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > 1143 tbuf, ctrl->wLength, tmo);
> > 1144 usb_lock_device(dev);
> > 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> > 1146 tbuf, max(i, 0));
> > 1147 if ((i > 0) && ctrl->wLength) {
> > 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> > 1149 ret = -EFAULT;
> > 1150 goto done;
> > 1151 }
> > 1152 }
> > 1153 } else {
> > 1154 if (ctrl->wLength) {
> > > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> > 1156 ret = -EFAULT;
> > 1157 goto done;
> > 1158 }
> > 1159 }
> > 1160 pipe = usb_sndctrlpipe(dev, 0);
> > 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> > 1162 tbuf, ctrl->wLength);
> > 1163
> > 1164 usb_unlock_device(dev);
> > 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> > 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > 1167 tbuf, ctrl->wLength, tmo);
> > 1168 usb_lock_device(dev);
> > 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> > 1170 }
> > 1171 if (i < 0 && i != -EPIPE) {
> > 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> > 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> > 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> > 1175 ctrl->wLength, i);
> > 1176 }
> > 1177 ret = i;
> > 1178 done:
> > 1179 free_page((unsigned long) tbuf);
> > 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > 1181 sizeof(struct usb_ctrlrequest));
> > 1182 return ret;
> > 1183 }
> > 1184
> >
> > ---
> > 0-DAY CI Kernel Test Service, Intel Corporation
> > https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
>
>
> ---end quoted text---
---end quoted text---
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
2020-08-10 12:14 ` Christoph Hellwig
@ 2020-08-10 13:34 ` Dan Carpenter
-1 siblings, 0 replies; 9+ messages in thread
From: Dan Carpenter @ 2020-08-10 13:34 UTC (permalink / raw)
To: Christoph Hellwig
Cc: kernel test robot, kbuild-all, linux-kernel, Greg Kroah-Hartman
On Mon, Aug 10, 2020 at 02:14:33PM +0200, Christoph Hellwig wrote:
> On Mon, Aug 10, 2020 at 02:12:23PM +0200, Christoph Hellwig wrote:
> > As far as I can tell the warning is valid as we copy a user controlled
> > amount into a fixed sized buffer. But this an old condition not actually
> > created by this commit..
>
> Actually, is is not. do_proc_control checks the legnth, but does it
> using a somewhat pointless local variable, which might have confused
> smatch.
I think what's happening is that this is using PAGE_SIZE = 8096 and
smatch assumes that it's always 4096. It seems obvious in retrospect
that you can't assume the page size is 4096, but I'm not sure how to
calculate the actual page size...
Normally I filter all Smatch kbuild bot warnings manually before
forwarding them but this one was sent directly.
regards,
dan carpenter
>
> >
> > On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > > head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> > > commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> > > date: 2 weeks ago
> > > config: nds32-randconfig-m031-20200808 (attached as .config)
> > > compiler: nds32le-linux-gcc (GCC) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > >
> > > smatch warnings:
> > > drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
> > >
> > > vim +/tbuf +1155 drivers/usb/core/devio.c
> > >
> > > 1104
> > > 1105 static int do_proc_control(struct usb_dev_state *ps,
> > > 1106 struct usbdevfs_ctrltransfer *ctrl)
> > > 1107 {
> > > 1108 struct usb_device *dev = ps->dev;
> > > 1109 unsigned int tmo;
> > > 1110 unsigned char *tbuf;
> > > 1111 unsigned wLength;
> > > 1112 int i, pipe, ret;
> > > 1113
> > > 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> > > 1115 ctrl->wIndex);
> > > 1116 if (ret)
> > > 1117 return ret;
> > > 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> > > 1119 if (wLength > PAGE_SIZE)
> > > 1120 return -EINVAL;
> > > 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > > 1122 sizeof(struct usb_ctrlrequest));
> > > 1123 if (ret)
> > > 1124 return ret;
> > > 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> > > 1126 if (!tbuf) {
> > > 1127 ret = -ENOMEM;
> > > 1128 goto done;
> > > 1129 }
> > > 1130 tmo = ctrl->timeout;
> > > 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> > > 1132 "bRequest=%02x wValue=%04x "
> > > 1133 "wIndex=%04x wLength=%04x\n",
> > > 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> > > 1135 ctrl->wIndex, ctrl->wLength);
> > > 1136 if (ctrl->bRequestType & 0x80) {
> > > 1137 pipe = usb_rcvctrlpipe(dev, 0);
> > > 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> > > 1139
> > > 1140 usb_unlock_device(dev);
> > > 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> > > 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > > 1143 tbuf, ctrl->wLength, tmo);
> > > 1144 usb_lock_device(dev);
> > > 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> > > 1146 tbuf, max(i, 0));
> > > 1147 if ((i > 0) && ctrl->wLength) {
> > > 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> > > 1149 ret = -EFAULT;
> > > 1150 goto done;
> > > 1151 }
> > > 1152 }
> > > 1153 } else {
> > > 1154 if (ctrl->wLength) {
> > > > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> > > 1156 ret = -EFAULT;
> > > 1157 goto done;
> > > 1158 }
> > > 1159 }
> > > 1160 pipe = usb_sndctrlpipe(dev, 0);
> > > 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> > > 1162 tbuf, ctrl->wLength);
> > > 1163
> > > 1164 usb_unlock_device(dev);
> > > 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> > > 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > > 1167 tbuf, ctrl->wLength, tmo);
> > > 1168 usb_lock_device(dev);
> > > 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> > > 1170 }
> > > 1171 if (i < 0 && i != -EPIPE) {
> > > 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> > > 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> > > 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> > > 1175 ctrl->wLength, i);
> > > 1176 }
> > > 1177 ret = i;
> > > 1178 done:
> > > 1179 free_page((unsigned long) tbuf);
> > > 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > > 1181 sizeof(struct usb_ctrlrequest));
> > > 1182 return ret;
> > > 1183 }
> > > 1184
> > >
> > > ---
> > > 0-DAY CI Kernel Test Service, Intel Corporation
> > > https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
> >
> >
> > ---end quoted text---
> ---end quoted text---
* Re: drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2020-08-10 13:34 ` Dan Carpenter
From: Dan Carpenter @ 2020-08-10 13:34 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 5360 bytes --]
On Mon, Aug 10, 2020 at 02:14:33PM +0200, Christoph Hellwig wrote:
> On Mon, Aug 10, 2020 at 02:12:23PM +0200, Christoph Hellwig wrote:
> > As far as I can tell the warning is valid as we copy a user controlled
> > amount into a fixed sized buffer. But this is an old condition not actually
> > created by this commit..
>
> Actually, it is not. do_proc_control checks the length, but does it
> using a somewhat pointless local variable, which might have confused
> smatch.
I think what's happening is that this is using PAGE_SIZE = 8096 [sic; the
warning above reports 8192] and smatch assumes that it's always 4096. It
seems obvious in retrospect that you can't assume the page size is 4096,
but I'm not sure how to calculate the actual page size...
Normally I filter all Smatch kbuild bot warnings manually before
forwarding them but this one was sent directly.
regards,
dan carpenter
>
> >
> > On Sat, Aug 08, 2020 at 01:26:39PM +0800, kernel test robot wrote:
> > > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> > > head: 049eb096da48db0421dd5e358b9b082a1a8a2025
> > > commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
> > > date: 2 weeks ago
> > > config: nds32-randconfig-m031-20200808 (attached as .config)
> > > compiler: nds32le-linux-gcc (GCC) 9.3.0
> > >
> > > If you fix the issue, kindly add following tag as appropriate
> > > Reported-by: kernel test robot <lkp@intel.com>
> > >
> > > smatch warnings:
> > > drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
> > >
> > > vim +/tbuf +1155 drivers/usb/core/devio.c
> > >
> > > 1104
> > > 1105 static int do_proc_control(struct usb_dev_state *ps,
> > > 1106 struct usbdevfs_ctrltransfer *ctrl)
> > > 1107 {
> > > 1108 struct usb_device *dev = ps->dev;
> > > 1109 unsigned int tmo;
> > > 1110 unsigned char *tbuf;
> > > 1111 unsigned wLength;
> > > 1112 int i, pipe, ret;
> > > 1113
> > > 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
> > > 1115 ctrl->wIndex);
> > > 1116 if (ret)
> > > 1117 return ret;
> > > 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
> > > 1119 if (wLength > PAGE_SIZE)
> > > 1120 return -EINVAL;
> > > 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > > 1122 sizeof(struct usb_ctrlrequest));
> > > 1123 if (ret)
> > > 1124 return ret;
> > > 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
> > > 1126 if (!tbuf) {
> > > 1127 ret = -ENOMEM;
> > > 1128 goto done;
> > > 1129 }
> > > 1130 tmo = ctrl->timeout;
> > > 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
> > > 1132 "bRequest=%02x wValue=%04x "
> > > 1133 "wIndex=%04x wLength=%04x\n",
> > > 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
> > > 1135 ctrl->wIndex, ctrl->wLength);
> > > 1136 if (ctrl->bRequestType & 0x80) {
> > > 1137 pipe = usb_rcvctrlpipe(dev, 0);
> > > 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
> > > 1139
> > > 1140 usb_unlock_device(dev);
> > > 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
> > > 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > > 1143 tbuf, ctrl->wLength, tmo);
> > > 1144 usb_lock_device(dev);
> > > 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
> > > 1146 tbuf, max(i, 0));
> > > 1147 if ((i > 0) && ctrl->wLength) {
> > > 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
> > > 1149 ret = -EFAULT;
> > > 1150 goto done;
> > > 1151 }
> > > 1152 }
> > > 1153 } else {
> > > 1154 if (ctrl->wLength) {
> > > > 1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
> > > 1156 ret = -EFAULT;
> > > 1157 goto done;
> > > 1158 }
> > > 1159 }
> > > 1160 pipe = usb_sndctrlpipe(dev, 0);
> > > 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
> > > 1162 tbuf, ctrl->wLength);
> > > 1163
> > > 1164 usb_unlock_device(dev);
> > > 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
> > > 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
> > > 1167 tbuf, ctrl->wLength, tmo);
> > > 1168 usb_lock_device(dev);
> > > 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
> > > 1170 }
> > > 1171 if (i < 0 && i != -EPIPE) {
> > > 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
> > > 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
> > > 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
> > > 1175 ctrl->wLength, i);
> > > 1176 }
> > > 1177 ret = i;
> > > 1178 done:
> > > 1179 free_page((unsigned long) tbuf);
> > > 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
> > > 1181 sizeof(struct usb_ctrlrequest));
> > > 1182 return ret;
> > > 1183 }
> > > 1184
> > >
> > > ---
> > > 0-DAY CI Kernel Test Service, Intel Corporation
> > > https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
> >
> >
> > ---end quoted text---
> ---end quoted text---
* drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
@ 2021-01-24 15:50 kernel test robot
From: kernel test robot @ 2021-01-24 15:50 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 7954 bytes --]
CC: kbuild-all(a)lists.01.org
CC: linux-kernel(a)vger.kernel.org
TO: Christoph Hellwig <hch@lst.de>
CC: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: e1ae4b0be15891faf46d390e9f3dc9bd71a8cae1
commit: c17536d0abde2fd24afca542e3bb73b45a299633 usb: usbfs: stop using compat_alloc_user_space
date: 6 months ago
:::::: branch date: 20 hours ago
:::::: commit date: 6 months ago
config: arc-randconfig-m031-20210124 (attached as .config)
compiler: arceb-elf-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
New smatch warnings:
drivers/usb/core/devio.c:1155 do_proc_control() error: copy_from_user() 'tbuf' too small (4096 vs 8192)
Old smatch warnings:
arch/arc/include/asm/thread_info.h:65 current_thread_info() error: uninitialized symbol 'sp'.
vim +/tbuf +1155 drivers/usb/core/devio.c
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1104
/*
 * do_proc_control - perform one usbfs control transfer described by *ctrl.
 *
 * The request is first vetted by check_ctrlrecip(), the data stage length is
 * capped at PAGE_SIZE, and a single page from __get_free_page() is used as
 * the bounce buffer between user memory (ctrl->data) and usb_control_msg().
 * The buffer plus URB bookkeeping is charged to and released from the usbfs
 * memory accounting on entry and exit.
 *
 * Returns the value of usb_control_msg() (stored in i), or -EINVAL when
 * wLength exceeds PAGE_SIZE, -ENOMEM when no page is available, -EFAULT when
 * a user copy fails, or the error from check_ctrlrecip() /
 * usbfs_increase_memory_usage().
 *
 * NOTE(review): ctrl is dereferenced directly and carries no __user
 * annotation, so it presumably points at a kernel-side copy of the ioctl
 * argument; confirm against the caller, because the bounds reasoning below
 * relies on ctrl->wLength not changing after the check.
 */
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1105 static int do_proc_control(struct usb_dev_state *ps,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1106 struct usbdevfs_ctrltransfer *ctrl)
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1107 {
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1108 struct usb_device *dev = ps->dev;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1109 unsigned int tmo;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1110 unsigned char *tbuf;
ff66e3ce35241251 Andrew Morton 2008-03-12 1111 unsigned wLength;
4c6e8971cbe01480 Alan Stern 2009-06-29 1112 int i, pipe, ret;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1113
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1114 ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1115 ctrl->wIndex);
04e482ffd81437e7 Greg Kroah-Hartman 2008-01-30 1116 if (ret)
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1117 return ret;
/*
 * Length check: the caller-supplied wLength is copied to a local and
 * rejected when it exceeds PAGE_SIZE. This is the only bound on every later
 * use of ctrl->wLength as a copy or transfer length into the one-page tbuf.
 */
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1118 wLength = ctrl->wLength; /* To suppress 64k PAGE_SIZE warning */
ff66e3ce35241251 Andrew Morton 2008-03-12 1119 if (wLength > PAGE_SIZE)
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1120 return -EINVAL;
/* Charge the page and URB overhead before allocating; undone at done:. */
add1aaeabe6b08ed Alan Stern 2011-11-17 1121 ret = usbfs_increase_memory_usage(PAGE_SIZE + sizeof(struct urb) +
add1aaeabe6b08ed Alan Stern 2011-11-17 1122 sizeof(struct usb_ctrlrequest));
add1aaeabe6b08ed Alan Stern 2011-11-17 1123 if (ret)
add1aaeabe6b08ed Alan Stern 2011-11-17 1124 return ret;
/* tbuf is exactly one page, i.e. PAGE_SIZE bytes of the running kernel. */
04e482ffd81437e7 Greg Kroah-Hartman 2008-01-30 1125 tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
add1aaeabe6b08ed Alan Stern 2011-11-17 1126 if (!tbuf) {
add1aaeabe6b08ed Alan Stern 2011-11-17 1127 ret = -ENOMEM;
/* done: then calls free_page() on a zero address and drops the charge. */
add1aaeabe6b08ed Alan Stern 2011-11-17 1128 goto done;
add1aaeabe6b08ed Alan Stern 2011-11-17 1129 }
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1130 tmo = ctrl->timeout;
0880aef49e40abd1 Chris Frey 2010-01-26 1131 snoop(&dev->dev, "control urb: bRequestType=%02x "
0880aef49e40abd1 Chris Frey 2010-01-26 1132 "bRequest=%02x wValue=%04x "
0880aef49e40abd1 Chris Frey 2010-01-26 1133 "wIndex=%04x wLength=%04x\n",
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1134 ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1135 ctrl->wIndex, ctrl->wLength);
/* Bit 0x80 of bRequestType selects the receive (device-to-host) branch. */
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1136 if (ctrl->bRequestType & 0x80) {
4c6e8971cbe01480 Alan Stern 2009-06-29 1137 pipe = usb_rcvctrlpipe(dev, 0);
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1138 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1139
/* The device lock is released for the duration of the transfer. */
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1140 usb_unlock_device(dev);
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1141 i = usb_control_msg(dev, pipe, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1142 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1143 tbuf, ctrl->wLength, tmo);
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1144 usb_lock_device(dev);
0880aef49e40abd1 Chris Frey 2010-01-26 1145 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
9d02b42614149ebc Michal Sojka 2011-03-15 1146 tbuf, max(i, 0));
/*
 * Only the i bytes reported by usb_control_msg() are copied out, so the rest
 * of the page is never exposed to user space.
 * NOTE(review): this assumes i never exceeds the requested ctrl->wLength.
 */
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1147 if ((i > 0) && ctrl->wLength) {
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1148 if (copy_to_user(ctrl->data, tbuf, i)) {
52fb743d3aa7ee27 Alan Stern 2011-11-17 1149 ret = -EFAULT;
52fb743d3aa7ee27 Alan Stern 2011-11-17 1150 goto done;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1151 }
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1152 }
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1153 } else {
/*
 * Line flagged by smatch. The copy length is ctrl->wLength, the same field
 * that was bounded through the local wLength at line 1119, and tbuf is one
 * page, so the copy fits as long as ctrl->wLength is unchanged since the
 * check. The analyzer sees the check applied to the local variable while
 * the copy uses the struct field.
 */
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1154 if (ctrl->wLength) {
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 @1155 if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
52fb743d3aa7ee27 Alan Stern 2011-11-17 1156 ret = -EFAULT;
52fb743d3aa7ee27 Alan Stern 2011-11-17 1157 goto done;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1158 }
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1159 }
4c6e8971cbe01480 Alan Stern 2009-06-29 1160 pipe = usb_sndctrlpipe(dev, 0);
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1161 snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1162 tbuf, ctrl->wLength);
4c6e8971cbe01480 Alan Stern 2009-06-29 1163
/* As in the receive branch, the device lock is dropped around the transfer. */
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1164 usb_unlock_device(dev);
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1165 i = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1166 ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1167 tbuf, ctrl->wLength, tmo);
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1168 usb_lock_device(dev);
0880aef49e40abd1 Chris Frey 2010-01-26 1169 snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1170 }
/* Failures other than -EPIPE are logged at debug level with the caller's comm. */
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1171 if (i < 0 && i != -EPIPE) {
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1172 dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1173 "failed cmd %s rqt %u rq %u len %u ret %d\n",
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1174 current->comm, ctrl->bRequestType, ctrl->bRequest,
c17536d0abde2fd2 Christoph Hellwig 2020-07-22 1175 ctrl->wLength, i);
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1176 }
52fb743d3aa7ee27 Alan Stern 2011-11-17 1177 ret = i;
/* Common exit: release the bounce page and undo the memory accounting. */
52fb743d3aa7ee27 Alan Stern 2011-11-17 1178 done:
52fb743d3aa7ee27 Alan Stern 2011-11-17 1179 free_page((unsigned long) tbuf);
add1aaeabe6b08ed Alan Stern 2011-11-17 1180 usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
add1aaeabe6b08ed Alan Stern 2011-11-17 1181 sizeof(struct usb_ctrlrequest));
52fb743d3aa7ee27 Alan Stern 2011-11-17 1182 return ret;
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1183 }
^1da177e4c3f4152 Linus Torvalds 2005-04-16 1184
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 19961 bytes --]