From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Kiran K <kiran.k@intel.com>,
	linux-bluetooth@vger.kernel.org
Cc: lkp@intel.com, kbuild-all@lists.01.org,
	ravishankar.srivatsa@intel.com, chethan.tumkur.narayan@intel.com,
	luiz.von.dentz@intel.com, Kiran K <kiran.k@intel.com>
Subject: Re: [PATCH v3 08/13] Bluetooth: Implement MSFT avdtp open command
Date: Fri, 19 Nov 2021 17:27:53 +0300
Message-ID: <202111190204.lssqaO96-lkp@intel.com>
In-Reply-To: <20211115064914.2345-8-kiran.k@intel.com>

Hi Kiran,

url:    https://github.com/0day-ci/linux/commits/Kiran-K/Bluetooth-Refactor-code-to-read-supported-codecs-in-getsockopt/20211115-144640
base:   https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master
config: i386-randconfig-m021-20211115 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

New smatch warnings:
net/bluetooth/hci_codec.c:388 hci_configure_msft_avdtp_open() warn: is 'cmd + 1' large enough for 'struct hci_media_service_caps'? s32min

Old smatch warnings:
net/bluetooth/hci_codec.c:399 hci_configure_msft_avdtp_open() error: uninitialized symbol 'err'.

vim +388 net/bluetooth/hci_codec.c

d9396dc909768b Kiran K 2021-11-15  359  int hci_configure_msft_avdtp_open(struct hci_dev *hdev, struct l2cap_chan *chan,
d9396dc909768b Kiran K 2021-11-15  360  				  sockptr_t optval, int optlen)
d9396dc909768b Kiran K 2021-11-15  361  {
d9396dc909768b Kiran K 2021-11-15  362  	struct msft_cp_avdtp_open *cmd = NULL;
d9396dc909768b Kiran K 2021-11-15  363  	struct hci_media_service_caps *caps;
d9396dc909768b Kiran K 2021-11-15  364  	int err;
d9396dc909768b Kiran K 2021-11-15  365  
d9396dc909768b Kiran K 2021-11-15  366  	if (!optlen || optlen < sizeof(*caps)) {

The kbuild-bot doesn't use cross function analysis so it doesn't know
how this function is called.  This check doesn't prevent negative values
of "optlen" and the "!optlen" condition is not required.  Of course,
making "optlen" into an unsigned value changes it from a "negatives are
not handled" warning into an "integer overflows are not handled" warning.

One idea would be to just make sure this is called with valid values and
ignore the warning.  It probably should be disabled globally if you
don't have the cross function database.  Another idea would be to
write this as:

	if (optlen < 0 || optlen < sizeof(*caps)) {

Negatives don't really cause a problem though because copy_from_user()
has a check for that added in commit 6d13de1489b6 ("uaccess: disallow >
INT_MAX copy sizes").

regards,
dan carpenter

d9396dc909768b Kiran K 2021-11-15  367  		err = -EINVAL;
d9396dc909768b Kiran K 2021-11-15  368  		goto fail;
d9396dc909768b Kiran K 2021-11-15  369  	}
d9396dc909768b Kiran K 2021-11-15  370  
d9396dc909768b Kiran K 2021-11-15  371  	cmd = kzalloc(sizeof(*cmd) + optlen, GFP_KERNEL);
d9396dc909768b Kiran K 2021-11-15  372  	if (!cmd) {
d9396dc909768b Kiran K 2021-11-15  373  		err = -ENOMEM;
d9396dc909768b Kiran K 2021-11-15  374  		goto fail;
d9396dc909768b Kiran K 2021-11-15  375  	}
d9396dc909768b Kiran K 2021-11-15  376  
d9396dc909768b Kiran K 2021-11-15  377  	cmd->sub_opcode = HCI_MSFT_AVDTP_OPEN;
d9396dc909768b Kiran K 2021-11-15  378  	cmd->handle = __cpu_to_le16(chan->conn->hcon->handle);
d9396dc909768b Kiran K 2021-11-15  379  	cmd->dcid = cpu_to_le16(chan->dcid);
d9396dc909768b Kiran K 2021-11-15  380  	cmd->omtu = cpu_to_le16(chan->omtu);
d9396dc909768b Kiran K 2021-11-15  381  	caps = (void *)(cmd + 1);
d9396dc909768b Kiran K 2021-11-15  382  
d9396dc909768b Kiran K 2021-11-15  383  	if (copy_from_sockptr(caps, optval, optlen)) {
d9396dc909768b Kiran K 2021-11-15  384  		err = -EFAULT;
d9396dc909768b Kiran K 2021-11-15  385  		goto fail;
d9396dc909768b Kiran K 2021-11-15  386  	}
d9396dc909768b Kiran K 2021-11-15  387  
d9396dc909768b Kiran K 2021-11-15 @388  	if (caps->category != 0x07) {
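
Review bot: the length check at line 366 sets only a lower bound on optlen, so the size passed to kzalloc() at line 371 and the length given to copy_from_sockptr() at line 383 are whatever the caller supplies. Unless every caller already bounds optlen, add an upper limit next to the existing check, tied to the largest capabilities payload this command can carry, and return -EINVAL above it.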

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
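
The signed/unsigned comparison discussed in the reply, as an added example that is not part of the original message or the kernel patch: a userspace model of the check at line 366 beside the suggested form, plus a hypothetical unsigned variant with the overflow guard it would need. `struct caps_model` and its 4-byte layout, the function names and the sample values are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for struct hci_media_service_caps; this 4-byte layout is assumed. */
struct caps_model { unsigned char category, len, data[2]; };

/* Check as posted at line 366. In "optlen < sizeof(...)" the int is
 * converted to size_t, so a negative optlen compares as a huge value. */
static int check_as_posted(int optlen)
{
	if (!optlen || optlen < sizeof(struct caps_model))
		return -EINVAL;
	return 0;
}

/* Form suggested in the reply: reject negatives before the mixed compare. */
static int check_suggested(int optlen)
{
	if (optlen < 0 || optlen < sizeof(struct caps_model))
		return -EINVAL;
	return 0;
}

/* Unsigned variant (hypothetical): no negatives, but "hdr + optlen" can now
 * wrap, so the addition feeding the allocator is guarded explicitly. */
static int check_unsigned(size_t optlen, size_t hdr)
{
	if (optlen < sizeof(struct caps_model) || optlen > SIZE_MAX - hdr)
		return -EINVAL;
	return 0;
}

int main(void)
{
	int samples[] = { 0, 1, 4, 64, -1, -8 };	/* constructed inputs */
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("optlen=%3d posted=%d suggested=%d\n", samples[i],
		       check_as_posted(samples[i]), check_suggested(samples[i]));
	printf("unsigned SIZE_MAX, hdr=8: %d\n", check_unsigned(SIZE_MAX, 8));
	return 0;
}
```

The zero case is rejected by both forms through the size comparison alone, which is why the reply calls the `!optlen` test unnecessary.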

