Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
drivers/block/cciss.c | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index cd37550..40ee715 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1596,15 +1596,9 @@ static int cciss_bigpassthru(ctlr_info_t *h, void __user *argp)
return -EINVAL;
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
- ioc = kmalloc(sizeof(*ioc), GFP_KERNEL);
- if (!ioc) {
- status = -ENOMEM;
- goto cleanup1;
- }
- if (copy_from_user(ioc, argp, sizeof(*ioc))) {
- status = -EFAULT;
- goto cleanup1;
- }
+ ioc = memdup_user(argp, sizeof(*ioc));
+ if (IS_ERR(ioc))
+ return PTR_ERR(ioc);
if ((ioc->buf_size < 1) &&
(ioc->Request.Type.Direction != XFER_NONE)) {
status = -EINVAL;
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
drivers/block/floppy.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
index 60d4c76..167426c 100644
--- a/drivers/block/floppy.c
+++ b/drivers/block/floppy.c
@@ -3121,16 +3121,13 @@ static int raw_cmd_copyin(int cmd, void __user *param,
*rcmd = NULL;
loop:
- ptr = kmalloc(sizeof(struct floppy_raw_cmd), GFP_KERNEL);
- if (!ptr)
- return -ENOMEM;
+ ptr = memdup_user(param, sizeof(*ptr));
+ if (IS_ERR(ptr))
+ return PTR_ERR(ptr);
*rcmd = ptr;
- ret = copy_from_user(ptr, param, sizeof(*ptr));
ptr->next = NULL;
ptr->buffer_length = 0;
ptr->kernel_data = NULL;
- if (ret)
- return -EFAULT;
param += sizeof(struct floppy_raw_cmd);
if (ptr->cmd_count > 33)
/* the command may now also take up the space
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
arch/powerpc/platforms/powernv/opal-prd.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/arch/powerpc/platforms/powernv/opal-prd.c b/arch/powerpc/platforms/powernv/opal-prd.c
index 2d6ee1c..de4dd09 100644
--- a/arch/powerpc/platforms/powernv/opal-prd.c
+++ b/arch/powerpc/platforms/powernv/opal-prd.c
@@ -241,15 +241,9 @@ static ssize_t opal_prd_write(struct file *file, const char __user *buf,
size = be16_to_cpu(hdr.size);
- msg = kmalloc(size, GFP_KERNEL);
- if (!msg)
- return -ENOMEM;
-
- rc = copy_from_user(msg, buf, size);
- if (rc) {
- size = -EFAULT;
- goto out_free;
- }
+ msg = memdup_user(buf, size);
+ if (IS_ERR(msg))
+ return PTR_ERR(msg);
rc = opal_prd_msg(msg);
if (rc) {
@@ -257,7 +251,6 @@ static ssize_t opal_prd_write(struct file *file, const char __user *buf,
size = -EIO;
}
-out_free:
kfree(msg);
return size;
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
drivers/block/skd_main.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/drivers/block/skd_main.c b/drivers/block/skd_main.c
index 27833e4..6b3cdd2 100644
--- a/drivers/block/skd_main.c
+++ b/drivers/block/skd_main.c
@@ -1394,22 +1394,16 @@ static int skd_sg_io_get_and_check_args(struct skd_device *skdev,
uint nbytes = sizeof(*iov) * sgp->iovec_count;
size_t iov_data_len;
- iov = kmalloc(nbytes, GFP_KERNEL);
- if (iov == NULL) {
- pr_debug("%s:%s:%d alloc iovec failed %d\n",
+ iov = memdup_user(sgp->dxferp, nbytes);
+ if (IS_ERR(iov)) {
+ pr_debug("%s:%s:%d memdup_user iovec failed %d %p\n",
skdev->name, __func__, __LINE__,
- sgp->iovec_count);
- return -ENOMEM;
+ sgp->iovec_count, sgp->dxferp);
+ return PTR_ERR(iov);
}
sksgio->iov = iov;
sksgio->iovcnt = sgp->iovec_count;
- if (copy_from_user(iov, sgp->dxferp, nbytes)) {
- pr_debug("%s:%s:%d copy_from_user iovec failed %p\n",
- skdev->name, __func__, __LINE__, sgp->dxferp);
- return -EFAULT;
- }
-
/*
* Sum up the vecs, making sure they don't overflow
*/
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
arch/powerpc/kernel/nvram_64.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c
index eae61b0..496d639 100644
--- a/arch/powerpc/kernel/nvram_64.c
+++ b/arch/powerpc/kernel/nvram_64.c
@@ -792,21 +792,17 @@ static ssize_t dev_nvram_write(struct file *file, const char __user *buf,
count = min_t(size_t, count, size - *ppos);
count = min(count, PAGE_SIZE);
- ret = -ENOMEM;
- tmp = kmalloc(count, GFP_KERNEL);
- if (!tmp)
- goto out;
-
- ret = -EFAULT;
- if (copy_from_user(tmp, buf, count))
+ tmp = memdup_user(buf, count);
+ if (IS_ERR(tmp)) {
+ ret = PTR_ERR(tmp);
goto out;
+ }
ret = ppc_md.nvram_write(tmp, count, ppos);
-out:
kfree(tmp);
+out:
return ret;
-
}
static long dev_nvram_ioctl(struct file *file, unsigned int cmd,
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
drivers/staging/comedi/comedi_fops.c | 22 +++++++---------------
1 file changed, 7 insertions(+), 15 deletions(-)
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index f191c2a..4797c8f 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -1450,22 +1450,14 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
return -EFAULT;
data = kmalloc_array(MAX_SAMPLES, sizeof(unsigned int), GFP_KERNEL);
- if (!data) {
- ret = -ENOMEM;
- goto error;
- }
-
- insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL);
- if (!insns) {
- ret = -ENOMEM;
- goto error;
- }
+ if (!data)
+ return -ENOMEM;
- if (copy_from_user(insns, insnlist.insns,
- sizeof(*insns) * insnlist.n_insns)) {
- dev_dbg(dev->class_dev, "copy_from_user failed\n");
- ret = -EFAULT;
- goto error;
+ insns = memdup_user(insnlist.insns, sizeof(*insns) * insnlist.n_insns);
+ if (IS_ERR(insns)) {
+ dev_dbg(dev->class_dev, "memdup_user failed\n");
+ kfree(data);
+ return PTR_ERR(insns);
}
for (i = 0; i < insnlist.n_insns; i++) {
--
2.9.3
Use memdup_user() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
fs/pstore/platform.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
index 43b3ca5..903e0fe 100644
--- a/fs/pstore/platform.c
+++ b/fs/pstore/platform.c
@@ -640,19 +640,16 @@ static int pstore_write_user_compat(struct pstore_record *record,
if (record->buf)
return -EINVAL;
- record->buf = kmalloc(record->size, GFP_KERNEL);
- if (!record->buf)
- return -ENOMEM;
-
- if (unlikely(copy_from_user(record->buf, buf, record->size))) {
- ret = -EFAULT;
+ record->buf = memdup_user(buf, record->size);
+ if (unlikely(IS_ERR(record->buf))) {
+ ret = PTR_ERR(record->buf);
goto out;
}
ret = record->psi->write(record);
-out:
kfree(record->buf);
+out:
record->buf = NULL;
return unlikely(ret < 0) ? ret : record->size;
--
2.9.3
Use memdup_user_nul() helper instead of open-coding to simplify the code.
Signed-off-by: Geliang Tang <[email protected]>
---
arch/powerpc/platforms/pseries/reconfig.c | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/reconfig.c b/arch/powerpc/platforms/pseries/reconfig.c
index e5bf1e8..431f513 100644
--- a/arch/powerpc/platforms/pseries/reconfig.c
+++ b/arch/powerpc/platforms/pseries/reconfig.c
@@ -367,16 +367,9 @@ static ssize_t ofdt_write(struct file *file, const char __user *buf, size_t coun
char *kbuf;
char *tmp;
- if (!(kbuf = kmalloc(count + 1, GFP_KERNEL))) {
- rv = -ENOMEM;
- goto out;
- }
- if (copy_from_user(kbuf, buf, count)) {
- rv = -EFAULT;
- goto out;
- }
-
- kbuf[count] = '\0';
+ kbuf = memdup_user_nul(buf, count);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
tmp = strchr(kbuf, ' ');
if (!tmp) {
--
2.9.3
On Sat, 2017-04-29 at 09:45 +0800, Geliang Tang wrote:
> Use memdup_user() helper instead of open-coding to simplify the code.
While I doubt this is a problem, this loses
the multiplication overflow check for
sizeof(*insns) * insnlist.n_isns
> diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
[]
> @@ -1450,22 +1450,14 @@ static int do_insnlist_ioctl(struct comedi_device *dev,
> return -EFAULT;
>
> data = kmalloc_array(MAX_SAMPLES, sizeof(unsigned int), GFP_KERNEL);
> - if (!data) {
> - ret = -ENOMEM;
> - goto error;
> - }
> -
> - insns = kcalloc(insnlist.n_insns, sizeof(*insns), GFP_KERNEL);
> - if (!insns) {
> - ret = -ENOMEM;
> - goto error;
> - }
> + if (!data)
> + return -ENOMEM;
>
> - if (copy_from_user(insns, insnlist.insns,
> - sizeof(*insns) * insnlist.n_insns)) {
> - dev_dbg(dev->class_dev, "copy_from_user failed\n");
> - ret = -EFAULT;
> - goto error;
> + insns = memdup_user(insnlist.insns, sizeof(*insns) * insnlist.n_insns);
> + if (IS_ERR(insns)) {
> + dev_dbg(dev->class_dev, "memdup_user failed\n");
> + kfree(data);
> + return PTR_ERR(insns);
> }
>
> for (i = 0; i < insnlist.n_insns; i++) {
On Fri, Apr 28, 2017 at 06:53:32PM -0700, Joe Perches wrote:
> On Sat, 2017-04-29 at 09:45 +0800, Geliang Tang wrote:
> > Use memdup_user() helper instead of open-coding to simplify the code.
>
> While I doubt this is a problem, this loses
> the multiplication overflow check for
> sizeof(*insns) * insnlist.n_isns
Yes it is a problem, we need that check.
thanks,
greg k-h
On Fri, Apr 28, 2017 at 6:45 PM, Geliang Tang <[email protected]> wrote:
> Use memdup_user() helper instead of open-coding to simplify the code.
>
> Signed-off-by: Geliang Tang <[email protected]>
Thanks! Applied for -next.
-Kees
> ---
> fs/pstore/platform.c | 11 ++++-------
> 1 file changed, 4 insertions(+), 7 deletions(-)
>
> diff --git a/fs/pstore/platform.c b/fs/pstore/platform.c
> index 43b3ca5..903e0fe 100644
> --- a/fs/pstore/platform.c
> +++ b/fs/pstore/platform.c
> @@ -640,19 +640,16 @@ static int pstore_write_user_compat(struct pstore_record *record,
> if (record->buf)
> return -EINVAL;
>
> - record->buf = kmalloc(record->size, GFP_KERNEL);
> - if (!record->buf)
> - return -ENOMEM;
> -
> - if (unlikely(copy_from_user(record->buf, buf, record->size))) {
> - ret = -EFAULT;
> + record->buf = memdup_user(buf, record->size);
> + if (unlikely(IS_ERR(record->buf))) {
> + ret = PTR_ERR(record->buf);
> goto out;
> }
>
> ret = record->psi->write(record);
>
> -out:
> kfree(record->buf);
> +out:
> record->buf = NULL;
>
> return unlikely(ret < 0) ? ret : record->size;
> --
> 2.9.3
>
--
Kees Cook
Pixel Security
On Fri, Apr 28, 2017 at 6:45 PM, Geliang Tang <[email protected]> wrote:
> Use memdup_user() helper instead of open-coding to simplify the code.
>
> Signed-off-by: Geliang Tang <[email protected]>
Thanks! Applied for -next.
-Kees
> ---
> arch/powerpc/kernel/nvram_64.c | 14 +++++---------
> 1 file changed, 5 insertions(+), 9 deletions(-)
>
> diff --git a/arch/powerpc/kernel/nvram_64.c b/arch/powerpc/kernel/nvram_64.c
> index eae61b0..496d639 100644
> --- a/arch/powerpc/kernel/nvram_64.c
> +++ b/arch/powerpc/kernel/nvram_64.c
> @@ -792,21 +792,17 @@ static ssize_t dev_nvram_write(struct file *file, const char __user *buf,
> count = min_t(size_t, count, size - *ppos);
> count = min(count, PAGE_SIZE);
>
> - ret = -ENOMEM;
> - tmp = kmalloc(count, GFP_KERNEL);
> - if (!tmp)
> - goto out;
> -
> - ret = -EFAULT;
> - if (copy_from_user(tmp, buf, count))
> + tmp = memdup_user(buf, count);
> + if (IS_ERR(tmp)) {
> + ret = PTR_ERR(tmp);
> goto out;
> + }
>
> ret = ppc_md.nvram_write(tmp, count, ppos);
>
> -out:
> kfree(tmp);
> +out:
> return ret;
> -
> }
>
> static long dev_nvram_ioctl(struct file *file, unsigned int cmd,
> --
> 2.9.3
>
--
Kees Cook
Pixel Security
On Sat, 2017-04-29 at 01:45:14 UTC, Geliang Tang wrote:
> Use memdup_user() helper instead of open-coding to simplify the code.
>
> Signed-off-by: Geliang Tang <[email protected]>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/5588b29a5cd34aec747202e95f328a
cheers
On Sat, 2017-04-29 at 01:45:15 UTC, Geliang Tang wrote:
> Use memdup_user_nul() helper instead of open-coding to simplify the code.
>
> Signed-off-by: Geliang Tang <[email protected]>
Applied to powerpc next, thanks.
https://git.kernel.org/powerpc/c/3783225130f01ea86fc0ee477a0e72
cheers