Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933107AbbLHLwL (ORCPT <rfc822;w@1wt.eu>);
	Tue, 8 Dec 2015 06:52:11 -0500
Received: from userp1040.oracle.com ([156.151.31.81]:51634 "EHLO
	userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752347AbbLHLwJ (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 8 Dec 2015 06:52:09 -0500
Date: Tue, 8 Dec 2015 14:51:57 +0300
From: Dan Carpenter <dan.carpenter@oracle.com>
To: "Pathak, Rahul (R.)" <rpathak@visteon.com>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
        "stern@rowland.harvard.edu" <stern@rowland.harvard.edu>,
        "kborer@gmail.com" <kborer@gmail.com>,
        "chasemetzger15@gmail.com" <chasemetzger15@gmail.com>,
        "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] usb: Use memdup_user to reuse the code
Message-ID: <20151208115157.GN7289@mwanda>
References: <20151208113851.GA12837@visteon.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20151208113851.GA12837@visteon.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1348
Lines: 40

On Tue, Dec 08, 2015 at 11:38:59AM +0000, Pathak, Rahul (R.) wrote:
> diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
> index 38ae877c..05266f0 100644
> --- a/drivers/usb/core/devio.c
> +++ b/drivers/usb/core/devio.c
> @@ -1395,11 +1395,9 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
>  		number_of_packets = uurb->number_of_packets;
>  		isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
>  				   number_of_packets;
> -		isopkt = kmalloc(isofrmlen, GFP_KERNEL);
> -		if (!isopkt)
> -			return -ENOMEM;
> -		if (copy_from_user(isopkt, iso_frame_desc, isofrmlen)) {
> -			ret = -EFAULT;
> +		isopkt = memdup_user(iso_frame_desc, isofrmlen);
> +		if (IS_ERR(isopkt)) {
> +			ret = PTR_ERR(isopkt);
>  			goto error;

This introduces a one err bug.
https://plus.google.com/106378716002406849458/posts/dnanfhQ4mHQ
We can't call kfree(isopkt) when it is an ERR_PTR.

Set it to NULL:

		isopkt = memdup_user(iso_frame_desc, isofrmlen);
		if (IS_ERR(isopkt)) {
			ret = PTR_ERR(isopkt);
			isopkt = NULL;
			goto error;
		}

regards,
dan carpenter

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/