[cifs:for-next 35/38] fs/cifs/smb2ops.c:1152:10-17: WARNING opportunity for memdup_user

[kbuild test robot]

tree:   git://git.samba.org/sfrench/cifs-2.6.git for-next
head:   18fbe0748eeacc27f619fa2010fedd7172a81d34
commit: 957f8728d5e175c8660d36d8d334e5a6f1e7f521 [35/38] cifs: add IOCTL for QUERY_INFO passthrough to userspace


coccinelle warnings: (new ones prefixed by >>)

>> fs/cifs/smb2ops.c:1152:10-17: WARNING opportunity for memdup_user

vim +1152 fs/cifs/smb2ops.c

  1120	
  1121	static int
  1122	smb2_ioctl_query_info(const unsigned int xid,
  1123			      struct cifsFileInfo *file,
  1124			      unsigned long p)
  1125	{
  1126		struct cifs_tcon *tcon = tlink_tcon(file->tlink);
  1127		struct cifs_ses *ses = tcon->ses;
  1128		char __user *arg = (char __user *)p;
  1129		struct smb_query_info qi;
  1130		struct smb_query_info __user *pqi;
  1131		int rc = 0;
  1132		int flags = 0;
  1133		struct smb_rqst rqst;
  1134		struct kvec iov[1];
  1135		struct kvec rsp_iov;
  1136		int resp_buftype;
  1137		struct smb2_query_info_rsp *rsp = NULL;
  1138		void *buffer;
  1139	
  1140		if (copy_from_user(&qi, arg, sizeof(struct smb_query_info)))
  1141			return -EFAULT;
  1142	
  1143		if (qi.output_buffer_length > 1024)
  1144			return -EINVAL;
  1145	
  1146		if (!ses || !(ses->server))
  1147			return -EIO;
  1148	
  1149		if (smb3_encryption_required(tcon))
  1150			flags |= CIFS_TRANSFORM_REQ;
  1151	
> 1152		buffer = kmalloc(qi.output_buffer_length, GFP_KERNEL);
  1153		if (buffer == NULL)
  1154			return -ENOMEM;
  1155	
  1156		if (copy_from_user(buffer, arg + sizeof(struct smb_query_info),
  1157				   qi.output_buffer_length)) {
  1158			kfree(buffer);
  1159			return -EFAULT;
  1160		}
  1161	
  1162		memset(&rqst, 0, sizeof(struct smb_rqst));
  1163		memset(&iov, 0, sizeof(iov));
  1164		rqst.rq_iov = iov;
  1165		rqst.rq_nvec = 1;
  1166	
  1167		rc = SMB2_query_info_init(tcon, &rqst, file->fid.persistent_fid,
  1168					  file->fid.volatile_fid,
  1169					  qi.file_info_class, qi.info_type,
  1170					  qi.additional_information,
  1171					  qi.input_buffer_length,
  1172					  qi.output_buffer_length, buffer);
  1173		kfree(buffer);
  1174		if (rc)
  1175			goto iqinf_exit;
  1176	
  1177		rc = cifs_send_recv(xid, ses, &rqst, &resp_buftype, flags, &rsp_iov);
  1178		rsp = (struct smb2_query_info_rsp *)rsp_iov.iov_base;
  1179		if (rc)
  1180			goto iqinf_exit;
  1181	
  1182		pqi = (struct smb_query_info __user *)arg;
  1183		if (le32_to_cpu(rsp->OutputBufferLength) < qi.input_buffer_length)
  1184			qi.input_buffer_length = le32_to_cpu(rsp->OutputBufferLength);
  1185		if (copy_to_user(&pqi->input_buffer_length, &qi.input_buffer_length,
  1186				 sizeof(qi.input_buffer_length))) {
  1187			rc = -EFAULT;
  1188			goto iqinf_exit;
  1189		}
  1190		if (copy_to_user(pqi + 1, rsp->Buffer, qi.input_buffer_length)) {
  1191			rc = -EFAULT;
  1192			goto iqinf_exit;
  1193		}
  1194	
  1195	 iqinf_exit:
  1196		SMB2_query_info_free(&rqst);
  1197		free_rsp_buf(resp_buftype, rsp);
  1198		return rc;
  1199	}
  1200	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation