On Fri, Feb 08, 2019 at 01:23:04PM +0000, Srinivas Kandagatla wrote:
> +static int fastrpc_invoke(struct fastrpc_user *fl, char __user *argp)
> +{
> + struct fastrpc_invoke_args *args = NULL;
> + struct fastrpc_invoke inv;
> + u32 nscalars;
> + int err;
> +
> + if (copy_from_user(&inv, argp, sizeof(inv)))
> + return -EFAULT;
> +
> + nscalars = REMOTE_SCALARS_LENGTH(inv.sc);
> +
> + if (nscalars > MAX_REMOTE_SCALARS)
> + return -EINVAL;
> +
> + if (nscalars) {
> + args = kcalloc(nscalars, sizeof(*args), GFP_KERNEL);
> + if (!args)
> + return -ENOMEM;
> +
> + if (copy_from_user(args, (void __user *)(uintptr_t)inv.args,
> + nscalars * sizeof(*args))) {
> + kfree(args);
> + return -EFAULT;
> + }
> +
> + /* Make sure reserved field is set to 0 */
> + if (args->reserved) {
> + kfree(args);
> + return -EINVAL;
Am I wrong in that you are only checking the first reserved field in this array of args? Don't you have a whole bunch of them here (nscalars of them)? Don't you need to check them all and not just the first one? thanks, greg k-h
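Review bot: Each failure after the `kcalloc()` repeats `kfree(args); return -E...;` by hand, while the `int err;` declared at the top of fastrpc_invoke is unused in the quoted part; setting `err = -EFAULT; goto bail;` (and `err = -EINVAL; goto bail;` for the reserved-field case) with a single `bail: kfree(args); return err;` at the bottom is the usual kernel shape and keeps any later exit from leaking `args`. The double cast `(void __user *)(uintptr_t)inv.args` reads as a 64-bit ABI field being turned into a user pointer; if `inv.args` is indeed a u64, `u64_to_user_ptr(inv.args)` states that intent directly. Note that fastrpc_invoke does not end within the quoted hunk, so the cleanup label would land outside it.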