Hello Christoph Hellwig,
The patch a7b75c5a8c41: "net: pass a sockptr_t into ->setsockopt"
from Jul 23, 2020, leads to the following Smatch static checker
warnings:
net/netrom/af_netrom.c:309 nr_setsockopt() warn: not copying enough bytes for '&opt' (8 vs 4 bytes)
net/bluetooth/hci_sock.c:1940 hci_sock_setsockopt() warn: not copying enough bytes for '&opt' (4 vs 2 bytes)
net/bluetooth/l2cap_sock.c:1088 l2cap_sock_setsockopt() warn: not copying enough bytes for '&opt' (4 vs 2 bytes)
net/bluetooth/l2cap_sock.c:1119 l2cap_sock_setsockopt() warn: not copying enough bytes for '&opt' (4 vs 1 bytes)
net/ax25/af_ax25.c:546 ax25_setsockopt() warn: not copying enough bytes for '&opt' (8 vs 4 bytes)
net/netrom/af_netrom.c
296 static int nr_setsockopt(struct socket *sock, int level, int optname,
297 sockptr_t optval, unsigned int optlen)
298 {
299 struct sock *sk = sock->sk;
300 struct nr_sock *nr = nr_sk(sk);
301 unsigned long opt;
^^^^^^^^^^^^^^^^^^
302
303 if (level != SOL_NETROM)
304 return -ENOPROTOOPT;
305
306 if (optlen < sizeof(unsigned int))
307 return -EINVAL;
308
--> 309 if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
Originally this was if (get_user(opt, (unsigned int __user *)optval))
which is weird but actually works. Now the last two bytes are
uninitialized.
310 return -EFAULT;
311
312 switch (optname) {
313 case NETROM_T1:
314 if (opt < 1 || opt > ULONG_MAX / HZ)
315 return -EINVAL;
316 nr->t1 = opt * HZ;
317 return 0;
regards,
dan carpenter
