[usb:usb-testing 21/67] drivers/usb/class/usbtmc.c:1275 usbtmc_ioctl_request() warn: possible memory leak of 'buffer'


 



tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
head:   ae8a2ca8a2215c7e31e6d874f7303801bb15fbbc
commit: 658f24f4523e41cda6a389c38b763f4c0cad6fbc [21/67] usb: usbtmc: Add ioctl for generic requests on control

smatch warnings:
drivers/usb/class/usbtmc.c:1275 usbtmc_ioctl_request() warn: possible memory leak of 'buffer'
drivers/usb/class/usbtmc.c:1278 usbtmc_ioctl_request() warn: overwrite may leak 'buffer'

# https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/commit/?id=658f24f4523e41cda6a389c38b763f4c0cad6fbc
git remote add usb https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
git remote update usb
git checkout 658f24f4523e41cda6a389c38b763f4c0cad6fbc
vim +/buffer +1275 drivers/usb/class/usbtmc.c

5b775f67 Greg Kroah-Hartman 2008-08-26  1256  
658f24f4 Guido Kiener       2018-09-12  1257  static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
658f24f4 Guido Kiener       2018-09-12  1258  				void __user *arg)
658f24f4 Guido Kiener       2018-09-12  1259  {
658f24f4 Guido Kiener       2018-09-12  1260  	struct device *dev = &data->intf->dev;
658f24f4 Guido Kiener       2018-09-12  1261  	struct usbtmc_ctrlrequest request;
658f24f4 Guido Kiener       2018-09-12  1262  	u8 *buffer = NULL;
658f24f4 Guido Kiener       2018-09-12  1263  	int rv;
658f24f4 Guido Kiener       2018-09-12  1264  	unsigned long res;
658f24f4 Guido Kiener       2018-09-12  1265  
658f24f4 Guido Kiener       2018-09-12  1266  	res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest));
658f24f4 Guido Kiener       2018-09-12  1267  	if (res)
658f24f4 Guido Kiener       2018-09-12  1268  		return -EFAULT;
658f24f4 Guido Kiener       2018-09-12  1269  
658f24f4 Guido Kiener       2018-09-12  1270  	buffer = kmalloc(request.req.wLength, GFP_KERNEL);
                                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
658f24f4 Guido Kiener       2018-09-12  1271  	if (!buffer)
658f24f4 Guido Kiener       2018-09-12  1272  		return -ENOMEM;
658f24f4 Guido Kiener       2018-09-12  1273  
658f24f4 Guido Kiener       2018-09-12  1274  	if (request.req.wLength > USBTMC_BUFSIZE)
658f24f4 Guido Kiener       2018-09-12 @1275  		return -EMSGSIZE;
                                                        ^^^^^^^^^^^^^^^^^
658f24f4 Guido Kiener       2018-09-12  1276  
658f24f4 Guido Kiener       2018-09-12  1277  	if (request.req.wLength) {
658f24f4 Guido Kiener       2018-09-12 @1278  		buffer = kmalloc(request.req.wLength, GFP_KERNEL);
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
658f24f4 Guido Kiener       2018-09-12  1279  		if (!buffer)
658f24f4 Guido Kiener       2018-09-12  1280  			return -ENOMEM;
658f24f4 Guido Kiener       2018-09-12  1281  
658f24f4 Guido Kiener       2018-09-12  1282  		if ((request.req.bRequestType & USB_DIR_IN) == 0) {
658f24f4 Guido Kiener       2018-09-12  1283  			/* Send control data to device */
658f24f4 Guido Kiener       2018-09-12  1284  			res = copy_from_user(buffer, request.data,
658f24f4 Guido Kiener       2018-09-12  1285  					     request.req.wLength);
658f24f4 Guido Kiener       2018-09-12  1286  			if (res) {
658f24f4 Guido Kiener       2018-09-12  1287  				rv = -EFAULT;
658f24f4 Guido Kiener       2018-09-12  1288  				goto exit;
658f24f4 Guido Kiener       2018-09-12  1289  			}
658f24f4 Guido Kiener       2018-09-12  1290  		}
658f24f4 Guido Kiener       2018-09-12  1291  	}
658f24f4 Guido Kiener       2018-09-12  1292  
658f24f4 Guido Kiener       2018-09-12  1293  	rv = usb_control_msg(data->usb_dev,
658f24f4 Guido Kiener       2018-09-12  1294  			usb_rcvctrlpipe(data->usb_dev, 0),
658f24f4 Guido Kiener       2018-09-12  1295  			request.req.bRequest,
658f24f4 Guido Kiener       2018-09-12  1296  			request.req.bRequestType,
658f24f4 Guido Kiener       2018-09-12  1297  			request.req.wValue,
658f24f4 Guido Kiener       2018-09-12  1298  			request.req.wIndex,
658f24f4 Guido Kiener       2018-09-12  1299  			buffer, request.req.wLength, USB_CTRL_GET_TIMEOUT);
658f24f4 Guido Kiener       2018-09-12  1300  
658f24f4 Guido Kiener       2018-09-12  1301  	if (rv < 0) {
658f24f4 Guido Kiener       2018-09-12  1302  		dev_err(dev, "%s failed %d\n", __func__, rv);
658f24f4 Guido Kiener       2018-09-12  1303  		goto exit;
658f24f4 Guido Kiener       2018-09-12  1304  	}
658f24f4 Guido Kiener       2018-09-12  1305  
658f24f4 Guido Kiener       2018-09-12  1306  	if (rv && (request.req.bRequestType & USB_DIR_IN)) {
658f24f4 Guido Kiener       2018-09-12  1307  		/* Read control data from device */
658f24f4 Guido Kiener       2018-09-12  1308  		res = copy_to_user(request.data, buffer, rv);
658f24f4 Guido Kiener       2018-09-12  1309  		if (res)
658f24f4 Guido Kiener       2018-09-12  1310  			rv = -EFAULT;
658f24f4 Guido Kiener       2018-09-12  1311  	}
658f24f4 Guido Kiener       2018-09-12  1312  
658f24f4 Guido Kiener       2018-09-12  1313   exit:
658f24f4 Guido Kiener       2018-09-12  1314  	kfree(buffer);
658f24f4 Guido Kiener       2018-09-12  1315  	return rv;
658f24f4 Guido Kiener       2018-09-12  1316  }
658f24f4 Guido Kiener       2018-09-12  1317  
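Review bot: The pipe passed to `usb_control_msg()` at line 1294 is always `usb_rcvctrlpipe(data->usb_dev, 0)`, even when `bRequestType` has no `USB_DIR_IN` bit and `buffer` was just filled from user space at line 1284 to be sent to the device. For every OUT request the pipe direction therefore contradicts the setup packet. Select the pipe from the direction bit, e.g. `unsigned int pipe = (request.req.bRequestType & USB_DIR_IN) ? usb_rcvctrlpipe(data->usb_dev, 0) : usb_sndctrlpipe(data->usb_dev, 0);`, and pass `pipe` to the call. Separately, the IN path at line 1308 copies `rv` bytes of a `kmalloc()`ed buffer to user space, which presumably relies on `rv` never exceeding what the device actually wrote; allocating with `kzalloc()` would keep stale heap contents out of reach regardless.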

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


