From 5702222c9a7af4a207066d54aa95cfe31f34f2f8 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Fri, 2 Oct 2015 11:12:53 -0700 Subject: Input: joydev - use memdup_user() to duplicate memory from user-space The memdup_user() helper function can be used to duplicate a memory region from user-space to kernel-space. There is no need to open code the same logic using kmalloc() and copy_from_user() instead. This was found with make coccicheck that reported the following warning: drivers/input/joydev.c:447:10-17: WARNING opportunity for memdup_user drivers/input/joydev.c:483:10-17: WARNING opportunity for memdup_user Signed-off-by: Javier Martinez Canillas Signed-off-by: Dmitry Torokhov --- drivers/input/joydev.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) (limited to 'drivers/input/joydev.c') diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c index 6cb5a3e5f9a1..e3dcd4abae18 100644 --- a/drivers/input/joydev.c +++ b/drivers/input/joydev.c @@ -444,12 +444,9 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev, len = min(len, sizeof(joydev->abspam)); /* Validate the map. */ - abspam = kmalloc(len, GFP_KERNEL); - if (!abspam) - return -ENOMEM; - - if (copy_from_user(abspam, argp, len)) { - retval = -EFAULT; + abspam = memdup_user(argp, len); + if (IS_ERR(abspam)) { + retval = PTR_ERR(abspam); goto out; } @@ -480,12 +477,9 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev, len = min(len, sizeof(joydev->keypam)); /* Validate the map. */ - keypam = kmalloc(len, GFP_KERNEL); - if (!keypam) - return -ENOMEM; - - if (copy_from_user(keypam, argp, len)) { - retval = -EFAULT; + keypam = memdup_user(argp, len); + if (IS_ERR(keypam)) { + retval = PTR_ERR(keypam); goto out; } -- cgit v1.2.3 From 5b21e3c740b770fb2548a5a8ea66e544d114d0a8 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas Date: Tue, 6 Oct 2015 15:23:36 -0700 Subject: Input: joydev - fix possible ERR_PTR() dereferencing Commit 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate memory from user-space") changed the kmalloc() and copy_from_user() with a single call to memdup_user() but wrongly used the same error path than the old code in which the buffer allocated by kmalloc() was freed if copy_from_user() failed. This is of course wrong since if memdup_user() fails, no memory was allocated and the error in the error-valued pointer should be returned. Fixes: 5702222c9a7a ("Input: joydev - use memdup_user() to duplicate memory from user-space") Reported-by: Dan Carpenter Signed-off-by: Javier Martinez Canillas Signed-off-by: Dmitry Torokhov --- drivers/input/joydev.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'drivers/input/joydev.c') diff --git a/drivers/input/joydev.c b/drivers/input/joydev.c index e3dcd4abae18..5d11fea3c8ec 100644 --- a/drivers/input/joydev.c +++ b/drivers/input/joydev.c @@ -445,10 +445,8 @@ static int joydev_handle_JSIOCSAXMAP(struct joydev *joydev, /* Validate the map. */ abspam = memdup_user(argp, len); - if (IS_ERR(abspam)) { - retval = PTR_ERR(abspam); - goto out; - } + if (IS_ERR(abspam)) + return PTR_ERR(abspam); for (i = 0; i < joydev->nabs; i++) { if (abspam[i] > ABS_MAX) { @@ -478,10 +476,8 @@ static int joydev_handle_JSIOCSBTNMAP(struct joydev *joydev, /* Validate the map. */ keypam = memdup_user(argp, len); - if (IS_ERR(keypam)) { - retval = PTR_ERR(keypam); - goto out; - } + if (IS_ERR(keypam)) + return PTR_ERR(keypam); for (i = 0; i < joydev->nkey; i++) { if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) { -- cgit v1.2.3