releases/3.16.61/usbip-stub_rx-fix-static-checker-warning-on-unnecessary-checks.patch - pub/scm/linux/kernel/git/bwh/linux-stable-queue - Git at Google

 From: Shuah Khan <shuahkh@osg.samsung.com>
 Date: Fri, 15 Dec 2017 10:05:15 -0700
 Subject: usbip: stub_rx: fix static checker warning on unnecessary checks

 commit 10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.

 Fix the following static checker warnings:

 The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
 to handle malicious input" from Dec 7, 2017, leads to the following
 static checker warning:

     drivers/usb/usbip/stub_rx.c:346 get_pipe()
     warn: impossible condition
 '(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
 (s32min-s32max > s32max)'
     drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
     warn: always true condition
 '(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
 (s32min-s32max <= s32max)'

 Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
 ---
  drivers/staging/usbip/stub_rx.c | 11 +----------
  1 file changed, 1 insertion(+), 10 deletions(-)

 --- a/drivers/staging/usbip/stub_rx.c
 +++ b/drivers/staging/usbip/stub_rx.c
 @@ -353,14 +353,6 @@ static int get_pipe(struct stub_device *

  	epd = &ep->desc;

 -	/* validate transfer_buffer_length */
 -	if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
 -		dev_err(&sdev->udev->dev,
 -			"CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
 -			pdu->u.cmd_submit.transfer_buffer_length);
 -		return -1;
 -	}
 -
  	if (usb_endpoint_xfer_control(epd)) {
  		if (dir == USBIP_DIR_OUT)
  			return usb_sndctrlpipe(udev, epnum);
 @@ -494,8 +486,7 @@ static void stub_recv_cmd_submit(struct
  	}

  	/* allocate urb transfer buffer, if needed */
 -	if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
 -	    pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
 +	if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
  		priv->urb->transfer_buffer =
  			kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
  				GFP_KERNEL);
	From: Shuah Khan <shuahkh@osg.samsung.com>
	Date: Fri, 15 Dec 2017 10:05:15 -0700
	Subject: usbip: stub_rx: fix static checker warning on unnecessary checks

	commit 10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.

	Fix the following static checker warnings:

	The patch c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
	to handle malicious input" from Dec 7, 2017, leads to the following
	static checker warning:

	drivers/usb/usbip/stub_rx.c:346 get_pipe()
	warn: impossible condition
	'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
	(s32min-s32max > s32max)'
	drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
	warn: always true condition
	'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
	(s32min-s32max <= s32max)'

	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	---
	drivers/staging/usbip/stub_rx.c \| 11 +----------
	1 file changed, 1 insertion(+), 10 deletions(-)

	--- a/drivers/staging/usbip/stub_rx.c
	+++ b/drivers/staging/usbip/stub_rx.c
	@@ -353,14 +353,6 @@ static int get_pipe(struct stub_device *

	epd = &ep->desc;

	- /* validate transfer_buffer_length */
	- if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
	- dev_err(&sdev->udev->dev,
	- "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
	- pdu->u.cmd_submit.transfer_buffer_length);
	- return -1;
	- }
	-
	if (usb_endpoint_xfer_control(epd)) {
	if (dir == USBIP_DIR_OUT)
	return usb_sndctrlpipe(udev, epnum);
	@@ -494,8 +486,7 @@ static void stub_recv_cmd_submit(struct
	}

	/* allocate urb transfer buffer, if needed */
	- if (pdu->u.cmd_submit.transfer_buffer_length > 0 &&
	- pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
	+ if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
	priv->urb->transfer_buffer =
	kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
	GFP_KERNEL);