From: rtjohnso@eecs.berkeley.edu (Robert T. Johnson)
To: Greg KH <greg@kroah.com>
Cc: linux-kernel@vger.kernel.org, Jean Delvare <khali@linux-fr.org>,
Marcelo Tosatti <marcelo@conectiva.com.br>,
sensors@Stimpy.netroedge.com, vsu@altlinux.ru
Subject: [PATCH 2.4] i2c-dev user/kernel bug and mem leak
Date: Thu, 19 May 2005 06:24:15 +0000 [thread overview]
Message-ID: <1062033440.16799.22.camel@dooby.cs.berkeley.edu> (raw)
In-Reply-To: <20030815211329.GB4920@kroah.com>
On Fri, 2003-08-15 at 14:13, Greg KH wrote:
> Hm, I had already applied your patch, so this one doesn't apply. Care
> to re-do it against 2.6.0-test4 whenever that comes out?
Here's the patch against 2.6.0-test4. Just to remind everyone, this
patch doesn't fix any bugs (they're already fixed in 2.6.0-test3), it
just makes the code pass our static analysis tool, cqual, without
generating a warning. Since finding and fixing these bugs is so tricky,
it seems worthwhile to have code which can be automatically verified to
be bug-free (at least w.r.t. user/kernel pointers). That's what this
patch is about. Let me know if you have any questions or comments.
Thanks for everyone's help.
Best,
Rob
P.S. cqual is on its way -- we're working on documentation and
integrating it into the kernel build process.
--- drivers/i2c/i2c-dev.c.orig Wed Aug 27 18:04:31 2003
+++ drivers/i2c/i2c-dev.c Wed Aug 27 17:51:23 2003
@@ -181,7 +181,7 @@
struct i2c_smbus_ioctl_data data_arg;
union i2c_smbus_data temp;
struct i2c_msg *rdwr_pa;
- u8 **data_ptrs;
+ struct i2c_msg *tmp_pa;
int i,datasize,res;
unsigned long funcs;
@@ -226,40 +226,44 @@
if (rdwr_arg.nmsgs > 42)
return -EINVAL;
- rdwr_pa = (struct i2c_msg *)
+ tmp_pa = (struct i2c_msg *)
kmalloc(rdwr_arg.nmsgs * sizeof(struct i2c_msg),
GFP_KERNEL);
- if (rdwr_pa = NULL) return -ENOMEM;
+ if (tmp_pa = NULL) return -ENOMEM;
- if (copy_from_user(rdwr_pa, rdwr_arg.msgs,
+ if (copy_from_user(tmp_pa, rdwr_arg.msgs,
rdwr_arg.nmsgs * sizeof(struct i2c_msg))) {
- kfree(rdwr_pa);
+ kfree(tmp_pa);
return -EFAULT;
}
- data_ptrs = (u8 **) kmalloc(rdwr_arg.nmsgs * sizeof(u8 *),
- GFP_KERNEL);
- if (data_ptrs = NULL) {
- kfree(rdwr_pa);
+ rdwr_pa = (struct i2c_msg *)
+ kmalloc(rdwr_arg.nmsgs * sizeof(struct i2c_msg),
+ GFP_KERNEL);
+
+ if (rdwr_pa = NULL) {
+ kfree(tmp_pa);
return -ENOMEM;
}
res = 0;
for( i=0; i<rdwr_arg.nmsgs; i++ ) {
+ rdwr_pa[i].addr = tmp_pa[i].addr;
+ rdwr_pa[i].flags = tmp_pa[i].flags;
+ rdwr_pa[i].len = tmp_pa[i].len;
/* Limit the size of the message to a sane amount */
if (rdwr_pa[i].len > 8192) {
res = -EINVAL;
break;
}
- data_ptrs[i] = rdwr_pa[i].buf;
rdwr_pa[i].buf = kmalloc(rdwr_pa[i].len, GFP_KERNEL);
if(rdwr_pa[i].buf = NULL) {
res = -ENOMEM;
break;
}
if(copy_from_user(rdwr_pa[i].buf,
- data_ptrs[i],
+ tmp_pa[i].buf,
rdwr_pa[i].len)) {
++i; /* Needs to be kfreed too */
res = -EFAULT;
@@ -270,8 +274,8 @@
int j;
for (j = 0; j < i; ++j)
kfree(rdwr_pa[j].buf);
- kfree(data_ptrs);
kfree(rdwr_pa);
+ kfree(tmp_pa);
return res;
}
@@ -281,7 +285,7 @@
while(i-- > 0) {
if( res>=0 && (rdwr_pa[i].flags & I2C_M_RD)) {
if(copy_to_user(
- data_ptrs[i],
+ tmp_pa[i].buf,
rdwr_pa[i].buf,
rdwr_pa[i].len)) {
res = -EFAULT;
@@ -289,8 +293,8 @@
}
kfree(rdwr_pa[i].buf);
}
- kfree(data_ptrs);
kfree(rdwr_pa);
+ kfree(tmp_pa);
return res;
case I2C_SMBUS:
WARNING: multiple messages have this Message-ID (diff)
From: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>
To: Greg KH <greg@kroah.com>
Cc: linux-kernel@vger.kernel.org, Jean Delvare <khali@linux-fr.org>,
Marcelo Tosatti <marcelo@conectiva.com.br>,
sensors@Stimpy.netroedge.com, vsu@altlinux.ru
Subject: Re: [PATCH 2.4] i2c-dev user/kernel bug and mem leak
Date: 27 Aug 2003 18:17:19 -0700 [thread overview]
Message-ID: <1062033440.16799.22.camel@dooby.cs.berkeley.edu> (raw)
In-Reply-To: <20030815211329.GB4920@kroah.com>
On Fri, 2003-08-15 at 14:13, Greg KH wrote:
> Hm, I had already applied your patch, so this one doesn't apply. Care
> to re-do it against 2.6.0-test4 whenever that comes out?
Here's the patch against 2.6.0-test4. Just to remind everyone, this
patch doesn't fix any bugs (they're already fixed in 2.6.0-test3), it
just makes the code pass our static analysis tool, cqual, without
generating a warning. Since finding and fixing these bugs is so tricky,
it seems worthwhile to have code which can be automatically verified to
be bug-free (at least w.r.t. user/kernel pointers). That's what this
patch is about. Let me know if you have any questions or comments.
Thanks for everyone's help.
Best,
Rob
P.S. cqual is on its way -- we're working on documentation and
integrating it into the kernel build process.
--- drivers/i2c/i2c-dev.c.orig Wed Aug 27 18:04:31 2003
+++ drivers/i2c/i2c-dev.c Wed Aug 27 17:51:23 2003
@@ -181,7 +181,7 @@
struct i2c_smbus_ioctl_data data_arg;
union i2c_smbus_data temp;
struct i2c_msg *rdwr_pa;
- u8 **data_ptrs;
+ struct i2c_msg *tmp_pa;
int i,datasize,res;
unsigned long funcs;
@@ -226,40 +226,44 @@
if (rdwr_arg.nmsgs > 42)
return -EINVAL;
- rdwr_pa = (struct i2c_msg *)
+ tmp_pa = (struct i2c_msg *)
kmalloc(rdwr_arg.nmsgs * sizeof(struct i2c_msg),
GFP_KERNEL);
- if (rdwr_pa == NULL) return -ENOMEM;
+ if (tmp_pa == NULL) return -ENOMEM;
- if (copy_from_user(rdwr_pa, rdwr_arg.msgs,
+ if (copy_from_user(tmp_pa, rdwr_arg.msgs,
rdwr_arg.nmsgs * sizeof(struct i2c_msg))) {
- kfree(rdwr_pa);
+ kfree(tmp_pa);
return -EFAULT;
}
- data_ptrs = (u8 **) kmalloc(rdwr_arg.nmsgs * sizeof(u8 *),
- GFP_KERNEL);
- if (data_ptrs == NULL) {
- kfree(rdwr_pa);
+ rdwr_pa = (struct i2c_msg *)
+ kmalloc(rdwr_arg.nmsgs * sizeof(struct i2c_msg),
+ GFP_KERNEL);
+
+ if (rdwr_pa == NULL) {
+ kfree(tmp_pa);
return -ENOMEM;
}
res = 0;
for( i=0; i<rdwr_arg.nmsgs; i++ ) {
+ rdwr_pa[i].addr = tmp_pa[i].addr;
+ rdwr_pa[i].flags = tmp_pa[i].flags;
+ rdwr_pa[i].len = tmp_pa[i].len;
/* Limit the size of the message to a sane amount */
if (rdwr_pa[i].len > 8192) {
res = -EINVAL;
break;
}
- data_ptrs[i] = rdwr_pa[i].buf;
rdwr_pa[i].buf = kmalloc(rdwr_pa[i].len, GFP_KERNEL);
if(rdwr_pa[i].buf == NULL) {
res = -ENOMEM;
break;
}
if(copy_from_user(rdwr_pa[i].buf,
- data_ptrs[i],
+ tmp_pa[i].buf,
rdwr_pa[i].len)) {
++i; /* Needs to be kfreed too */
res = -EFAULT;
@@ -270,8 +274,8 @@
int j;
for (j = 0; j < i; ++j)
kfree(rdwr_pa[j].buf);
- kfree(data_ptrs);
kfree(rdwr_pa);
+ kfree(tmp_pa);
return res;
}
@@ -281,7 +285,7 @@
while(i-- > 0) {
if( res>=0 && (rdwr_pa[i].flags & I2C_M_RD)) {
if(copy_to_user(
- data_ptrs[i],
+ tmp_pa[i].buf,
rdwr_pa[i].buf,
rdwr_pa[i].len)) {
res = -EFAULT;
@@ -289,8 +293,8 @@
}
kfree(rdwr_pa[i].buf);
}
- kfree(data_ptrs);
kfree(rdwr_pa);
+ kfree(tmp_pa);
return res;
case I2C_SMBUS:
next prev parent reply other threads:[~2005-05-19 6:24 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-08-03 17:23 PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem leak Jean Delvare
2005-05-19 6:24 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and Jean Delvare
2003-08-04 15:32 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem leak Sergey Vlasov
2005-05-19 6:24 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and Sergey Vlasov
2003-08-05 8:32 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem leak Jean Delvare
2005-05-19 6:24 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and Jean Delvare
2003-08-05 14:10 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem leak Sergey Vlasov
2005-05-19 6:24 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and Sergey Vlasov
2003-08-05 21:07 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem leak Greg KH
2005-05-19 6:24 ` PATCH: 2.4.22-pre7 drivers/i2c/i2c-dev.c user/kernel bug and mem Greg KH
2003-08-06 8:07 ` [PATCH 2.4] i2c-dev user/kernel bug and mem leak Jean Delvare
2005-05-19 6:24 ` Jean Delvare
2005-05-19 6:24 ` Robert T. Johnson
2005-05-19 6:24 ` Jean Delvare
2005-05-19 6:24 ` Greg KH
2005-05-19 6:24 ` Greg KH
2003-08-15 2:01 ` Robert T. Johnson
2005-05-19 6:24 ` Robert T. Johnson
2003-08-15 21:13 ` Greg KH
2005-05-19 6:24 ` Greg KH
2003-08-15 22:17 ` Robert T. Johnson
2005-05-19 6:24 ` Robert T. Johnson
2003-08-15 23:51 ` Greg KH
2005-05-19 6:24 ` Greg KH
2003-08-18 0:54 ` Robert T. Johnson
2005-05-19 6:24 ` Robert T. Johnson
2003-08-18 21:05 ` Greg KH
2005-05-19 6:24 ` Greg KH
2003-09-10 23:02 ` CQual 0.99 Released: user/kernel pointer bug finding tool Robert T. Johnson
2003-08-28 1:17 ` Robert T. Johnson [this message]
2005-05-19 6:24 ` [PATCH 2.4] i2c-dev user/kernel bug and mem leak Robert T. Johnson
2003-08-29 16:21 ` Jean Delvare
2005-05-19 6:24 ` Jean Delvare
2003-08-29 17:30 ` Robert T. Johnson
2005-05-19 6:24 ` Robert T. Johnson
2005-05-19 6:24 ` Jean Delvare
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1062033440.16799.22.camel@dooby.cs.berkeley.edu \
--to=rtjohnso@eecs.berkeley.edu \
--cc=greg@kroah.com \
--cc=khali@linux-fr.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo@conectiva.com.br \
--cc=sensors@Stimpy.netroedge.com \
--cc=vsu@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.