From: greg@kroah.com (Greg KH)
To: viro@parcelfarce.linux.theplanet.co.uk, sensors@stimpy.netroedge.com
Cc: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>,
	Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Finding user/kernel pointer bugs [no html]
Date: Thu, 19 May 2005 06:25:01 +0000
Message-ID: <20040610191004.GA1661@kroah.com>
In-Reply-To: <20040610165821.GB32577@kroah.com>

On Thu, Jun 10, 2004 at 09:58:21AM -0700, Greg KH wrote:
> On Thu, Jun 10, 2004 at 05:49:03AM +0100, viro@parcelfarce.linux.theplanet.co.uk wrote:
> > > bugs in drivers/usb/core/devio.c:proc_control() even though that
> > > function has been annotated (this is not the first time cqual has found
> > > bugs in code audited by sparse).   I didn't write any annotations in any
> > 
> > sparse gives warnings on lines 272, 293, 561, 581, 976, 979, 982, 989, 992.
> 
> Ick, sorry, I haven't run sparse on the usb tree in a while, I'll do
> that today and fix it all up.

And to be complete, here's a patch to clean up the warnings in the
drivers/i2c tree.  I've also applied it to my trees.

thanks,

greg k-h


# I2C: sparse cleanups for drivers/i2c/*
# 
# Signed-off-by: Greg Kroah-Hartman <greg@kroah.com>

diff -Nru a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
--- a/drivers/i2c/chips/it87.c	Thu Jun 10 12:09:08 2004
+++ b/drivers/i2c/chips/it87.c	Thu Jun 10 12:09:08 2004
@@ -170,8 +170,11 @@
 static int DIV_TO_REG(int val)
 {
 	int answer = 0;
-	while ((val >>= 1))
+	val >>= 1;
+	while (val) {
 		answer++;
+		val >>= 1;
+	}
 	return answer;
 }
 #define DIV_FROM_REG(val) (1 << (val))
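Review bot: in DIV_TO_REG(), the rewritten loop still ends only when val reaches zero, and val is a signed int. Right-shifting a negative int is implementation-defined, and with an arithmetic shift it settles at -1, so a negative argument would never leave "while (val)". Since the loop is being rewritten anyway, consider an unsigned parameter or rejecting val < 0 before the first shift. The changelog could also name the sparse warning this form addresses, because the behaviour is otherwise the same as the old one-line loop.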
diff -Nru a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
--- a/drivers/i2c/i2c-dev.c	Thu Jun 10 12:09:08 2004
+++ b/drivers/i2c/i2c-dev.c	Thu Jun 10 12:09:08 2004
@@ -181,7 +181,7 @@
 	struct i2c_smbus_ioctl_data data_arg;
 	union i2c_smbus_data temp;
 	struct i2c_msg *rdwr_pa;
-	u8 **data_ptrs;
+	u8 __user **data_ptrs;
 	int i,datasize,res;
 	unsigned long funcs;
 
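Review bot: the new declaration "u8 __user **data_ptrs;" should carry a one-line comment saying it is a kernel-side array that stores the user-space addresses taken from rdwr_pa[i].buf. The position of the qualifier is easy to misread as marking the array itself as user memory, and that distinction matters to anyone who later dereferences data_ptrs[i].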
@@ -238,8 +238,7 @@
 			return -EFAULT;
 		}
 
-		data_ptrs = (u8 **) kmalloc(rdwr_arg.nmsgs * sizeof(u8 *),
-					    GFP_KERNEL);
+		data_ptrs = kmalloc(rdwr_arg.nmsgs * sizeof(u8 __user *), GFP_KERNEL);
 		if (data_ptrs = NULL) {
 			kfree(rdwr_pa);
 			return -ENOMEM;
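Review bot: the allocation size "rdwr_arg.nmsgs * sizeof(u8 __user *)" has no visible bound on nmsgs in this hunk, and the -EFAULT return just above suggests rdwr_arg comes from the caller. Please confirm an upper limit on nmsgs is enforced before this line so the multiplication cannot wrap and under-allocate the array indexed by i further down. As a style point, dropping the cast is fine, but the joined line is about 86 columns at this indentation; keeping the break after the comma stays within 80.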
@@ -252,7 +251,7 @@
 				res = -EINVAL;
 				break;
 			}
-			data_ptrs[i] = rdwr_pa[i].buf;
+			data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
 			rdwr_pa[i].buf = kmalloc(rdwr_pa[i].len, GFP_KERNEL);
 			if(rdwr_pa[i].buf = NULL) {
 				res = -ENOMEM;
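Review bot: the cast in "data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;" quiets sparse without resolving the type problem behind the warning. On this line rdwr_pa[i].buf holds a user address, and on the very next line the same field is overwritten with a kmalloc() result, so one unannotated member carries both address spaces and sparse cannot check either use. A comment at the cast stating that buf still holds the user pointer here would help, and longer term the user-supplied messages could be read through a type whose buf member is declared __user so no cast is needed.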

WARNING: multiple messages have this Message-ID
From: Greg KH <greg@kroah.com>
To: viro@parcelfarce.linux.theplanet.co.uk, sensors@stimpy.netroedge.com
Cc: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>,
	Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: Finding user/kernel pointer bugs [no html]
Date: Thu, 10 Jun 2004 12:10:04 -0700
Message-ID: <20040610191004.GA1661@kroah.com>
In-Reply-To: <20040610165821.GB32577@kroah.com>
