From: Dan Carpenter <dan.carpenter@oracle.com>
To: masa-korg@dsn.okisemi.com
Cc: Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org,
Tomoya MORINAGA <tomoya.rohm@gmail.com>
Subject: re: add Packet hub driver for Topcliff Platform controller hub
Date: Mon, 7 Jan 2013 12:02:10 +0300 [thread overview]
Message-ID: <20130107090210.GA20716@elgon.mountain> (raw)
Hi Masayuki Ohtak,
The patch cf4ece53460c: "add Packet hub driver for Topcliff Platform
controller hub" from Sep 1, 2010, leads to the following warning:
drivers/misc/pch_phub.c:596 pch_phub_bin_write()
error: buffer overflow 'buf' 4096 <= 15359
Sorry my question is about an old patch. Smatch complains because we
only pass a PAGE_SIZE buffer to sysfs files so the test for
"if (count > PCH_PHUB_OROM_SIZE) {" makes it think we are overflowing.
In fact, count is never more than 4096 so there is no overflow, but I
also think that it means only the first 4096 bytes of the firmware gets
updated.
drivers/misc/pch_phub.c
560 static ssize_t pch_phub_bin_write(struct file *filp, struct kobject *kobj,
561 struct bin_attribute *attr,
562 char *buf, loff_t off, size_t count)
563 {
564 int err;
565 unsigned int addr_offset;
566 int ret;
567 ssize_t rom_size;
568 struct pch_phub_reg *chip =
569 dev_get_drvdata(container_of(kobj, struct device, kobj));
570
571 ret = mutex_lock_interruptible(&pch_phub_mutex);
572 if (ret)
573 return -ERESTARTSYS;
574
575 if (off > PCH_PHUB_OROM_SIZE) {
576 addr_offset = 0;
577 goto return_ok;
578 }
579 if (count > PCH_PHUB_OROM_SIZE) {
^^^^^^^^^^^^^^^^^^
This is 15359.
580 addr_offset = 0;
581 goto return_ok;
582 }
583
584 chip->pch_phub_extrom_base_address = pci_map_rom(chip->pdev, &rom_size);
585 if (!chip->pch_phub_extrom_base_address) {
586 err = -ENOMEM;
587 goto exrom_map_err;
588 }
589
590 for (addr_offset = 0; addr_offset < count; addr_offset++) {
591 if (PCH_PHUB_OROM_SIZE < off + addr_offset)
592 goto return_ok;
593
594 ret = pch_phub_write_serial_rom(chip,
595 chip->pch_opt_rom_start_address + addr_offset + off,
596 buf[addr_offset]);
^^^^^^^^^^^^^^^^
Smatch complains because "buf" is only 4096 bytes.
regards,
dan carpenter
next reply other threads:[~2013-01-07 9:02 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-07 9:02 Dan Carpenter [this message]
2013-01-08 10:30 ` add Packet hub driver for Topcliff Platform controller hub Tomoya MORINAGA
2013-01-08 11:38 ` Dan Carpenter
2013-01-08 10:49 ` Arnd Bergmann
2013-01-08 11:48 ` Dan Carpenter
2013-01-08 11:56 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130107090210.GA20716@elgon.mountain \
--to=dan.carpenter@oracle.com \
--cc=arnd@arndb.de \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masa-korg@dsn.okisemi.com \
--cc=tomoya.rohm@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.