From: Dan Carpenter <dan.carpenter@oracle.com>
To: Riley Andrews <riandrews@android.com>
Cc: linux-kernel@vger.kernel.org,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
devel@driverdev.osuosl.org
Subject: Re: [PATCH 13/13] android: binder: add function for processing work nodes in binder_thread_read
Date: Fri, 29 May 2015 14:56:16 +0300 [thread overview]
Message-ID: <20150529115616.GK28762@mwanda> (raw)
In-Reply-To: <1432854511-33320-14-git-send-email-riandrews@android.com>
On Thu, May 28, 2015 at 04:08:31PM -0700, Riley Andrews wrote:
> -done:
> +static int binder_thread_read(struct binder_proc *proc,
> + struct binder_thread *thread,
> + binder_uintptr_t binder_buffer, size_t size,
> + binder_size_t *consumed, int non_block)
> +{
> + void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
> + void __user *ptr = buffer + *consumed;
> + void __user *end = buffer + size;
> + bool wait_for_proc_work;
> +
> + int ret = 0;
> +
> + if (*consumed == 0) {
> + if (put_user(BR_NOOP, (uint32_t __user *)ptr))
> + return -EFAULT;
> + ptr += sizeof(uint32_t);
> + }
> +
> + do {
> + if (thread->return_error != BR_OK) {
> + ret = binder_handle_thread_error(thread, &ptr, end);
> + if (ret < 0)
> + return ret;
> + break;
> + }
> + if (!thread->transaction_stack && list_empty(&thread->todo))
> + wait_for_proc_work = true;
> + else
> + wait_for_proc_work = false;
> +
> + ret = binder_wait_for_work(thread, non_block,
> + wait_for_proc_work);
> + if (ret)
> + return ret;
> +
> + ret = binder_thread_read_do_work(thread, wait_for_proc_work,
> + buffer, end, &ptr);
> + if (ret)
> + return ret;
> + } while ((ptr - buffer == 4) &&
> + !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN) &&
> + ((end - ptr) >= sizeof(struct binder_transaction_data) + 4));
"end" and "buffer" don't change so we could move check:
((end - ptr) >= sizeof(struct binder_transaction_data) + 4)
to the start of the function. I may have missed something because I'm
not terribly familiar with this code.
I don't really like the way this condition is written because if "ptr"
were greater than "end" it would be true. This seems like something
that might happen. Pass in bwr.read_size = 1. When we do the first
ptr += sizeof(uint32_t); then "end" is less than "ptr".
This condition was there in the original code as well so it's not
something the patch introduced but it worries me every time I look at
it, even if it turns out that it's not a problem.
Please write it like:
(ptr + sizeof(struct binder_transaction_data) + 4 <= end)
or whatever so that we don't have to think about negative numbers.
regards,
dan carpenter
prev parent reply other threads:[~2015-05-29 11:56 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-28 23:08 [PATCH 0/13] Binder driver refactor and minor bug fixes Riley Andrews
2015-05-28 23:08 ` [PATCH 01/13] drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE Riley Andrews
2015-05-29 9:23 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 02/13] android: binder: fix duplicate error return Riley Andrews
2015-05-28 23:08 ` [PATCH 03/13] android: binder: refactor binder_thread_write Riley Andrews
2015-05-29 10:06 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 04/13] android: binder: refactor binder_transact handle translation Riley Andrews
2015-05-28 23:08 ` [PATCH 05/13] android: binder: refactor binder_transact transaction buffer loop Riley Andrews
2015-05-29 10:25 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 06/13] android: binder: add function to find target binder node Riley Andrews
2015-05-28 23:08 ` [PATCH 07/13] android: binder: add functions for manipulating transaction stack Riley Andrews
2015-05-28 23:08 ` [PATCH 08/13] android: binder: add function for logging failed transactions Riley Andrews
2015-05-28 23:08 ` [PATCH 09/13] android: binder: add function for finding prior thread in transaction stack Riley Andrews
2015-05-28 23:08 ` [PATCH 10/13] android: binder: refactor binder_thread_read loop Riley Andrews
2015-05-28 23:08 ` [PATCH 11/13] android: binder: add function to handle waiting for binder_thread_read Riley Andrews
2015-05-28 23:08 ` [PATCH 12/13] android: binder: add function to pass thread errors to userspace Riley Andrews
2015-05-28 23:08 ` [PATCH 13/13] android: binder: add function for processing work nodes in binder_thread_read Riley Andrews
2015-05-29 11:56 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150529115616.GK28762@mwanda \
--to=dan.carpenter@oracle.com \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=riandrews@android.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.