All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: viresh.kumar@linaro.org
Cc: linux-pm@vger.kernel.org
Subject: re: thermal: cpu_cooling: Use cpufreq_dev->freq_table for finding level/freq
Date: Wed, 10 Jun 2015 18:02:12 +0300	[thread overview]
Message-ID: <20150610150211.GA30208@mwanda> (raw)

Hello Viresh Kumar,

The patch 4843c4a19049: "thermal: cpu_cooling: Use
cpufreq_dev->freq_table for finding level/freq" from Dec 4, 2014,
leads to the following static checker warning:

	drivers/thermal/cpu_cooling.c:163 get_level()
	warn: potential off by one 'cpufreq_dev->freq_table[]' limit 'cpufreq_dev->max_level'

drivers/thermal/cpu_cooling.c
   157  static unsigned long get_level(struct cpufreq_cooling_device *cpufreq_dev,
   158                                 unsigned int freq)
   159  {
   160          unsigned long level;
   161  
   162          for (level = 0; level <= cpufreq_dev->max_level; level++) {
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   163                  if (freq == cpufreq_dev->freq_table[level])
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Reading beyond the end of the array.

   164                          return level;
   165  
   166                  if (freq > cpufreq_dev->freq_table[level])
   167                          break;
   168          }
   169  
   170          return THERMAL_CSTATE_INVALID;
   171  }

The truth is that I have lots of checks that I can't publish, like for
example, if you use something with the word "size" or "max" as an index.
Obviously, it looks like <= should probably be < but just because it
looks wrong doesn't mean it is wrong.  I searched for ->max_level and
read the documentation:

  * @max_level: maximum cooling level. One less than total number of valid
  *     cpufreq frequencies.

The documentation is very clear that this loop is correct.  It also
turns out that it used consistently almost throughout.  But when I see
these unusual limits, I know it is often difficult to be 100%
consistent so I kept looking.  It turns out there is off by one mistake
when we allocate the buffer.

        cpufreq_dev->freq_table = kmalloc(sizeof(*cpufreq_dev->freq_table) *
                                          cpufreq_dev->max_level, GFP_KERNEL);

It should be allocating:

	sizeof(*cpufreq_dev->freq_table) * (cpufreq_dev->max_level + 1)

We could just change the allocation, but really this kind of unusual
limit is just going to cause more headaches in the future...

regards,
dan carpenter

             reply	other threads:[~2015-06-10 15:02 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-06-10 15:02 Dan Carpenter [this message]
2015-06-11  3:05 ` thermal: cpu_cooling: Use cpufreq_dev->freq_table for finding level/freq Viresh Kumar
2015-06-11  7:14   ` Dan Carpenter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150610150211.GA30208@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-pm@vger.kernel.org \
    --cc=viresh.kumar@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.