[patch] cxgb4: memory corruption in debugfs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Hariprasad S <hariprasad@chelsio.com>
Cc: netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] cxgb4: memory corruption in debugfs
Date: Tue, 18 Aug 2015 09:31:44 +0000	[thread overview]
Message-ID: <20150818093144.GG3965@mwanda> (raw)

You can't use kstrtoul() with an int or it causes memory corruption.
Also j should be unsigned or we have underflow bugs.

I considered changing "j" to unsigned long but everything fits in a u32.

Fixes: 8e3d04fd7d70 ('cxgb4: Add MPS tracing support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
index 1732e29..0a87a32 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
@@ -1289,13 +1289,14 @@ static unsigned int xdigit2int(unsigned char c)
 static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 			     size_t count, loff_t *pos)
 {
-	int i, j, enable, ret;
+	int i, enable, ret;
 	u32 *data, *mask;
 	struct trace_params tp;
 	const struct inode *ino;
 	unsigned int trcidx;
 	char *s, *p, *word, *end;
 	struct adapter *adap;
+	u32 j;
 
 	ino = file_inode(file);
 	trcidx = (uintptr_t)ino->i_private & 3;
@@ -1340,7 +1341,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 
 		if (!strncmp(word, "qid=", 4)) {
 			end = (char *)word + 4;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret)
 				goto out;
 			if (!adap->trace_rss) {
@@ -1369,7 +1370,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 		}
 		if (!strncmp(word, "snaplen=", 8)) {
 			end = (char *)word + 8;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret || j > 9600) {
 inval:				count = -EINVAL;
 				goto out;
@@ -1379,7 +1380,7 @@ inval:				count = -EINVAL;
 		}
 		if (!strncmp(word, "minlen=", 7)) {
 			end = (char *)word + 7;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret || j > TFMINPKTSIZE_M)
 				goto inval;
 			tp.min_len = j;
@@ -1453,7 +1454,7 @@ inval:				count = -EINVAL;
 		}
 		if (*word = '@') {
 			end = (char *)word + 1;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (*end && *end != '\n')
 				goto inval;
 			if (j & 7)          /* doesn't start at multiple of 8 */

WARNING: multiple messages have this Message-ID (diff)

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Hariprasad S <hariprasad@chelsio.com>
Cc: netdev@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [patch] cxgb4: memory corruption in debugfs
Date: Tue, 18 Aug 2015 12:31:44 +0300	[thread overview]
Message-ID: <20150818093144.GG3965@mwanda> (raw)

You can't use kstrtoul() with an int or it causes memory corruption.
Also j should be unsigned or we have underflow bugs.

I considered changing "j" to unsigned long but everything fits in a u32.

Fixes: 8e3d04fd7d70 ('cxgb4: Add MPS tracing support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
index 1732e29..0a87a32 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_debugfs.c
@@ -1289,13 +1289,14 @@ static unsigned int xdigit2int(unsigned char c)
 static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 			     size_t count, loff_t *pos)
 {
-	int i, j, enable, ret;
+	int i, enable, ret;
 	u32 *data, *mask;
 	struct trace_params tp;
 	const struct inode *ino;
 	unsigned int trcidx;
 	char *s, *p, *word, *end;
 	struct adapter *adap;
+	u32 j;
 
 	ino = file_inode(file);
 	trcidx = (uintptr_t)ino->i_private & 3;
@@ -1340,7 +1341,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 
 		if (!strncmp(word, "qid=", 4)) {
 			end = (char *)word + 4;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret)
 				goto out;
 			if (!adap->trace_rss) {
@@ -1369,7 +1370,7 @@ static ssize_t mps_trc_write(struct file *file, const char __user *buf,
 		}
 		if (!strncmp(word, "snaplen=", 8)) {
 			end = (char *)word + 8;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret || j > 9600) {
 inval:				count = -EINVAL;
 				goto out;
@@ -1379,7 +1380,7 @@ inval:				count = -EINVAL;
 		}
 		if (!strncmp(word, "minlen=", 7)) {
 			end = (char *)word + 7;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (ret || j > TFMINPKTSIZE_M)
 				goto inval;
 			tp.min_len = j;
@@ -1453,7 +1454,7 @@ inval:				count = -EINVAL;
 		}
 		if (*word == '@') {
 			end = (char *)word + 1;
-			ret = kstrtoul(end, 10, (unsigned long *)&j);
+			ret = kstrtouint(end, 10, &j);
 			if (*end && *end != '\n')
 				goto inval;
 			if (j & 7)          /* doesn't start at multiple of 8 */

next             reply	other threads:[~2015-08-18  9:31 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-08-18  9:31 Dan Carpenter [this message]
2015-08-18  9:31 ` [patch] cxgb4: memory corruption in debugfs Dan Carpenter
2015-08-18 10:28 ` Tetsuo Handa
2015-08-18 10:28   ` Tetsuo Handa
2015-08-18 10:38   ` Dan Carpenter
2015-08-18 10:38     ` Dan Carpenter
2015-08-19  2:07 ` David Miller
2015-08-19  2:07   ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:1732e29 dfblob:0a87a32 dfblob:1732e29 dfblob:0a87a32 )
 OR (
bs:"[patch] cxgb4: memory corruption in debugfs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150818093144.GG3965@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=hariprasad@chelsio.com \
    --cc=kernel-janitors@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.