From: Dan Carpenter <dan.carpenter@oracle.com>
To: Riley Andrews <riandrews@android.com>
Cc: linux-kernel@vger.kernel.org,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Arve Hjønnevåg" <arve@android.com>,
devel@driverdev.osuosl.org
Subject: Re: [PATCH 13/13] android: binder: add function for processing work nodes in binder_thread_read
Date: Fri, 29 May 2015 14:56:16 +0300 [thread overview]
Message-ID: <20150529115616.GK28762@mwanda> (raw)
In-Reply-To: <1432854511-33320-14-git-send-email-riandrews@android.com>
On Thu, May 28, 2015 at 04:08:31PM -0700, Riley Andrews wrote:
> -done:
> +static int binder_thread_read(struct binder_proc *proc,
> + struct binder_thread *thread,
> + binder_uintptr_t binder_buffer, size_t size,
> + binder_size_t *consumed, int non_block)
> +{
> + void __user *buffer = (void __user *)(uintptr_t)binder_buffer;
> + void __user *ptr = buffer + *consumed;
> + void __user *end = buffer + size;
> + bool wait_for_proc_work;
> +
> + int ret = 0;
> +
> + if (*consumed == 0) {
> + if (put_user(BR_NOOP, (uint32_t __user *)ptr))
> + return -EFAULT;
> + ptr += sizeof(uint32_t);
> + }
> +
> + do {
> + if (thread->return_error != BR_OK) {
> + ret = binder_handle_thread_error(thread, &ptr, end);
> + if (ret < 0)
> + return ret;
> + break;
> + }
> + if (!thread->transaction_stack && list_empty(&thread->todo))
> + wait_for_proc_work = true;
> + else
> + wait_for_proc_work = false;
> +
> + ret = binder_wait_for_work(thread, non_block,
> + wait_for_proc_work);
> + if (ret)
> + return ret;
> +
> + ret = binder_thread_read_do_work(thread, wait_for_proc_work,
> + buffer, end, &ptr);
> + if (ret)
> + return ret;
> + } while ((ptr - buffer == 4) &&
> + !(thread->looper & BINDER_LOOPER_STATE_NEED_RETURN) &&
> + ((end - ptr) >= sizeof(struct binder_transaction_data) + 4));
"end" and "buffer" don't change so we could move check:
((end - ptr) >= sizeof(struct binder_transaction_data) + 4)
to the start of the function. I may have missed something because I'm
not terribly familiar with this code.
I don't really like the way this condition is written because if "ptr"
were greater than "end" it would be true. This seems like something
that might happen. Pass in bwr.read_size = 1. When we do the first
ptr += sizeof(uint32_t); then "end" is less than "ptr".
This condition was there in the original code as well so it's not
something the patch introduced but it worries me every time I look at
it, even if it turns out that it's not a problem.
Please write it like:
(ptr + sizeof(struct binder_transaction_data) + 4 <= end)
or whatever so that we don't have to think about negative numbers.
regards,
dan carpenter
prev parent reply other threads:[~2015-05-29 11:56 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-28 23:08 [PATCH 0/13] Binder driver refactor and minor bug fixes Riley Andrews
2015-05-28 23:08 ` [PATCH 01/13] drivers: android: correct the size of struct binder_uintptr_t for BC_DEAD_BINDER_DONE Riley Andrews
2015-05-29 9:23 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 02/13] android: binder: fix duplicate error return Riley Andrews
2015-05-28 23:08 ` [PATCH 03/13] android: binder: refactor binder_thread_write Riley Andrews
2015-05-29 10:06 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 04/13] android: binder: refactor binder_transact handle translation Riley Andrews
2015-05-28 23:08 ` [PATCH 05/13] android: binder: refactor binder_transact transaction buffer loop Riley Andrews
2015-05-29 10:25 ` Dan Carpenter
2015-05-28 23:08 ` [PATCH 06/13] android: binder: add function to find target binder node Riley Andrews
2015-05-28 23:08 ` [PATCH 07/13] android: binder: add functions for manipulating transaction stack Riley Andrews
2015-05-28 23:08 ` [PATCH 08/13] android: binder: add function for logging failed transactions Riley Andrews
2015-05-28 23:08 ` [PATCH 09/13] android: binder: add function for finding prior thread in transaction stack Riley Andrews
2015-05-28 23:08 ` [PATCH 10/13] android: binder: refactor binder_thread_read loop Riley Andrews
2015-05-28 23:08 ` [PATCH 11/13] android: binder: add function to handle waiting for binder_thread_read Riley Andrews
2015-05-28 23:08 ` [PATCH 12/13] android: binder: add function to pass thread errors to userspace Riley Andrews
2015-05-28 23:08 ` [PATCH 13/13] android: binder: add function for processing work nodes in binder_thread_read Riley Andrews
2015-05-29 11:56 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150529115616.GK28762@mwanda \
--to=dan.carpenter@oracle.com \
--cc=arve@android.com \
--cc=devel@driverdev.osuosl.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=riandrews@android.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox