From mboxrd@z Thu Jan  1 00:00:00 1970
From: Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [net-next 07/14] ixgbe: eliminate Smatch warnings in
 ixgbe_debugfs.c
Date: Fri, 26 Oct 2012 15:41:22 +0300
Message-ID: <20121026124122.GJ20754@mwanda>
References: <1351252702-16532-1-git-send-email-jeffrey.t.kirsher@intel.com>
 <1351252702-16532-8-git-send-email-jeffrey.t.kirsher@intel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: davem@davemloft.net,
	"joshua.a.hay@intel.com" <joshua.a.hay@intel.com>,
	netdev@vger.kernel.org, gospo@redhat.com, sassmann@redhat.com
To: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from rcsinet15.oracle.com ([148.87.113.117]:27701 "EHLO
	rcsinet15.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1758630Ab2JZMlo (ORCPT
	<rfc822;netdev@vger.kernel.org>); Fri, 26 Oct 2012 08:41:44 -0400
Content-Disposition: inline
In-Reply-To: <1351252702-16532-8-git-send-email-jeffrey.t.kirsher@intel.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

On Fri, Oct 26, 2012 at 04:58:15AM -0700, Jeff Kirsher wrote:
> From: "joshua.a.hay@intel.com" <joshua.a.hay@intel.com>
> 
> This patch replaces calls to copy_to_user, copy_from_user, and the associated
> logic, with calls to simple_read_from_buffer and simple_write_to_buffer
> respectively.  This was done to eliminate warnings generated by the Smatch
> static analysis tool.

There were some bugs, it wasn't just about silencing warnings.

> +	buf = kasprintf(GFP_KERNEL, "%s: %s\n",
> +			adapter->netdev->name,
> +			ixgbe_dbg_reg_ops_buf);
> +	if (!buf)
> +		return -ENOMEM;
> +
> +	if (count < strlen(buf))
>  		return -ENOSPC;

You need a kfree(buf) here.

> -	ixgbe_dbg_reg_ops_buf[count] = '\0';
> +	len = simple_write_to_buffer(ixgbe_dbg_reg_ops_buf,
> +				     sizeof(ixgbe_dbg_reg_ops_buf),

This should be "sizeof(ixgbe_dbg_reg_ops_buf) - 1" to leave space
for the NUL terminator.

> +				     ppos,
> +				     buffer,
> +				     count);
> +	ixgbe_dbg_reg_ops_buf[len] = '\0';

simple_write_to_buffer() returns negative error codes so this could
corrupt memory.


> +	buf = kasprintf(GFP_KERNEL, "%s: %s\n",
> +			adapter->netdev->name,
> +			ixgbe_dbg_netdev_ops_buf);
> +	if (!buf)
> +		return -ENOMEM;
>  
> -	*ppos = len;
> +	if (count < strlen(buf))
> +		return -ENOSPC;

Missing kfree().

> -	ixgbe_dbg_netdev_ops_buf[count] = '\0';
> +	len = simple_write_to_buffer(ixgbe_dbg_netdev_ops_buf,
> +				     sizeof(ixgbe_dbg_netdev_ops_buf),
> +				     ppos,
> +				     buffer,
> +				     count);
> +	ixgbe_dbg_netdev_ops_buf[len] = '\0';

Same issues as before.

regards,
dan carpenter