* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() [not found] <200707290002.42722.jesper.juhl@gmail.com> @ 2007-07-29 4:37 ` Domen Puncer 2007-07-29 6:04 ` Satyam Sharma 0 siblings, 1 reply; 6+ messages in thread From: Domen Puncer @ 2007-07-29 4:37 UTC (permalink / raw) To: Jesper Juhl Cc: Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller, Franco Venturi On 29/07/07 00:02 +0200, Jesper Juhl wrote: > Hi, > > Here's a small patch, prompted by a find by the Coverity checker, > that removes a potential NULL pointer dereference from > drivers/net/sb1000.c::sb1000_dev_ioctl(). > The checker spotted that we do a NULL test of 'dev', yet we > dereference the pointer prior to that check. > This patch simply moves the dereference after the NULL test. But... it can't be called without a valid 'dev', no? A quick 'grep do_ioctl net/' confirms that all calls are in the form of 'dev->do_ioctl(dev, ...'. Domen > @@ -991,11 +991,13 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) > short PID[4]; > int ioaddr[2], status, frequency; > unsigned int stats[5]; > - struct sb1000_private *lp = netdev_priv(dev); > + struct sb1000_private *lp; > > if (!(dev && dev->flags & IFF_UP)) > return -ENODEV; > > + lp = netdev_priv(dev); > + > ioaddr[0] = dev->base_addr; > /* mem_start holds the second I/O address */ > ioaddr[1] = dev->mem_start; > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() 2007-07-29 4:37 ` [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() Domen Puncer @ 2007-07-29 6:04 ` Satyam Sharma 2007-07-29 18:34 ` Satyam Sharma 0 siblings, 1 reply; 6+ messages in thread From: Satyam Sharma @ 2007-07-29 6:04 UTC (permalink / raw) To: Domen Puncer Cc: Jesper Juhl, Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller, Franco Venturi On Sun, 29 Jul 2007, Domen Puncer wrote: > On 29/07/07 00:02 +0200, Jesper Juhl wrote: > > Hi, > > > > Here's a small patch, prompted by a find by the Coverity checker, > > that removes a potential NULL pointer dereference from > > drivers/net/sb1000.c::sb1000_dev_ioctl(). > > The checker spotted that we do a NULL test of 'dev', yet we > > dereference the pointer prior to that check. > > This patch simply moves the dereference after the NULL test. > > But... it can't be called without a valid 'dev', no? > A quick 'grep do_ioctl net/' confirms that all calls are in > the form of 'dev->do_ioctl(dev, ...'. Yup, I think so too ... > > @@ -991,11 +991,13 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) > > short PID[4]; > > int ioaddr[2], status, frequency; > > unsigned int stats[5]; > > - struct sb1000_private *lp = netdev_priv(dev); > > + struct sb1000_private *lp; > > > > if (!(dev && dev->flags & IFF_UP)) > > return -ENODEV; I think we could get rid of the !dev check itself. Actually, the IFF_UP check /also/ looks suspect to me for two reasons: (1) I remember Stephen Hemminger once telling me dev->flags is legacy and unsafe, and one of the netif_xxx() functions be used instead, and, (2) I wonder if we really require the interface to be up and *running* when we do this ioctl. Satyam ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() 2007-07-29 6:04 ` Satyam Sharma @ 2007-07-29 18:34 ` Satyam Sharma 2007-07-29 18:48 ` Michael Buesch 0 siblings, 1 reply; 6+ messages in thread From: Satyam Sharma @ 2007-07-29 18:34 UTC (permalink / raw) To: Domen Puncer Cc: Jesper Juhl, Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller > On Sun, 29 Jul 2007, Domen Puncer wrote: > > > On 29/07/07 00:02 +0200, Jesper Juhl wrote: > > > Hi, > > > > > > Here's a small patch, prompted by a find by the Coverity checker, > > > that removes a potential NULL pointer dereference from > > > drivers/net/sb1000.c::sb1000_dev_ioctl(). > > > The checker spotted that we do a NULL test of 'dev', yet we > > > dereference the pointer prior to that check. > > > This patch simply moves the dereference after the NULL test. > > > > But... it can't be called without a valid 'dev', no? > > A quick 'grep do_ioctl net/' confirms that all calls are in > > the form of 'dev->do_ioctl(dev, ...'. > > Yup, I think so too ... > > > > > @@ -991,11 +991,13 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) > > > short PID[4]; > > > int ioaddr[2], status, frequency; > > > unsigned int stats[5]; > > > - struct sb1000_private *lp = netdev_priv(dev); > > > + struct sb1000_private *lp; > > > > > > if (!(dev && dev->flags & IFF_UP)) > > > return -ENODEV; > > I think we could get rid of the !dev check itself. Actually, the IFF_UP > check /also/ looks suspect to me for two reasons: (1) I remember Stephen > Hemminger once telling me dev->flags is legacy and unsafe, and one of > the netif_xxx() functions be used instead, and, (2) I wonder if we really > require the interface to be up and *running* when we do this ioctl. Updated patch below. [PATCH] sb1000: Remove bogus checks In net_device->do_ioctl() of the sb1000 driver (sb1000_dev_ioctl): (1) !dev condition is always false -- this function cannot be called with NULL net_device. (2) !(dev->flags & IFF_UP) is bogus because the functions of this ioctl can (and should) be allowed even when the interface is not up and running. So let's remove these checks. Signed-off-by: Satyam Sharma <satyam@infradead.org> Cc: Jesper Juhl <jesper.juhl@gmail.com> Cc: Domen Puncer <domen@coderock.org> --- drivers/net/sb1000.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/drivers/net/sb1000.c b/drivers/net/sb1000.c index 1de3eec..f60fe98 100644 --- a/drivers/net/sb1000.c +++ b/drivers/net/sb1000.c @@ -993,9 +993,6 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) unsigned int stats[5]; struct sb1000_private *lp = netdev_priv(dev); - if (!(dev && dev->flags & IFF_UP)) - return -ENODEV; - ioaddr[0] = dev->base_addr; /* mem_start holds the second I/O address */ ioaddr[1] = dev->mem_start; ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() 2007-07-29 18:34 ` Satyam Sharma @ 2007-07-29 18:48 ` Michael Buesch 2007-07-29 19:09 ` Satyam Sharma 0 siblings, 1 reply; 6+ messages in thread From: Michael Buesch @ 2007-07-29 18:48 UTC (permalink / raw) To: Satyam Sharma Cc: Domen Puncer, Jesper Juhl, Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller On Sunday 29 July 2007 20:34:46 Satyam Sharma wrote: > (2) !(dev->flags & IFF_UP) is bogus because the functions of this ioctl > can (and should) be allowed even when the interface is not up and running. Are you _sure_? This function does poke with the device hardware. It might return crap or even machinecheck when not initialized. Hardware is probably powered down, if not IFF_UP. (I don't know if that's the case here, though). > drivers/net/sb1000.c | 3 --- > 1 files changed, 0 insertions(+), 3 deletions(-) > > diff --git a/drivers/net/sb1000.c b/drivers/net/sb1000.c > index 1de3eec..f60fe98 100644 > --- a/drivers/net/sb1000.c > +++ b/drivers/net/sb1000.c > @@ -993,9 +993,6 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) > unsigned int stats[5]; > struct sb1000_private *lp = netdev_priv(dev); > > - if (!(dev && dev->flags & IFF_UP)) > - return -ENODEV; > - -- Greetings Michael. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() 2007-07-29 18:48 ` Michael Buesch @ 2007-07-29 19:09 ` Satyam Sharma 2007-07-29 20:49 ` Michael Buesch 0 siblings, 1 reply; 6+ messages in thread From: Satyam Sharma @ 2007-07-29 19:09 UTC (permalink / raw) To: Michael Buesch Cc: Domen Puncer, Jesper Juhl, Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller, Stephen Hemminger Hi Michael, On Sun, 29 Jul 2007, Michael Buesch wrote: > On Sunday 29 July 2007 20:34:46 Satyam Sharma wrote: > > (2) !(dev->flags & IFF_UP) is bogus because the functions of this ioctl > > can (and should) be allowed even when the interface is not up and running. > > Are you _sure_? This function does poke with the device hardware. > It might return crap or even machinecheck when not initialized. > Hardware is probably powered down, if not IFF_UP. (I don't know if that's > the case here, though). IFF_UP checks if the _interface_ is up -- the hardware / card could still be powered up, but the interface down (ifconfing eth0 down or ip link set eth0 down). Probably what we want here is netif_device_present()? -- I think that should return true only when the *device* itself is up (as in powered) but the interface itself could be down ... Let's wait for comments from the netdev people Cc:'ed here, in that case. > > drivers/net/sb1000.c | 3 --- > > 1 files changed, 0 insertions(+), 3 deletions(-) > > > > diff --git a/drivers/net/sb1000.c b/drivers/net/sb1000.c > > index 1de3eec..f60fe98 100644 > > --- a/drivers/net/sb1000.c > > +++ b/drivers/net/sb1000.c > > @@ -993,9 +993,6 @@ static int sb1000_dev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) > > unsigned int stats[5]; > > struct sb1000_private *lp = netdev_priv(dev); > > > > - if (!(dev && dev->flags & IFF_UP)) > > - return -ENODEV; > > - Satyam ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() 2007-07-29 19:09 ` Satyam Sharma @ 2007-07-29 20:49 ` Michael Buesch 0 siblings, 0 replies; 6+ messages in thread From: Michael Buesch @ 2007-07-29 20:49 UTC (permalink / raw) To: Satyam Sharma Cc: Domen Puncer, Jesper Juhl, Linux Kernel Mailing List, netdev, Steven Hirsch, David S. Miller, Stephen Hemminger On Sunday 29 July 2007 21:09, Satyam Sharma wrote: > Hi Michael, > > > On Sun, 29 Jul 2007, Michael Buesch wrote: > > > On Sunday 29 July 2007 20:34:46 Satyam Sharma wrote: > > > (2) !(dev->flags & IFF_UP) is bogus because the functions of this ioctl > > > can (and should) be allowed even when the interface is not up and running. > > > > Are you _sure_? This function does poke with the device hardware. > > It might return crap or even machinecheck when not initialized. > > Hardware is probably powered down, if not IFF_UP. (I don't know if that's > > the case here, though). > > IFF_UP checks if the _interface_ is up -- the hardware / card could still > be powered up, but the interface down (ifconfing eth0 down or ip link set > eth0 down). Well, that is device/driver dependent and I don't know what's the case for this driver. It's encouraged to shutdown hardware completely (except the WOL parts) when the interface is down. Dunno if this driver does it. But _if_ it does it, it could cause problems to poke with the hardware while down. ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-07-29 20:49 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <200707290002.42722.jesper.juhl@gmail.com>
2007-07-29 4:37 ` [PATCH] sb1000: prevent a potential NULL pointer dereference in sb1000_dev_ioctl() Domen Puncer
2007-07-29 6:04 ` Satyam Sharma
2007-07-29 18:34 ` Satyam Sharma
2007-07-29 18:48 ` Michael Buesch
2007-07-29 19:09 ` Satyam Sharma
2007-07-29 20:49 ` Michael Buesch
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).