Re: Finding user/kernel pointer bugs [no html]

From: Greg KH
Date: Thu Jun 10 2004 - 14:12:59 EST

Next message: Leon Woestenberg: "Re: Insults in the kernel-sources"
Previous message: Måns Rullgård: "Re: Insults in the kernel-sources"
In reply to: Greg KH: "Re: Finding user/kernel pointer bugs [no html]"
Next in thread: viro: "Re: Finding user/kernel pointer bugs [no html]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 10, 2004 at 09:58:21AM -0700, Greg KH wrote:
> On Thu, Jun 10, 2004 at 05:49:03AM +0100, viro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> > > bugs in drivers/usb/core/devio.c:proc_control() even though that
> > > function has been annotated (this is not the first time cqual has found
> > > bugs in code audited by sparse). I didn't write any annotations in any
> >
> > sparse gives warnings on lines 272, 293, 561, 581, 976, 979, 982, 989, 992.
>
> Ick, sorry, I haven't run sparse on the usb tree in a while, I'll do
> that today and fix it all up.

And to be complete, here's a patch to clean up the warnings in the
drivers/i2c tree. I've also applied it to my trees.

thanks,

greg k-h

# I2C: sparse cleanups for drivers/i2c/*
#
# Signed-off-by: Greg Kroah-Hartman <greg@xxxxxxxxx>

diff -Nru a/drivers/i2c/chips/it87.c b/drivers/i2c/chips/it87.c
--- a/drivers/i2c/chips/it87.c Thu Jun 10 12:09:08 2004
+++ b/drivers/i2c/chips/it87.c Thu Jun 10 12:09:08 2004
@@ -170,8 +170,11 @@
static int DIV_TO_REG(int val)
{
int answer = 0;
- while ((val >>= 1))
+ val >>= 1;
+ while (val) {
answer++;
+ val >>= 1;
+ }
return answer;
}
#define DIV_FROM_REG(val) (1 << (val))
diff -Nru a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
--- a/drivers/i2c/i2c-dev.c Thu Jun 10 12:09:08 2004
+++ b/drivers/i2c/i2c-dev.c Thu Jun 10 12:09:08 2004
@@ -181,7 +181,7 @@
struct i2c_smbus_ioctl_data data_arg;
union i2c_smbus_data temp;
struct i2c_msg *rdwr_pa;
- u8 **data_ptrs;
+ u8 __user **data_ptrs;
int i,datasize,res;
unsigned long funcs;

@@ -238,8 +238,7 @@
return -EFAULT;
}

- data_ptrs = (u8 **) kmalloc(rdwr_arg.nmsgs * sizeof(u8 *),
- GFP_KERNEL);
+ data_ptrs = kmalloc(rdwr_arg.nmsgs * sizeof(u8 __user *), GFP_KERNEL);
if (data_ptrs == NULL) {
kfree(rdwr_pa);
return -ENOMEM;
@@ -252,7 +251,7 @@
res = -EINVAL;
break;
}
- data_ptrs[i] = rdwr_pa[i].buf;
+ data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
rdwr_pa[i].buf = kmalloc(rdwr_pa[i].len, GFP_KERNEL);
if(rdwr_pa[i].buf == NULL) {
res = -ENOMEM;
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Leon Woestenberg: "Re: Insults in the kernel-sources"
Previous message: Måns Rullgård: "Re: Insults in the kernel-sources"
In reply to: Greg KH: "Re: Finding user/kernel pointer bugs [no html]"
Next in thread: viro: "Re: Finding user/kernel pointer bugs [no html]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]