Re: add Packet hub driver for Topcliff Platform controller hub

Tomoya MORINAGA Tue, 08 Jan 2013 02:30:53 -0800

Hi Dan,

On Mon, Jan 7, 2013 at 6:02 PM, Dan Carpenter <dan.carpen...@oracle.com> wrote:
> The patch cf4ece53460c: "add Packet hub driver for Topcliff Platform
> controller hub" from Sep 1, 2010, leads to the following warning:
> drivers/misc/pch_phub.c:596 pch_phub_bin_write()
>          error: buffer overflow 'buf' 4096 <= 15359
>
> Sorry my question is about an old patch.  Smatch complains because we
> only pass a PAGE_SIZE buffer to sysfs files so the test for
> "if (count > PCH_PHUB_OROM_SIZE) {" makes it think we are overflowing.
> In fact, count is never more than 4096 so there is no overflow, but I
> also think that it means only the first 4096 bytes of the firmware gets
> updated.
>
> drivers/misc/pch_phub.c
>    560  static ssize_t pch_phub_bin_write(struct file *filp, struct kobject 
> *kobj,
>    561                                    struct bin_attribute *attr,
>    562                                    char *buf, loff_t off, size_t count)
>    563  {
>    564          int err;
>    565          unsigned int addr_offset;
>    566          int ret;
>    567          ssize_t rom_size;
>    568          struct pch_phub_reg *chip =
>    569                  dev_get_drvdata(container_of(kobj, struct device, 
> kobj));
>    570
>    571          ret = mutex_lock_interruptible(&pch_phub_mutex);
>    572          if (ret)
>    573                  return -ERESTARTSYS;
>    574
>    575          if (off > PCH_PHUB_OROM_SIZE) {
>    576                  addr_offset = 0;
>    577                  goto return_ok;
>    578          }
>    579          if (count > PCH_PHUB_OROM_SIZE) {
>                             ^^^^^^^^^^^^^^^^^^
> This is 15359.
>
>    580                  addr_offset = 0;
>    581                  goto return_ok;
>    582          }
>    583
>    584          chip->pch_phub_extrom_base_address = pci_map_rom(chip->pdev, 
> &rom_size);
>    585          if (!chip->pch_phub_extrom_base_address) {
>    586                  err = -ENOMEM;
>    587                  goto exrom_map_err;
>    588          }
>    589
>    590          for (addr_offset = 0; addr_offset < count; addr_offset++) {
>    591                  if (PCH_PHUB_OROM_SIZE < off + addr_offset)
>    592                          goto return_ok;
>    593
>    594                  ret = pch_phub_write_serial_rom(chip,
>    595                              chip->pch_opt_rom_start_address + 
> addr_offset + off,
>    596                              buf[addr_offset]);
>                                     ^^^^^^^^^^^^^^^^
> Smatch complains because "buf" is only 4096 bytes.
>


I can understand your saying.

You mean just delete the following condition ?

579          if (count > PCH_PHUB_OROM_SIZE) {

Thanks.

-- 
ROHM Co., Ltd.
tomoya
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Re: add Packet hub driver for Topcliff Platform controller hub

Reply via email to