Re: [PATCH V2] pinctrl: mvebu: prevent walking off the end of group array
On Wed, 2013-03-13 at 17:48 +, Jason Cooper wrote: > From: David Woodhouse > > While investigating (ab)use of krealloc, David found this bug. It's > unlikely to occur, but now we detect the condition and error out > appropriately. > > Signed-off-by: David Woodhouse > Signed-off-by: Jason Cooper > --- > Changes from v1: > - correct typo (s/ nt / int /) I should've caught before sending. > > David, please double check that this is as you intended. I had to hand-jam it > in due to some peculiarities on my side. Looks fine; thanks. -- David WoodhouseOpen Source Technology Centre david.woodho...@intel.com Intel Corporation smime.p7s Description: S/MIME cryptographic signature
Re: [PATCH V2] pinctrl: mvebu: prevent walking off the end of group array
On Wed, 2013-03-13 at 17:48 +, Jason Cooper wrote: From: David Woodhouse dw...@infradead.org While investigating (ab)use of krealloc, David found this bug. It's unlikely to occur, but now we detect the condition and error out appropriately. Signed-off-by: David Woodhouse david.woodho...@intel.com Signed-off-by: Jason Cooper ja...@lakedaemon.net --- Changes from v1: - correct typo (s/ nt / int /) I should've caught before sending. David, please double check that this is as you intended. I had to hand-jam it in due to some peculiarities on my side. Looks fine; thanks. -- David WoodhouseOpen Source Technology Centre david.woodho...@intel.com Intel Corporation smime.p7s Description: S/MIME cryptographic signature
[PATCH V2] pinctrl: mvebu: prevent walking off the end of group array
From: David Woodhouse
While investigating (ab)use of krealloc, David found this bug. It's
unlikely to occur, but now we detect the condition and error out
appropriately.
Signed-off-by: David Woodhouse
Signed-off-by: Jason Cooper
---
Changes from v1:
- correct typo (s/ nt / int /) I should've caught before sending.
David, please double check that this is as you intended. I had to hand-jam it
in due to some peculiarities on my side.
drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ---
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
index c689c04..5db5fad 100644
--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
@@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = {
.dt_free_map = mvebu_pinctrl_dt_free_map,
};
-static int _add_function(struct mvebu_pinctrl_function *funcs, const char
*name)
+static int _add_function(struct mvebu_pinctrl_function *funcs, int nr_funcs,
+ const char *name)
{
- while (funcs->num_groups) {
+ while (nr_funcs && funcs->num_groups) {
/* function already there */
if (strcmp(funcs->name, name) == 0) {
funcs->num_groups++;
return -EEXIST;
}
funcs++;
+ nr_funcs--;
}
+ if (!nr_funcs)
+ return -EOVERFLOW;
+
funcs->name = name;
funcs->num_groups = 1;
return 0;
@@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct
platform_device *pdev,
int n, s;
/* we allocate functions for number of pins and hope
-* there are less unique functions than pins available */
+* there are fewer unique functions than pins available */
funcs = devm_kzalloc(>dev, pctl->desc.npins *
sizeof(struct mvebu_pinctrl_function), GFP_KERNEL);
if (!funcs)
@@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct
platform_device *pdev,
for (n = 0; n < pctl->num_groups; n++) {
struct mvebu_pinctrl_group *grp = >groups[n];
for (s = 0; s < grp->num_settings; s++) {
+ int ret;
+
/* skip unsupported settings on this variant */
if (pctl->variant &&
!(pctl->variant & grp->settings[s].variant))
continue;
/* check for unique functions and count groups */
- if (_add_function(funcs, grp->settings[s].name))
+ ret = _add_function(funcs, pctl->desc.npins,
+ grp->settings[s].name);
+ if (ret == -EOVERFLOW)
+ dev_err(>dev,
+ "More functions than pins(%d)\n",
+ pctl->desc.npins);
continue;
num++;
}
}
- /* with the number of unique functions and it's groups known,
- reallocate functions and assign group names */
- funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function),
-GFP_KERNEL);
- if (!funcs)
- return -ENOMEM;
-
pctl->num_functions = num;
pctl->functions = funcs;
--
1.8.1.5
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH V2] pinctrl: mvebu: prevent walking off the end of group array
From: David Woodhouse dw...@infradead.org
While investigating (ab)use of krealloc, David found this bug. It's
unlikely to occur, but now we detect the condition and error out
appropriately.
Signed-off-by: David Woodhouse david.woodho...@intel.com
Signed-off-by: Jason Cooper ja...@lakedaemon.net
---
Changes from v1:
- correct typo (s/ nt / int /) I should've caught before sending.
David, please double check that this is as you intended. I had to hand-jam it
in due to some peculiarities on my side.
drivers/pinctrl/mvebu/pinctrl-mvebu.c | 27 ---
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
index c689c04..5db5fad 100644
--- a/drivers/pinctrl/mvebu/pinctrl-mvebu.c
+++ b/drivers/pinctrl/mvebu/pinctrl-mvebu.c
@@ -478,16 +478,21 @@ static struct pinctrl_ops mvebu_pinctrl_ops = {
.dt_free_map = mvebu_pinctrl_dt_free_map,
};
-static int _add_function(struct mvebu_pinctrl_function *funcs, const char
*name)
+static int _add_function(struct mvebu_pinctrl_function *funcs, int nr_funcs,
+ const char *name)
{
- while (funcs-num_groups) {
+ while (nr_funcs funcs-num_groups) {
/* function already there */
if (strcmp(funcs-name, name) == 0) {
funcs-num_groups++;
return -EEXIST;
}
funcs++;
+ nr_funcs--;
}
+ if (!nr_funcs)
+ return -EOVERFLOW;
+
funcs-name = name;
funcs-num_groups = 1;
return 0;
@@ -501,7 +506,7 @@ static int mvebu_pinctrl_build_functions(struct
platform_device *pdev,
int n, s;
/* we allocate functions for number of pins and hope
-* there are less unique functions than pins available */
+* there are fewer unique functions than pins available */
funcs = devm_kzalloc(pdev-dev, pctl-desc.npins *
sizeof(struct mvebu_pinctrl_function), GFP_KERNEL);
if (!funcs)
@@ -510,26 +515,26 @@ static int mvebu_pinctrl_build_functions(struct
platform_device *pdev,
for (n = 0; n pctl-num_groups; n++) {
struct mvebu_pinctrl_group *grp = pctl-groups[n];
for (s = 0; s grp-num_settings; s++) {
+ int ret;
+
/* skip unsupported settings on this variant */
if (pctl-variant
!(pctl-variant grp-settings[s].variant))
continue;
/* check for unique functions and count groups */
- if (_add_function(funcs, grp-settings[s].name))
+ ret = _add_function(funcs, pctl-desc.npins,
+ grp-settings[s].name);
+ if (ret == -EOVERFLOW)
+ dev_err(pdev-dev,
+ More functions than pins(%d)\n,
+ pctl-desc.npins);
continue;
num++;
}
}
- /* with the number of unique functions and it's groups known,
- reallocate functions and assign group names */
- funcs = krealloc(funcs, num * sizeof(struct mvebu_pinctrl_function),
-GFP_KERNEL);
- if (!funcs)
- return -ENOMEM;
-
pctl-num_functions = num;
pctl-functions = funcs;
--
1.8.1.5
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
