On Sun, Nov 4, 2018 at 8:05 PM Sudeep Dutt wrote:
>
> On Thu, 2018-10-18 at 14:46 -0500, Wenwen Wang wrote:
> > In _scif_prog_signal(), a DMA pool is allocated if the MIC Coprocessor is
> > not X100, i.e., the boolean variable 'x100' is false. This DMA pool will be
> >
On Mon, Oct 29, 2018 at 4:32 PM Alex Williamson
wrote:
>
> On Mon, 29 Oct 2018 13:56:54 -0500
> Wenwen Wang wrote:
>
> > Hello,
> >
> > Could you please apply this patch? Thanks!
>
> I'd like to see testing and/or review from David or Alexey since I also
>
Hello,
Could you please apply this patch? Thanks!
Wenwen
On Wed, Oct 17, 2018 at 2:18 PM Wenwen Wang wrote:
>
> In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> the user-space buffer 'arg' is copied to the kernel object 'op' and the
> 'argsz' and 'flags' f
Hello,
Can anyone confirm this bug? Thanks!
Wenwen
On Fri, Oct 19, 2018 at 9:12 AM Wenwen Wang wrote:
>
> In dvb_audio_write(), the first byte of the user-space buffer 'buf' is
> firstly copied and checked to see whether this is a TS packet, which always
> starts with 0x47 for syn
Hello,
Can anyone confirm this bug? Thanks!
Wenwen
On Fri, Oct 19, 2018 at 8:47 AM Wenwen Wang wrote:
>
> In msc_data_sz(), the 'valid_dw' field of the msc block descriptor 'bdesc'
> is firstly checked to see whether the descriptor has a valid data width. If
> yes, i.e., 'bde
On Mon, Oct 22, 2018 at 3:04 AM Mika Westerberg
wrote:
>
> Hi,
>
> On Sat, Oct 20, 2018 at 12:55:51PM -0500, Wenwen Wang wrote:
> > In tb_ctl_rx_callback(), the checksum of the received control packet is
> > calculated on 'pkg->buffer' through tb_crc() and saved t
On Sat, Oct 20, 2018 at 6:41 PM Steve Wise wrote:
>
> Hey Wenwen,
>
> > Subject: [PATCH] iw_cxgb4: fix a missing-check bug
> >
> > In c4iw_flush_hw_cq, the next CQE is acquired through t4_next_hw_cqe(). In
> > t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see
> > whether
riable if
it is verified to be a valid CQE in t4_next_hw_cqe(). Also, the local
variable will be used for the copy in create_read_req_ceq().
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/cxgb4/cq.c | 8 +---
drivers/infiniband/hw/cxgb4/t4.h | 4 ++--
2 files changed, 7 insertions(+), 5 del
supply uncompleted frame, which can cause undefined
behavior of the kernel and introduce potential security risk.
This patch firstly copies the flag into a local variable 'desc_flags' and
then performs the check and copy using 'desc_flags'. Through this way, the
above issue can be avoided.
Signed-off-by:
rforms the check and copy using 'desc_flags'. Through this way, the
above issue can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/nhi.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c
index 5cd6bdf..2
o rewrites the header in 'req->response + offset' using the
copied header to avoid a potential inconsistency issue.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/icm.c | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/thunderbolt/icm.c b/drivers
icious data, which can
cause undefined behavior of the kernel and introduce potential security
risk.
This patch allocates a new buffer 'buf' to hold the data in 'pkg->buffer'.
By performing the checking and copying on 'buf', rather than 'pkg->buffer',
the above issue can be avoided.
Si
On Thu, Oct 18, 2018 at 4:13 AM Mika Westerberg
wrote:
>
> Hi Wenwen,
>
> On Wed, Oct 17, 2018 at 09:00:29AM -0500, Wenwen Wang wrote:
> > In tb_cfg_copy(), the header of the received control package, which is in
> > the buffer 'pkg->buffer', is firstly parsed thr
check after the second read to make sure the
descriptor type is CHAMELEON_DTYPE_GENERAL. Otherwise, an error code EINVAL
will be returned.
Signed-off-by: Wenwen Wang
---
drivers/mcb/mcb-parse.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c
check and the calculation on the local variable to avoid the
above issue.
Signed-off-by: Wenwen Wang
---
drivers/hwtracing/intel_th/msu.h | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/hwtracing/intel_th/msu.h b/drivers/hwtracing/intel_th/msu.h
index 9cc8ace..b7d846e
riable 'cb_arg' is allocated in _scif_prog_signal() to pass the
arguments. 'cb_arg' will be freed after dma_pool_free() in
scif_prog_signal_cb().
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/scif_fence.c | 17 +
drivers/misc/mic/scif/scif_rma.h | 14 ++
2 files c
the value acquired in the first copy. Through this way, the above issue can
be avoided.
Signed-off-by: Wenwen Wang
---
drivers/firmware/google/coreboot_table.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/firmware/google/coreboot_table.c
b/drivers/firmware/google/coreboot_table.c
inde
-off-by: Wenwen Wang
---
drivers/vfio/vfio_spapr_eeh.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/vfio_spapr_eeh.c b/drivers/vfio/vfio_spapr_eeh.c
index 38edeb4..66634c6 100644
--- a/drivers/vfio/vfio_spapr_eeh.c
+++ b/drivers/vfio/vfio_spapr_eeh.c
On Wed, Oct 17, 2018 at 2:05 PM Alex Williamson
wrote:
>
> On Wed, 17 Oct 2018 12:58:26 -0500
> Wenwen Wang wrote:
>
> > On Wed, Oct 17, 2018 at 10:45 AM Alex Williamson
> > wrote:
> > >
> > > On Wed, 17 Oct 20
This patch adds a 4-byte reserved field in the structure
vfio_eeh_pe_op to make sure that the u64 fields in the structure
vfio_eeh_pe_err are 8-byte aligned.
Signed-off-by: Wenwen Wang
---
include/uapi/linux/vfio.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/vfio.h b
On Wed, Oct 17, 2018 at 10:45 AM Alex Williamson
wrote:
>
> On Wed, 17 Oct 2018 09:32:04 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the kernel object 'op' and th
.
This patch also adds a 4-byte reserved field in the structure
vfio_eeh_pe_op to make sure that the u64 fields in the structure
vfio_eeh_pe_err are 8-byte aligned.
Signed-off-by: Wenwen Wang
---
drivers/vfio/vfio_spapr_eeh.c | 9 ++---
include/uapi/linux/vfio.h | 1 +
2 files changed, 7
On Mon, Oct 8, 2018 at 1:47 PM Alex Williamson
wrote:
>
> On Mon, 8 Oct 2018 13:06:20 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the kernel object 'op' and th
cpy(). This way, the above issue can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/ctl.c | 39 ++-
1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/drivers/thunderbolt/ctl.c b/drivers/thunderbolt/ctl.c
index 37a7f4c..ae4cd61 10064
able 'src' (with
necessary calculation) to free up the DMA pool.
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/scif_fence.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/mic/scif/scif_fence.c
b/drivers/misc/mic/scif/scif_fence.c
index cac3bcc..7bb92
chip->in_sdin_init' is not zero, this check will
be meaningless and the execution should continue, instead of returning the
error code EIO.
This patch avoids the above issue by moving the check on the parameter
'codec' to the else branch of the if statement that checks
'chip->in_sdin_init'.
Si
.
Signed-off-by: Wenwen Wang
---
drivers/vfio/vfio_spapr_eeh.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/vfio_spapr_eeh.c b/drivers/vfio/vfio_spapr_eeh.c
index 38edeb4..66634c6 100644
--- a/drivers/vfio/vfio_spapr_eeh.c
+++ b/drivers/vfio/vfio_spapr_eeh.c
On Mon, Oct 8, 2018 at 11:43 AM Alex Williamson
wrote:
>
> Hi,
>
> On Sun, 7 Oct 2018 09:44:25 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the kernel
. That is, the second copy has a redundant part. Therefore, for both
performance and security reasons, the redundant part of the second copy
should be removed.
This patch removes such a part in the second copy. It only copies the 'err'
information from the buffer 'arg'.
Signed-off-by: Wenwen Wang
---
drivers
will be
returned after the buffer 'ureq' is freed.
Signed-off-by: Wenwen Wang
---
drivers/s390/net/qeth_core_main.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/s390/net/qeth_core_main.c
b/drivers/s390/net/qeth_core_main.c
index de82824..6199743 100644
--- a/drivers/s390/net
-by: Wenwen Wang
---
drivers/media/platform/davinci/isif.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/davinci/isif.c
b/drivers/media/platform/davinci/isif.c
index f924e76..340f821 100644
--- a/drivers/media/platform/davinci/isif.c
+++ b/drivers
On Wed, Oct 3, 2018 at 2:57 AM Alexander Shishkin
wrote:
>
> Wenwen Wang writes:
>
> > In stm_char_policy_set_ioctl(), the 'size' field of the struct
> > 'stp_polic_id' is firstly copied from the user space and then checked,
> > because the length of the 'id'
on the 'size' field and inject malicious data.
This patch removes the re-copying of the 'size' field in the second copy to
avoid the above issue.
Signed-off-by: Wenwen Wang
---
drivers/hwtracing/stm/core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/hwtracing/stm/core.c
inconsistent data.
This patch reuses the data copied in
diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
above issues can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/isdn/hardware/eicon/diva.c | 22 +++---
drivers/isdn/hardware/eicon/diva.h | 5
On Sun, May 20, 2018 at 5:37 PM, David Miller wrote:
> From: Wenwen Wang
> Date: Fri, 18 May 2018 16:33:47 -0500
>
>> In divasmain.c, the function divas_write() firstly invokes the function
>> diva_xdi_open_adapter() to open the adapter that matches with the adapt
On Mon, May 7, 2018 at 12:13 AM, Douglas Gilbert wrote:
> On 2018-05-05 11:21 PM, Wenwen Wang wrote:
>>
>> In sg_write(), the opcode of the command is firstly copied from the
>> userspace pointer 'buf' and saved to the kernel variable 'opcode', using
>> the __ge
inconsistent data.
This patch reuses the data copied in
diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
above issues can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/isdn/hardware/eicon/diva.c | 20 +---
drivers/isdn/hardware/eicon/diva.h | 5
as to ensure these
checks will not be bypassed.
Signed-off-by: Wenwen Wang
---
drivers/crypto/chelsio/chtls/chtls_main.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/chelsio/chtls/chtls_main.c
b/drivers/crypto/chelsio/chtls/chtls_main.c
index 007c45c
Thanks for your suggestion, David! I will revise the patch and resubmit it.
Wenwen
On Fri, May 11, 2018 at 2:50 PM, David Miller wrote:
> From: Wenwen Wang
> Date: Sat, 5 May 2018 14:32:46 -0500
>
>> To avoid such issues, this patch adds a check after the second copy in
18 at 3:31 PM, Peter Rosin wrote:
> On 2018-05-10 13:17, Wolfram Sang wrote:
>> On Sat, May 05, 2018 at 07:57:10AM -0500, Wenwen Wang wrote:
>>> In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1,
>>> which are used to save a series of messages, as
Hello
Could you please review this patch? We need a confirmation because we
are working on an approaching deadline.
Thanks!
Wenwen
On Sat, May 5, 2018 at 2:32 PM, Wenwen Wang wrote:
> In divasmain.c, the function divas_write() firstly invokes the function
> diva_xdi_open_adapter() t
Hello
Could you please review this patch? We need a confirmation because we
are working on an approaching deadline.
Thanks!
Wenwen
On Sat, May 5, 2018 at 1:31 AM, Wenwen Wang wrote:
> In _ctl_ioctl_main(), 'ioctl_header' is first copied from the userspace
> pointe
the verifications on the ioctl
argument.
This commit fixes this by using the already checked copy of the header
to fill the header part of the allocated buffer and only copying the
remainder of the data from userspace.
Signed-off-by: Wenwen Wang
---
drivers/virt/vboxguest/vboxguest_linux.c | 4
On Tue, May 8, 2018 at 7:16 AM, Dan Carpenter wrote:
> On Wed, May 02, 2018 at 05:38:49PM -0500, Wenwen Wang wrote:
>> At the end of atomisp_subdev_set_selection(), the function
>> atomisp_subdev_get_rect() is invoked to get the pointer to v4l2_rect. Since
>> this funct
On Tue, May 8, 2018 at 6:46 AM, Hans de Goede wrote:
> Hi Wenwen,
>
> On 06-05-18 05:30, Wenwen Wang wrote:
>>
>> In vbg_misc_device_ioctl(), the header of the ioctl argument is copied
>> from
>> the userspace pointer 'arg' and saved to the kernel object 'hdr'
) in tw_chrdev_open() to avoid
the above issues.
Signed-off-by: Wenwen Wang
---
drivers/scsi/3w-.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/3w-.c b/drivers/scsi/3w-.c
index 33261b6..f6179e3 100644
--- a/drivers/scsi/3w-.c
+++ b/drivers/scsi/3w-.c
@@ -1033,6 +1033,9
-off-by: Wenwen Wang
---
drivers/scsi/3w-9xxx.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..99ba4a7 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w-9xxx.c
@@ -882,6 +882,11 @@ static int twa_chrdev_open(struct inode
if it is not same as the original one in the
first copy.
Signed-off-by: Wenwen Wang
---
drivers/scsi/3w-sas.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/3w-sas.c b/drivers/scsi/3w-sas.c
index cf9f2a0..ea41969 100644
--- a/drivers/scsi/3w-sas.c
+++ b/drivers/scsi/3w-sas.c
copy. An error
code -EINVAL will be returned if it is not same as the original one in the
first copy.
Signed-off-by: Wenwen Wang
---
drivers/scsi/3w-.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/3w-.c b/drivers/scsi/3w-.c
index 33261b6..ef79194 100644
if it is not same as the original one in the
first copy.
Signed-off-by: Wenwen Wang
---
drivers/scsi/3w-9xxx.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
index b42c9c4..8bc43db 100644
--- a/drivers/scsi/3w-9xxx.c
+++ b/drivers/scsi/3w
y
between the data obtained in the two copies. In case an inconsistency is
detected, an error code -EINVAL will be returned.
Signed-off-by: Wenwen Wang <wang6...@umn.edu>
---
drivers/virt/vboxguest/vboxguest_linux.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff