[bug report] staging: add bcm2708 vchiq driver
Stefan Wahren
stefan.wahren at i2se.com
Tue Nov 15 11:42:54 PST 2016
Hi Dan,
> Dan Carpenter <dan.carpenter at oracle.com> hat am 15. November 2016 um 14:15
> geschrieben:
>
>
> Hello popcornmix,
>
> The patch 71bad7f08641: "staging: add bcm2708 vchiq driver" from Jul
> 2, 2013, leads to the following static checker warning:
>
> drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c:1597
> dump_phys_mem()
> error: using offset into zero size array 'pages[]'
>
> drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
> 1537 static void
> 1538 dump_phys_mem(void *virt_addr, uint32_t num_bytes)
> 1539 {
> 1540 int rc;
> 1541 uint8_t *end_virt_addr = virt_addr + num_bytes;
> 1542 int num_pages;
> 1543 int offset;
> 1544 int end_offset;
> 1545 int page_idx;
> 1546 int prev_idx;
> 1547 struct page *page;
> 1548 struct page **pages;
> 1549 uint8_t *kmapped_virt_ptr;
> 1550
> 1551 /* Align virtAddr and endVirtAddr to 16 byte boundaries. */
> 1552
> 1553 virt_addr = (void *)((unsigned long)virt_addr & ~0x0fuL);
> 1554 end_virt_addr = (void *)(((unsigned long)end_virt_addr + 15uL)
> &
> 1555 ~0x0fuL);
> 1556
> 1557 offset = (int)(long)virt_addr & (PAGE_SIZE - 1);
> 1558 end_offset = (int)(long)end_virt_addr & (PAGE_SIZE - 1);
> 1559
> 1560 num_pages = (offset + num_bytes + PAGE_SIZE - 1) / PAGE_SIZE;
> 1561
> 1562 pages = kmalloc(sizeof(struct page *) * num_pages,
> GFP_KERNEL);
>
> The problem that the static checker is complaining about is that
> num_pages * sizeof(void *) can overflow to zero leading to an Oops
> later.
>
> But really shouldn't we just get rid of this whole function? Why are
> we dumping memory?? I understand that the RPI doesn't have an MMU so we
> perhaps don't care too much about security but still...
we touched this topic here [1]
[1] -
http://lists.infradead.org/pipermail/linux-rpi-kernel/2016-November/004746.html
More information about the linux-rpi-kernel
mailing list