2014-01-04 11:23:27

by Johan Hovold

Subject: Re: [usb:usb-next 50/92] drivers/usb/serial/pl2303.c:149 pl2303_vendor_read() error: doing dma on the stack (buf)

On Sat, Jan 04, 2014 at 05:28:35AM +0800, kbuild test robot wrote:
> tree: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next
> head: bd6383c81d5f33e01688a87c50a8d3a878aa43d5
> commit: 362eb02603be7bb835c47f2cf585954a5080449d [50/92] USB: pl2303: add error handling to vendor read and write functions
>
> New smatch warnings:
> drivers/usb/serial/pl2303.c:149 pl2303_vendor_read() error: doing dma on the stack (buf)
>
> Old smatch warnings:
> drivers/usb/serial/pl2303.c:673 pl2303_ioctl() warn: check that 'ser' doesn't leak information (struct has a hole after 'iomem_reg_shift')
>
> vim +149 drivers/usb/serial/pl2303.c
>
> 8bf769eb Johan Hovold 2012-10-15 133 };
> 8bf769eb Johan Hovold 2012-10-15 134
> ^1da177e Linus Torvalds 2005-04-16 135 struct pl2303_private {
> ^1da177e Linus Torvalds 2005-04-16 136 spinlock_t lock;
> ^1da177e Linus Torvalds 2005-04-16 137 u8 line_control;
> ^1da177e Linus Torvalds 2005-04-16 138 u8 line_status;
> 623c8263 Johan Hovold 2013-12-29 139
> 623c8263 Johan Hovold 2013-12-29 140 u8 line_settings[7];
> ^1da177e Linus Torvalds 2005-04-16 141 };
> ^1da177e Linus Torvalds 2005-04-16 142
> 362eb026 Johan Hovold 2013-12-29 143 static int pl2303_vendor_read(struct usb_serial *serial, u16 value,
> 362eb026 Johan Hovold 2013-12-29 144 unsigned char buf[1])

This is a false positive. A pointer passed as an array is still just a
pointer (and in this case the buffer it points to is not on the stack).

Looks like smatch needs to be updated.

Thanks,
Johan

> eb44da0b Sarah Sharp 2007-12-14 145 {
> 362eb026 Johan Hovold 2013-12-29 146 struct device *dev = &serial->interface->dev;
> ccfe8188 Johan Hovold 2013-12-29 147 int res;
> ccfe8188 Johan Hovold 2013-12-29 148
> ccfe8188 Johan Hovold 2013-12-29 @149 res = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
> eb44da0b Sarah Sharp 2007-12-14 150 VENDOR_READ_REQUEST, VENDOR_READ_REQUEST_TYPE,
> 362eb026 Johan Hovold 2013-12-29 151 value, 0, buf, 1, 100);
> 362eb026 Johan Hovold 2013-12-29 152 if (res != 1) {
> 362eb026 Johan Hovold 2013-12-29 153 dev_err(dev, "%s - failed to read [%04x]: %d\n", __func__,
> 362eb026 Johan Hovold 2013-12-29 154 value, res);
> 362eb026 Johan Hovold 2013-12-29 155 if (res >= 0)
> 362eb026 Johan Hovold 2013-12-29 156 res = -EIO;
> 362eb026 Johan Hovold 2013-12-29 157
>
> :::::: The code at line 149 was first introduced by commit
> :::::: ccfe8188a321f4039a7e52c8336bb4ff3ca35139 USB: pl2303: clean up driver somewhat
>
> :::::: TO: Johan Hovold <[email protected]>
> :::::: CC: Greg Kroah-Hartman <[email protected]>
>
> ---
> 0-DAY kernel build testing backend Open Source Technology Center
> http://lists.01.org/mailman/listinfo/kbuild Intel Corporation


2014-01-04 17:32:39

by Dan Carpenter

Subject: Re: [usb:usb-next 50/92] drivers/usb/serial/pl2303.c:149 pl2303_vendor_read() error: doing dma on the stack (buf)

On Sat, Jan 04, 2014 at 12:23:41PM +0100, Johan Hovold wrote:
> On Sat, Jan 04, 2014 at 05:28:35AM +0800, kbuild test robot wrote:
> > tree: git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-next
> > head: bd6383c81d5f33e01688a87c50a8d3a878aa43d5
> > commit: 362eb02603be7bb835c47f2cf585954a5080449d [50/92] USB: pl2303: add error handling to vendor read and write functions
> >
> > New smatch warnings:
> > drivers/usb/serial/pl2303.c:149 pl2303_vendor_read() error: doing dma on the stack (buf)
> >
> > Old smatch warnings:
> > drivers/usb/serial/pl2303.c:673 pl2303_ioctl() warn: check that 'ser' doesn't leak information (struct has a hole after 'iomem_reg_shift')
> >
> > vim +149 drivers/usb/serial/pl2303.c
> >
> > 8bf769eb Johan Hovold 2012-10-15 133 };
> > 8bf769eb Johan Hovold 2012-10-15 134
> > ^1da177e Linus Torvalds 2005-04-16 135 struct pl2303_private {
> > ^1da177e Linus Torvalds 2005-04-16 136 spinlock_t lock;
> > ^1da177e Linus Torvalds 2005-04-16 137 u8 line_control;
> > ^1da177e Linus Torvalds 2005-04-16 138 u8 line_status;
> > 623c8263 Johan Hovold 2013-12-29 139
> > 623c8263 Johan Hovold 2013-12-29 140 u8 line_settings[7];
> > ^1da177e Linus Torvalds 2005-04-16 141 };
> > ^1da177e Linus Torvalds 2005-04-16 142
> > 362eb026 Johan Hovold 2013-12-29 143 static int pl2303_vendor_read(struct usb_serial *serial, u16 value,
> > 362eb026 Johan Hovold 2013-12-29 144 unsigned char buf[1])
>
> This is a false positive. A pointer passed as an array is still just a
> pointer (and in this case the buffer it points to is not on the stack).
>
> Looks like smatch needs to be updated.
>

Thanks. I have written a fix for this and will push next week.

regards,
dan carpenter
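
The distinction discussed in this thread, shown as an added userspace C example (not code from the pl2303 driver or from smatch): a parameter declared `unsigned char buf[1]` is a pointer, while a local array of the same spelling is real stack storage. `vendor_read_model`, `heap_caller`, `local_array_is_pointer`, the `IS_POINTER` macro and the `0x5a` value are constructed for illustration, and `malloc` stands in for whatever non-stack allocation the caller uses.

```c
#include <stdio.h>
#include <stdlib.h>

/* 1 if x is a pointer object, 0 if x is a real array (C11 _Generic).
 * &pointer has type "unsigned char **"; &array has type
 * "unsigned char (*)[N]", so the two are distinguishable by type. */
#define IS_POINTER(x) _Generic(&(x), unsigned char **: 1, default: 0)

/* Hypothetical stand-in for the flagged function: same parameter shape.
 * The compiler adjusts "unsigned char buf[1]" to "unsigned char *buf". */
static int vendor_read_model(unsigned char buf[1])
{
	buf[0] = 0x5a;		/* constructed value standing in for device data */
	return IS_POINTER(buf);	/* 1: nothing was allocated on this frame */
}

/* A genuine on-stack array, the case the warning is meant to catch. */
static int local_array_is_pointer(void)
{
	unsigned char local[1] = { 0 };

	return IS_POINTER(local);	/* 0: storage lives in this frame */
}

/* Assumed caller: the buffer comes from the heap, not the stack. */
static int heap_caller(unsigned char *out)
{
	unsigned char *buf = malloc(1);
	int is_ptr;

	if (!buf)
		return -1;
	is_ptr = vendor_read_model(buf);
	*out = buf[0];
	free(buf);
	return is_ptr;
}

int main(void)
{
	unsigned char v = 0;

	printf("parameter buf[1] is pointer: %d\n", heap_caller(&v));
	printf("local array is pointer:      %d\n", local_array_is_pointer());
	return 0;
}
```

A checker that keys on the declarator's array syntax alone treats both cases the same; keying on the adjusted type of the parameter separates them.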