Message-ID: <5548E85E.6040103@collabora.co.uk>
Date: Tue, 05 May 2015 17:57:18 +0200
From: Javier Martinez Canillas
To: Gwendal Grignou
CC: Olof Johansson, Lee Jones, Doug Anderson, Bill Richardson, Simon Glass, Stephen Barber, Filipe Brandenburger, Todd Broch, linux-samsung-soc@vger.kernel.org, Linux Kernel
Subject: Re: [RESEND PATCH 4/8] mfd: cros_ec: Use a zero-length array for command data
References: <1428336906-14906-1-git-send-email-javier.martinez@collabora.co.uk> <1428336906-14906-5-git-send-email-javier.martinez@collabora.co.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello Gwendal,

On 04/24/2015 10:29 PM, Gwendal Grignou wrote:
> On Mon, Apr 6, 2015 at 9:15 AM, Javier Martinez Canillas
> wrote:

[snip]

>> >> @@ -110,17 +115,25 @@ static ssize_t ec_device_read(struct file *filp, char __user *buffer, >> static long ec_device_ioctl_xcmd(struct cros_ec_device *ec, void __user *arg) >> { >> long ret; >> - struct cros_ec_command s_cmd = { }; >> + int len; >> + struct cros_ec_command *u_cmd = arg; >> + struct cros_ec_command *s_cmd; >> + >> + len = max(u_cmd->outsize, u_cmd->insize); > It does not work, u_cmd is not accessible yet. You should do: > struct cros_ec_command u_cmd; > if (copy_from_user(&u_cmd, arg, sizeof(u_cmd))) > return -EFAULT; > len = max(u_cmd.outsize, u_cmd.insize); > > Right, I'll change that. >> + >> + s_cmd = kzalloc(sizeof(*s_cmd) + len, GFP_KERNEL); >> + if (!s_cmd) >> + return -ENOMEM; >> >> - if (copy_from_user(&s_cmd, arg, sizeof(s_cmd))) >> + if (copy_from_user(s_cmd, arg, sizeof(*s_cmd) + len)) > sizeof(*s_cmd) + u_cmd.outsize is good enough. Ok. >> return -EFAULT; >> >> - ret = cros_ec_cmd_xfer(ec, &s_cmd); >> + ret = cros_ec_cmd_xfer(ec, s_cmd); >> /* Only copy data to userland if data was received. */ >> if (ret < 0) >> return ret; >> >> - if (copy_to_user(arg, &s_cmd, sizeof(s_cmd))) >> + if (copy_to_user(arg, s_cmd, sizeof(*s_cmd) + len)) > sizeof(*s_cmd) + min(ret, u_cmd.insize) is safer Sure. >> return -EFAULT; >> >> return 0; > I missed this one earlier. Tools expect the number of byte read, so it should be > return ret; > Ok, I'll change that as well. Thanks a lot for your feedback! Best regards, Javier
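
Review bot: the buffer from kzalloc(sizeof(*s_cmd) + len, GFP_KERNEL) is never freed in ec_device_ioctl_xcmd(); every return after the allocation (both -EFAULT paths, "return ret" and "return 0") leaks it, so route those paths through one exit label that calls kfree(s_cmd). In the same hunk len is taken from the caller's outsize and insize with no upper bound before it sizes the allocation and both copies, so reject values above the largest transfer the EC supports before allocating. The sizes are also fetched from user memory twice, once for len and again as part of the full copy_from_user() into s_cmd, so after the second copy check that s_cmd->outsize and s_cmd->insize still match the values used for len; otherwise cros_ec_cmd_xfer() is handed size fields that no longer describe the allocation.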