Hello
This patch series was begun by my finding that memcpy_[to|from]_msg have
a parameter len which is an int but used as size_t in whole functions.
Without blindly changing the parameter to size_t, I have tried to see if
anywhere in linux source code, someone gives a negative argument with
the following (unfinished) Coccinelle patch.
virtual report
@@
type T;
signed T i;
@@
(
memcpy_from_msg
|
memcpy_to_msg
)
(...,
- i)
+ (size_t)i)
With that I found many places where an int variable is used to store unsigned values
and which could be set as size_t since they are used against size_t
and/or given to functions that wait for size_t.
It also permitted finding a bug in net/llc/af_llc.c where a size_t variable
stored error codes.
Regards
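The two mistakes the cover letter describes (a negative int reaching a size_t parameter, and an error code kept in a size_t), as an added user-space C example that is not part of the original thread or of the kernel sources. Every function name and the MTU constant are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names below are hypothetical; MTU is a constructed limit. */
#define MTU 64

/* "Before": int length. Returns the size_t a copy helper would receive,
 * or 0 when the bound check rejects the request. */
static size_t len_reaching_copy_int(int len)
{
    if (len > MTU)          /* signed compare: -1 > 64 is false */
        return 0;
    return (size_t)len;     /* conversion at the size_t call site */
}

/* "After": size_t length. The same bit pattern is now rejected. */
static size_t len_reaching_copy_size_t(size_t len)
{
    if (len > MTU)          /* unsigned compare: SIZE_MAX > 64 */
        return 0;
    return len;
}

/* Reverse mistake: an error code stored in a size_t. The value is
 * never negative, so a later "< 0" error check cannot fire. */
static size_t error_stored_in_size_t(int err)
{
    size_t copied = (size_t)err;
    return copied;
}

int main(void)
{
    printf("int len -1 reaches copy as %zu\n", len_reaching_copy_int(-1));
    printf("size_t len reaches copy as %zu\n",
           len_reaching_copy_size_t((size_t)-1));
    printf("-EFAULT in size_t reads as %zu\n",
           error_stored_in_size_t(-EFAULT));
    return 0;
}
```

The printf calls use %zu, the specifier that matches a size_t argument.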
Hi Corentin,
> len is used in operations/functions that wait for an unsigned value.
> Furthermore the only call of sco_send_frame gives a size_t as argument.
> So the parameter needs to be set as size_t.
>
> Signed-off-by: LABBE Corentin <[email protected]>
> ---
> net/bluetooth/sco.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
I am not taking this patch until you also fix the kbuild test robot reported issue with format print modifier for size_t.
Regards
Marcel
Hi LABBE,
[auto build test WARNING on net/master -- if it's inappropriate base, please suggest rules for selecting the more suitable base]
url: https://github.com/0day-ci/linux/commits/LABBE-Corentin/net-change-len-parameter-type-for-memcpy_-to-from-_msg/20151023-201642
config: x86_64-allyesconfig (attached as .config)
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All warnings (new ones prefixed by >>):
In file included from include/linux/kernel.h:13:0,
from include/linux/list.h:8,
from include/linux/module.h:9,
from net/bluetooth/sco.c:27:
net/bluetooth/sco.c: In function 'sco_send_frame':
>> net/bluetooth/sco.c:281:9: warning: format '%d' expects argument of type 'int', but argument 4 has type 'size_t {aka long unsigned int}' [-Wformat=]
BT_DBG("sk %p len %d", sk, len);
^
include/linux/printk.h:236:21: note: in definition of macro 'pr_fmt'
#define pr_fmt(fmt) fmt
^
include/linux/printk.h:283:2: note: in expansion of macro 'dynamic_pr_debug'
dynamic_pr_debug(fmt, ##__VA_ARGS__)
^
include/net/bluetooth/bluetooth.h:129:26: note: in expansion of macro 'pr_debug'
#define BT_DBG(fmt, ...) pr_debug(fmt "\n", ##__VA_ARGS__)
^
net/bluetooth/sco.c:281:2: note: in expansion of macro 'BT_DBG'
BT_DBG("sk %p len %d", sk, len);
^
vim +281 net/bluetooth/sco.c
^1da177e Linus Torvalds 2005-04-16 265 done:
09fd0de5 Gustavo Padovan 2011-06-17 266 hci_dev_unlock(hdev);
^1da177e Linus Torvalds 2005-04-16 267 hci_dev_put(hdev);
^1da177e Linus Torvalds 2005-04-16 268 return err;
^1da177e Linus Torvalds 2005-04-16 269 }
^1da177e Linus Torvalds 2005-04-16 270
722dd7cd LABBE Corentin 2015-10-23 271 static int sco_send_frame(struct sock *sk, struct msghdr *msg, size_t len)
^1da177e Linus Torvalds 2005-04-16 272 {
^1da177e Linus Torvalds 2005-04-16 273 struct sco_conn *conn = sco_pi(sk)->conn;
^1da177e Linus Torvalds 2005-04-16 274 struct sk_buff *skb;
088ce088 Mikel Astiz 2012-04-11 275 int err;
^1da177e Linus Torvalds 2005-04-16 276
^1da177e Linus Torvalds 2005-04-16 277 /* Check outgoing MTU */
^1da177e Linus Torvalds 2005-04-16 278 if (len > conn->mtu)
^1da177e Linus Torvalds 2005-04-16 279 return -EINVAL;
^1da177e Linus Torvalds 2005-04-16 280
^1da177e Linus Torvalds 2005-04-16 @281 BT_DBG("sk %p len %d", sk, len);
^1da177e Linus Torvalds 2005-04-16 282
088ce088 Mikel Astiz 2012-04-11 283 skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err);
b9dbdbc1 Gustavo Padovan 2010-05-01 284 if (!skb)
^1da177e Linus Torvalds 2005-04-16 285 return err;
^1da177e Linus Torvalds 2005-04-16 286
6ce8e9ce Al Viro 2014-04-06 287 if (memcpy_from_msg(skb_put(skb, len), msg, len)) {
b9dbdbc1 Gustavo Padovan 2010-05-01 288 kfree_skb(skb);
b9dbdbc1 Gustavo Padovan 2010-05-01 289 return -EFAULT;
:::::: The code at line 281 was first introduced by commit
:::::: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 Linux-2.6.12-rc2
:::::: TO: Linus Torvalds <[email protected]>
:::::: CC: Linus Torvalds <[email protected]>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
Hi LABBE,
[auto build test WARNING on net/master -- if it's inappropriate base, please suggest rules for selecting the more suitable base]
url: https://github.com/0day-ci/linux/commits/LABBE-Corentin/net-change-len-parameter-type-for-memcpy_-to-from-_msg/20151023-201642
config: tile-allyesconfig (attached as .config)
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=tile
All warnings (new ones prefixed by >>):
net/bluetooth/sco.c: In function 'sco_send_frame':
>> net/bluetooth/sco.c:281:2: warning: format '%d' expects argument of type 'int', but argument 4 has type 'size_t' [-Wformat]
vim +281 net/bluetooth/sco.c
Hi LABBE,
[auto build test WARNING on net/master -- if it's inappropriate base, please suggest rules for selecting the more suitable base]
url: https://github.com/0day-ci/linux/commits/LABBE-Corentin/net-change-len-parameter-type-for-memcpy_-to-from-_msg/20151023-201642
config: sparc64-allyesconfig (attached as .config)
reproduce:
wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
make.cross ARCH=sparc64
All warnings (new ones prefixed by >>):
In file included from include/linux/printk.h:277:0,
from include/linux/kernel.h:13,
from include/linux/list.h:8,
from include/linux/module.h:9,
from net/bluetooth/sco.c:27:
net/bluetooth/sco.c: In function 'sco_send_frame':
include/linux/dynamic_debug.h:64:16: warning: format '%d' expects argument of type 'int', but argument 4 has type 'size_t' [-Wformat=]
static struct _ddebug __aligned(8) \
^
include/linux/dynamic_debug.h:76:2: note: in expansion of macro 'DEFINE_DYNAMIC_DEBUG_METADATA'
DEFINE_DYNAMIC_DEBUG_METADATA(descriptor, fmt); \
^
include/linux/printk.h:283:2: note: in expansion of macro 'dynamic_pr_debug'
dynamic_pr_debug(fmt, ##__VA_ARGS__)
^
include/net/bluetooth/bluetooth.h:129:26: note: in expansion of macro 'pr_debug'
#define BT_DBG(fmt, ...) pr_debug(fmt "\n", ##__VA_ARGS__)
^
>> net/bluetooth/sco.c:281:2: note: in expansion of macro 'BT_DBG'
BT_DBG("sk %p len %d", sk, len);
^
vim +/BT_DBG +281 net/bluetooth/sco.c
len is used in operations/functions that wait for an unsigned value.
Furthermore the only call of sco_send_frame gives a size_t as argument.
So the parameter needs to be set as size_t.
Signed-off-by: LABBE Corentin <[email protected]>
---
net/bluetooth/sco.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index f315c8d..1ae4b36 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -268,7 +268,7 @@ done:
return err;
}
-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len)
+static int sco_send_frame(struct sock *sk, struct msghdr *msg, size_t len)
{
struct sco_conn *conn = sco_pi(sk)->conn;
struct sk_buff *skb;
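Review bot: in sco_send_frame(), the body still has BT_DBG("sk %p len %d", sk, len) at line 281, so with len now a size_t the %d specifier no longer matches its argument; the kbuild reports in this thread show the resulting -Wformat warning on x86_64, tile and sparc64. Change that specifier to %zu in this same patch so the type change and the format string stay in step, and regenerate the diffstat, which currently counts only the signature line.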
--
2.4.10