* [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use
@ 2022-03-25 4:34 Haowen Bai
2022-03-25 4:45 ` Guenter Roeck
0 siblings, 1 reply; 2+ messages in thread
From: Haowen Bai @ 2022-03-25 4:34 UTC (permalink / raw)
To: linux, heikki.krogerus, gregkh; +Cc: linux-usb, linux-kernel, Haowen Bai
Fix possible indexing array of bound for
port->logbuffer[port->logbuffer_head], where port->logbuffer_head boundary
check happens later. so we do it before.
Signed-off-by: Haowen Bai <baihaowen@meizu.com>
---
drivers/usb/typec/tcpm/tcpm.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 5fce795..541e9e4 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -591,6 +591,14 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
unsigned long rem_nsec;
mutex_lock(&port->logbuffer_lock);
+
+ if (port->logbuffer_head < 0 ||
+ port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
+ dev_warn(port->dev,
+ "Bad log buffer index %d\n", port->logbuffer_head);
+ goto abort;
+ }
+
if (!port->logbuffer[port->logbuffer_head]) {
port->logbuffer[port->logbuffer_head] =
kzalloc(LOG_BUFFER_ENTRY_SIZE, GFP_KERNEL);
@@ -607,13 +615,6 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
strcpy(tmpbuffer, "overflow");
}
- if (port->logbuffer_head < 0 ||
- port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
- dev_warn(port->dev,
- "Bad log buffer index %d\n", port->logbuffer_head);
- goto abort;
- }
-
if (!port->logbuffer[port->logbuffer_head]) {
dev_warn(port->dev,
"Log buffer index %d is NULL\n", port->logbuffer_head);
--
2.7.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use
2022-03-25 4:34 [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use Haowen Bai
@ 2022-03-25 4:45 ` Guenter Roeck
0 siblings, 0 replies; 2+ messages in thread
From: Guenter Roeck @ 2022-03-25 4:45 UTC (permalink / raw)
To: Haowen Bai, heikki.krogerus, gregkh; +Cc: linux-usb, linux-kernel
On 3/24/22 21:34, Haowen Bai wrote:
> Fix possible indexing array of bound for
> port->logbuffer[port->logbuffer_head], where port->logbuffer_head boundary
> check happens later. so we do it before.
>
> Signed-off-by: Haowen Bai <baihaowen@meizu.com>
> ---
> drivers/usb/typec/tcpm/tcpm.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
> index 5fce795..541e9e4 100644
> --- a/drivers/usb/typec/tcpm/tcpm.c
> +++ b/drivers/usb/typec/tcpm/tcpm.c
> @@ -591,6 +591,14 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
> unsigned long rem_nsec;
>
> mutex_lock(&port->logbuffer_lock);
> +
> + if (port->logbuffer_head < 0 ||
> + port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
> + dev_warn(port->dev,
> + "Bad log buffer index %d\n", port->logbuffer_head);
> + goto abort;
> + }
> +
> if (!port->logbuffer[port->logbuffer_head]) {
> port->logbuffer[port->logbuffer_head] =
> kzalloc(LOG_BUFFER_ENTRY_SIZE, GFP_KERNEL);
> @@ -607,13 +615,6 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
> strcpy(tmpbuffer, "overflow");
> }
>
> - if (port->logbuffer_head < 0 ||
> - port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
> - dev_warn(port->dev,
> - "Bad log buffer index %d\n", port->logbuffer_head);
> - goto abort;
> - }
> -
> if (!port->logbuffer[port->logbuffer_head]) {
> dev_warn(port->dev,
> "Log buffer index %d is NULL\n", port->logbuffer_head);
One could argue that the check is unnecessary and can be removed as it can be proven
that it logbuffer_head always in the range of [0, LOG_BUFFER_ENTRIES - 1]. Moving
the check, however, does not add any value unless you can _prove_ that it needs to
be moved, ie that logbuffer_head can be observed to be < 0 or >= LOG_BUFFER_ENTRIES.
I think that is quite unlikely.
Guenter
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-03-25 4:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-25 4:34 [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use Haowen Bai
2022-03-25 4:45 ` Guenter Roeck
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.