Re: [PATCH v4 2/3] i2c: add support for Diolan DLN-2 USB-I2C adapter

[Johan Hovold <johan@kernel.org>]

On Thu, Sep 18, 2014 at 11:49:19AM +0300, Octavian Purdila wrote:
> On Thu, Sep 18, 2014 at 11:19 AM, Johan Hovold <johan@kernel.org> wrote:
> > On Wed, Sep 17, 2014 at 01:07:51PM +0300, Octavian Purdila wrote:
> >> On Wed, Sep 17, 2014 at 12:44 PM, Johan Hovold <johan@kernel.org> wrote:
> >>
> >> <snip>
> >>
> >> >> +     /*
> >> >> +      * Buffer to hold the packet for read or write transfers. One
> >> >> +      * is enough since we can't have multiple transfers in
> >> >> +      * parallel on the i2c adapter.
> >> >> +      */
> >> >> +     union {
> >> >> +             struct {
> >> >> +                     u8 port;
> >> >> +                     u8 addr;
> >> >> +                     u8 mem_addr_len;
> >> >> +                     __le32 mem_addr;
> >> >> +                     __le16 buf_len;
> >> >> +                     u8 buf[DLN2_I2C_MAX_XFER_SIZE];
> >> >> +             } __packed tx;
> >> >> +             struct {
> >> >> +                     __le16 buf_len;
> >> >> +                     u8 buf[DLN2_I2C_MAX_XFER_SIZE];
> >> >> +             } __packed rx;
> >> >> +     } buf;
> >> >
> >> > While this works in this case due to the extra copy you do in
> >> > dln2_transfer, allocating buffers that would (generally) be used for DMA
> >> > transfers as part of a larger structure is a recipe for trouble.
> >> >
> >> > It's probably better to allocate separately, if only to prevent people
> >> > from thinking there might be a bug here.
> >> >
> >>
> >> Just to make sure I understand this, what could the issues be? The
> >> buffers not being aligned or not allocated in continuous physical
> >> memory?
> >
> > Yes, the buffer (and any subsequent field) would have to be cache-line
> > aligned to avoid corruption due to cache-line sharing on some systems.
> >
> 
> Ah, ok, makes sense now. But is it safe to use kmalloc() in this case?
> Does kmalloc() prevent cache line sharing?

Yes, it does (as long as you allocate the buffer separately from the
containing struct).

> >> <snip>
> >>
> >> >> +
> >> >> +     rx_buf_len = le16_to_cpu(dln2->buf.rx.buf_len);
> >> >> +     if (rx_len < rx_buf_len + sizeof(dln2->buf.rx.buf_len))
> >> >> +             return -EPROTO;
> >> >> +
> >> >> +     if (data_len > rx_buf_len)
> >> >> +             data_len = rx_buf_len;
> >> >
> >> > You're still not checking that the received data does not overflow the
> >> > supplied buffer as I already commented on v3.
> >> >
> >> >> +
> >> >> +     memcpy(data, dln2->buf.rx.buf, data_len);
> >> >> +
> >> >> +     return data_len;
> >> >> +}
> >>
> >> Hmm, perhaps I am missing something, but we never transfer more then
> >> data_len, where data_len is the size of the buffer supplied by the
> >> user.
> >
> > That is the amount of data you request from the device, but you never
> > check how much is actually returned.
> >
> 
> Actually we check the receive buffer size here:
> 
>     if (data_len > rx_buf_len)
>         data_len = rx_buf_len;
> 
> rx_buf_len is the i2c received payload size while rx_len is the length
> of received message

Bah, you're right. You never explicitly check for overflow, but also
never use more than data_len bytes of the returned buffer.

I think you should add explicit checks, and return an error in this case
rather than silently truncate the data.

> > You really should clean up the error handling of this function as it is
> > currently not very readable.
> >
> 
> Perhaps adding some comments similar to the the explanation above would help?

It's more the logic of this function I find a bit twisted. I think you
should clean it up and consider adding appropriately named (temporary)
variables to make it more readable.

Johan