* [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
@ 2022-06-05 12:43 Xiaohui Zhang
2022-06-05 12:49 ` Greg Kroah-Hartman
2022-06-06 10:03 ` Ian Abbott
0 siblings, 2 replies; 6+ messages in thread
From: Xiaohui Zhang @ 2022-06-05 12:43 UTC (permalink / raw)
To: Xiaohui Zhang, Ian Abbott, H Hartley Sweeten, Greg Kroah-Hartman,
Johan Hovold, linux-kernel
From: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
We detected a suspected bug with our code clone detection tool.
Similar to the handling of vmk80xx_alloc_usb_buffers in commit
a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
we thought a patch might be needed here as well.
The driver uses endpoint-sized USB transfer buffers but up until
recently had no sanity checks on the sizes.
Signed-off-by: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
---
drivers/comedi/drivers/ni_usb6501.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
index 0dd9edf7bced..3e2b9f4d840b 100644
--- a/drivers/comedi/drivers/ni_usb6501.c
+++ b/drivers/comedi/drivers/ni_usb6501.c
@@ -90,6 +90,7 @@
#include <linux/comedi/comedi_usb.h>
#define NI6501_TIMEOUT 1000
+#define MIN_BUF_SIZE 64
/* Port request packets */
static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10,
@@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
struct ni6501_private *devpriv = dev->private;
size_t size;
- size = usb_endpoint_maxp(devpriv->ep_rx);
+ size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
if (!devpriv->usb_rx_buf)
return -ENOMEM;
- size = usb_endpoint_maxp(devpriv->ep_tx);
+ size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
if (!devpriv->usb_tx_buf)
return -ENOMEM;
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
2022-06-05 12:43 [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows Xiaohui Zhang
@ 2022-06-05 12:49 ` Greg Kroah-Hartman
2022-06-06 10:03 ` Ian Abbott
1 sibling, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-05 12:49 UTC (permalink / raw)
To: Xiaohui Zhang; +Cc: Ian Abbott, H Hartley Sweeten, Johan Hovold, linux-kernel
On Sun, Jun 05, 2022 at 08:43:22PM +0800, Xiaohui Zhang wrote:
> From: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
>
> We detected a suspected bug with our code clone detection tool.
What tool exactly?
Please read Documentation/process/researcher-guidelines.rst for how to
write a good changelog when you are using automated tools like this.
>
> Similar to the handling of vmk80xx_alloc_usb_buffers in commit
> a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
> we thought a patch might be needed here as well.
>
> The driver uses endpoint-sized USB transfer buffers but up until
> recently had no sanity checks on the sizes.
>
> Signed-off-by: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
I strongly doubt you sign legal documents like "xiaohuizhang98", right?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
2022-06-05 12:43 [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows Xiaohui Zhang
2022-06-05 12:49 ` Greg Kroah-Hartman
@ 2022-06-06 10:03 ` Ian Abbott
1 sibling, 0 replies; 6+ messages in thread
From: Ian Abbott @ 2022-06-06 10:03 UTC (permalink / raw)
To: Xiaohui Zhang, H Hartley Sweeten, Greg Kroah-Hartman,
Johan Hovold, linux-kernel
On 05/06/2022 13:43, Xiaohui Zhang wrote:
> From: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
>
> We detected a suspected bug with our code clone detection tool.
>
> Similar to the handling of vmk80xx_alloc_usb_buffers in commit
> a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
> we thought a patch might be needed here as well.
>
> The driver uses endpoint-sized USB transfer buffers but up until
> recently had no sanity checks on the sizes.
>
> Signed-off-by: xiaohuizhang98 <ruc_zhangxiaohui@163.com>
> ---
> drivers/comedi/drivers/ni_usb6501.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
> index 0dd9edf7bced..3e2b9f4d840b 100644
> --- a/drivers/comedi/drivers/ni_usb6501.c
> +++ b/drivers/comedi/drivers/ni_usb6501.c
> @@ -90,6 +90,7 @@
> #include <linux/comedi/comedi_usb.h>
>
> #define NI6501_TIMEOUT 1000
> +#define MIN_BUF_SIZE 64
>
> /* Port request packets */
> static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10,
> @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
> struct ni6501_private *devpriv = dev->private;
> size_t size;
>
> - size = usb_endpoint_maxp(devpriv->ep_rx);
> + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
> devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_rx_buf)
> return -ENOMEM;
>
> - size = usb_endpoint_maxp(devpriv->ep_tx);
> + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
> devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_tx_buf)
> return -ENOMEM;
Actually, there is a typo in the last bit of the patch that was copied
from the similar patch to vmk80xx. It is using the wrong endpoint to
determine the size for usb_tx_buf.
--
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
@ 2022-06-07 11:18 Xiaohui Zhang
2022-06-07 12:30 ` Ian Abbott
2022-06-07 12:48 ` Greg Kroah-Hartman
0 siblings, 2 replies; 6+ messages in thread
From: Xiaohui Zhang @ 2022-06-07 11:18 UTC (permalink / raw)
To: Xiaohui Zhang, Ian Abbott, H Hartley Sweeten, Greg Kroah-Hartman,
Johan Hovold, linux-kernel
Similar to the handling of vmk80xx_alloc_usb_buffers in commit
a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
we thought a patch might be needed here as well.
The driver uses endpoint-sized USB transfer buffers but up until
recently had no sanity checks on the sizes.
Signed-off-by: Xiaohui Zhang <xiaohuizhang@ruc.edu.cn>
---
drivers/comedi/drivers/ni_usb6501.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
index 0dd9edf7bced..8303bfc305c5 100644
--- a/drivers/comedi/drivers/ni_usb6501.c
+++ b/drivers/comedi/drivers/ni_usb6501.c
@@ -90,6 +90,7 @@
#include <linux/comedi/comedi_usb.h>
#define NI6501_TIMEOUT 1000
+#define MIN_BUF_SIZE 64
/* Port request packets */
static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10,
@@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
struct ni6501_private *devpriv = dev->private;
size_t size;
- size = usb_endpoint_maxp(devpriv->ep_rx);
+ size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
if (!devpriv->usb_rx_buf)
return -ENOMEM;
- size = usb_endpoint_maxp(devpriv->ep_tx);
+ size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);
devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
if (!devpriv->usb_tx_buf)
return -ENOMEM;
--
2.17.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
2022-06-07 11:18 Xiaohui Zhang
@ 2022-06-07 12:30 ` Ian Abbott
2022-06-07 12:48 ` Greg Kroah-Hartman
1 sibling, 0 replies; 6+ messages in thread
From: Ian Abbott @ 2022-06-07 12:30 UTC (permalink / raw)
To: Xiaohui Zhang, H Hartley Sweeten, Greg Kroah-Hartman,
Johan Hovold, linux-kernel
On 07/06/2022 12:18, Xiaohui Zhang wrote:
> Similar to the handling of vmk80xx_alloc_usb_buffers in commit
> a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
> we thought a patch might be needed here as well.
>
> The driver uses endpoint-sized USB transfer buffers but up until
> recently had no sanity checks on the sizes.
>
> Signed-off-by: Xiaohui Zhang <xiaohuizhang@ruc.edu.cn>
> ---
> drivers/comedi/drivers/ni_usb6501.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
> index 0dd9edf7bced..8303bfc305c5 100644
> --- a/drivers/comedi/drivers/ni_usb6501.c
> +++ b/drivers/comedi/drivers/ni_usb6501.c
> @@ -90,6 +90,7 @@
> #include <linux/comedi/comedi_usb.h>
>
> #define NI6501_TIMEOUT 1000
> +#define MIN_BUF_SIZE 64
>
> /* Port request packets */
> static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10,
> @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
> struct ni6501_private *devpriv = dev->private;
> size_t size;
>
> - size = usb_endpoint_maxp(devpriv->ep_rx);
> + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
> devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_rx_buf)
> return -ENOMEM;
>
> - size = usb_endpoint_maxp(devpriv->ep_tx);
> + size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);
> devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_tx_buf)
> return -ENOMEM;
The code change looks OK but this patch should have been sent as a "v2"
patch and should have a brief description of the v2 changes after the
"---" line.
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
--
-=( Ian Abbott <abbotti@mev.co.uk> || MEV Ltd. is a company )=-
-=( registered in England & Wales. Regd. number: 02862268. )=-
-=( Regd. addr.: S11 & 12 Building 67, Europa Business Park, )=-
-=( Bird Hall Lane, STOCKPORT, SK3 0XA, UK. || www.mev.co.uk )=-
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows
2022-06-07 11:18 Xiaohui Zhang
2022-06-07 12:30 ` Ian Abbott
@ 2022-06-07 12:48 ` Greg Kroah-Hartman
1 sibling, 0 replies; 6+ messages in thread
From: Greg Kroah-Hartman @ 2022-06-07 12:48 UTC (permalink / raw)
To: Xiaohui Zhang; +Cc: Ian Abbott, H Hartley Sweeten, Johan Hovold, linux-kernel
On Tue, Jun 07, 2022 at 07:18:02PM +0800, Xiaohui Zhang wrote:
> Similar to the handling of vmk80xx_alloc_usb_buffers in commit
> a23461c47482("comedi: vmk80xx: fix transfer-buffer overflows"),
> we thought a patch might be needed here as well.
>
> The driver uses endpoint-sized USB transfer buffers but up until
> recently had no sanity checks on the sizes.
>
> Signed-off-by: Xiaohui Zhang <xiaohuizhang@ruc.edu.cn>
> ---
> drivers/comedi/drivers/ni_usb6501.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/comedi/drivers/ni_usb6501.c b/drivers/comedi/drivers/ni_usb6501.c
> index 0dd9edf7bced..8303bfc305c5 100644
> --- a/drivers/comedi/drivers/ni_usb6501.c
> +++ b/drivers/comedi/drivers/ni_usb6501.c
> @@ -90,6 +90,7 @@
> #include <linux/comedi/comedi_usb.h>
>
> #define NI6501_TIMEOUT 1000
> +#define MIN_BUF_SIZE 64
>
> /* Port request packets */
> static const u8 READ_PORT_REQUEST[] = {0x00, 0x01, 0x00, 0x10,
> @@ -459,12 +460,12 @@ static int ni6501_alloc_usb_buffers(struct comedi_device *dev)
> struct ni6501_private *devpriv = dev->private;
> size_t size;
>
> - size = usb_endpoint_maxp(devpriv->ep_rx);
> + size = max(usb_endpoint_maxp(devpriv->ep_rx), MIN_BUF_SIZE);
> devpriv->usb_rx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_rx_buf)
> return -ENOMEM;
>
> - size = usb_endpoint_maxp(devpriv->ep_tx);
> + size = max(usb_endpoint_maxp(devpriv->ep_tx), MIN_BUF_SIZE);
> devpriv->usb_tx_buf = kzalloc(size, GFP_KERNEL);
> if (!devpriv->usb_tx_buf)
> return -ENOMEM;
> --
> 2.17.1
>
Hi,
This is the friendly patch-bot of Greg Kroah-Hartman. You have sent him
a patch that has triggered this response. He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created. Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.
You are receiving this message because of the following common error(s)
as indicated below:
- You did not specify a description of why the patch is needed, or
possibly, any description at all, in the email body. Please read the
section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what is needed in order to
properly describe the change.
- You did not write a descriptive Subject: for the patch, allowing Greg,
and everyone else, to know what this patch is all about. Please read
the section entitled "The canonical patch format" in the kernel file,
Documentation/SubmittingPatches for what a proper Subject: line should
look like.
- This looks like a new version of a previously submitted patch, but you
did not list below the --- line any changes from the previous version.
Please read the section entitled "The canonical patch format" in the
kernel file, Documentation/SubmittingPatches for what needs to be done
here to properly describe this.
If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.
thanks,
greg k-h's patch email bot
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2022-06-07 12:48 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-05 12:43 [PATCH 1/1] comedi: ni_usb6501: fix transfer-buffer overflows Xiaohui Zhang
2022-06-05 12:49 ` Greg Kroah-Hartman
2022-06-06 10:03 ` Ian Abbott
2022-06-07 11:18 Xiaohui Zhang
2022-06-07 12:30 ` Ian Abbott
2022-06-07 12:48 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).