On Thursday 03 December 2015 12:26:34 Lee Jones wrote: > > > > > > +static ssize_t rproc_state_write(struct file *filp, const char __user *userbuf, > > > + size_t count, loff_t *ppos) > > > +{ > > > + struct rproc *rproc = filp->private_data; > > > + char buf[10]; > > > + int ret; > > > + > > > + if (count > sizeof(buf)) > > > + return count; > > > + ret = copy_from_user(buf, userbuf, count); > > > + if (ret) > > > + return -EFAULT; > > > + > > > + if (buf[count - 1] == '\n') > > > + buf[count - 1] = '\0'; > > > > I believe you can get here with count = 0. > > I'm pretty sure you can't. > > If you are sure that you can, if you can provide me with a way of > testing, I'd be happy to put in provisions. > I think that a zero-length write() from user space ends up in the write file operation. Also, we get a gcc warning about the out-of-bounds access for code like this, and checking that count is larger than zero avoids the warning. Arnd -- To unsubscribe from this list: send the line "unsubscribe devicetree" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html