Hello Christian Gromm,
The patch 57562a72414c: "Staging: most: add MOST driver's core
module" from Jul 24, 2015, leads to the following static checker
warning:
drivers/staging/most/mostcore/core.c:1277 arm_mbo_chain()
warn: integer overflows 'coherent_buf_size'
drivers/staging/most/mostcore/core.c
1258 int arm_mbo_chain(struct most_c_obj *c, int dir, void (*compl)(struct mbo *))
1259 {
1260 unsigned int i;
1261 int retval;
1262 struct mbo *mbo;
1263 u16 coherent_buf_size = c->cfg.buffer_size + c->cfg.extra_len;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We could have an integer overflow here.
1264
1265 atomic_set(&c->mbo_nq_level, 0);
1266
1267 for (i = 0; i < c->cfg.num_buffers; i++) {
1268 mbo = kzalloc(sizeof(*mbo), GFP_KERNEL);
1269 if (!mbo) {
1270 pr_info("WARN: Allocation of MBO failed.\n");
1271 retval = i;
1272 goto _exit;
1273 }
1274 mbo->context = c;
1275 mbo->ifp = c->iface;
1276 mbo->hdm_channel_id = c->channel_id;
1277 mbo->virt_address = dma_alloc_coherent(NULL,
1278 coherent_buf_size,
^^^^^^^^^^^^^^^^^
Leading to a smaller than expect size here. I assume this is root
only but the USHRT_MAX is quite small so I could imagine someone hitting
this limit by mistake.
1279 &mbo->bus_address,
1280 GFP_KERNEL);
1281 if (!mbo->virt_address) {
1282 pr_info("WARN: No DMA coherent buffer.\n");
1283 retval = i;
1284 goto _error1;
1285 }
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
