On Thu, Sep 18, 2014 at 11:19 AM, Johan Hovold <johan@xxxxxxxxxx> wrote: > On Wed, Sep 17, 2014 at 01:07:51PM +0300, Octavian Purdila wrote: >> On Wed, Sep 17, 2014 at 12:44 PM, Johan Hovold <johan@xxxxxxxxxx> wrote: >> >> <snip> >> >> >> + /* >> >> + * Buffer to hold the packet for read or write transfers. One >> >> + * is enough since we can't have multiple transfers in >> >> + * parallel on the i2c adapter. >> >> + */ >> >> + union { >> >> + struct { >> >> + u8 port; >> >> + u8 addr; >> >> + u8 mem_addr_len; >> >> + __le32 mem_addr; >> >> + __le16 buf_len; >> >> + u8 buf[DLN2_I2C_MAX_XFER_SIZE]; >> >> + } __packed tx; >> >> + struct { >> >> + __le16 buf_len; >> >> + u8 buf[DLN2_I2C_MAX_XFER_SIZE]; >> >> + } __packed rx; >> >> + } buf; >> > >> > While this works in this case due to the extra copy you do in >> > dln2_transfer, allocating buffers that would (generally) be used for DMA >> > transfers as part of a larger structure is a recipe for trouble. >> > >> > It's probably better to allocate separately, if only to prevent people >> > from thinking there might be a bug here. >> > >> >> Just to make sure I understand this, what could the issues be? The >> buffers not being aligned or not allocated in continuous physical >> memory? > > Yes, the buffer (and any subsequent field) would have to be cache-line > aligned to avoid corruption due to cache-line sharing on some systems. > Ah, ok, makes sense now. But is it safe to use kmalloc() in this case? Does kmalloc() prevent cache line sharing? >> <snip> >> >> >> + >> >> + rx_buf_len = le16_to_cpu(dln2->buf.rx.buf_len); >> >> + if (rx_len < rx_buf_len + sizeof(dln2->buf.rx.buf_len)) >> >> + return -EPROTO; >> >> + >> >> + if (data_len > rx_buf_len) >> >> + data_len = rx_buf_len; >> > >> > You're still not checking that the received data does not overflow the >> > supplied buffer as I already commented on v3. >> > >> >> + >> >> + memcpy(data, dln2->buf.rx.buf, data_len); >> >> + >> >> + return data_len; >> >> +} >> >> Hmm, perhaps I am missing something, but we never transfer more then >> data_len, where data_len is the size of the buffer supplied by the >> user. > > That is the amount of data you request from the device, but you never > check how much is actually returned. > Actually we check the receive buffer size here: if (data_len > rx_buf_len) data_len = rx_buf_len; rx_buf_len is the i2c received payload size while rx_len is the length of received message > You really should clean up the error handling of this function as it is > currently not very readable. > Perhaps adding some comments similar to the the explanation above would help? -- To unsubscribe from this list: send the line "unsubscribe linux-gpio" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html