On Sun, Sep 03, 2017 at 10:12:46PM -0400, Brian Masney wrote: > On Sun, Sep 03, 2017 at 12:35:05PM +0100, Jonathan Cameron wrote: > > On Mon, 21 Aug 2017 13:11:03 +0300 > > Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > > > > > The second part of this patch is probably the most interesting. We > > > use "TSL2X7X_MAX_LUX_TABLE_SIZE * 3" as the limit instead of just > > > "TSL2X7X_MAX_LUX_TABLE_SIZE". It creates a static checker warning that > > > we are going of of bounds, but in real life we always hit the break > > > statement on the last element so it's fine. > > > > > > The situation is that we normally have arrays with 3 elements of struct > > > tsl2x7x_lux which has 3 unsigned integers. If we load the table with > > > sysfs then we're allow to have 9 elements instead. > > > > > > So the size of the default table in bytes is sizeof(int) times 3 struct > > > members times 3 elements. The original code wrote it as sizeof(int) > > > times the number of elements in the bigger table (9). It happens that > > > 9 is the same thing as 3 * 3 but expressing it that way is misleading. > > > > > > For the second part of the patch, the original code just had an extra > > > "multiply by three" and now that is removed. The last element in the > > > array is always zeroed memory whether this uses the default tables or it > > > gets loaded with sysfs so we always hit the break statement anyway. > > > > > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > > > Looks sensible to me. > > > > Cc'd Brian who has been working extensively on this driver recently as I'd > > like his input. > > > > Jonathan > > > > > > diff --git a/drivers/staging/iio/light/tsl2x7x.h b/drivers/staging/iio/light/tsl2x7x.h > > > index ecae92211216..1beb8d2eb848 100644 > > > --- a/drivers/staging/iio/light/tsl2x7x.h > > > +++ b/drivers/staging/iio/light/tsl2x7x.h > > > @@ -23,10 +23,6 @@ > > > #define __TSL2X7X_H > > > #include <linux/pm.h> > > > > > > -/* Max number of segments allowable in LUX table */ > > > -#define TSL2X7X_MAX_LUX_TABLE_SIZE 9 > > > -#define MAX_DEFAULT_TABLE_BYTES (sizeof(int) * TSL2X7X_MAX_LUX_TABLE_SIZE) > > > - > > > struct iio_dev; > > > > > > struct tsl2x7x_lux { > > > @@ -35,6 +31,11 @@ struct tsl2x7x_lux { > > > unsigned int ch1; > > > }; > > > > > > +/* Max number of segments allowable in LUX table */ > > > +#define TSL2X7X_MAX_LUX_TABLE_SIZE 9 > > > +/* The default tables are all 3 elements */ > > > +#define MAX_DEFAULT_TABLE_BYTES (sizeof(struct tsl2x7x_lux) * 3) > > > + > > > /** > > > * struct tsl2x7x_default_settings - power on defaults unless > > > * overridden by platform data. > > > diff --git a/drivers/staging/iio/light/tsl2x7x.c b/drivers/staging/iio/light/tsl2x7x.c > > > index 786e93f16ce9..2db1715ff659 100644 > > > --- a/drivers/staging/iio/light/tsl2x7x.c > > > +++ b/drivers/staging/iio/light/tsl2x7x.c > > > @@ -1113,7 +1113,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev, > > > int i = 0; > > > int offset = 0; > > > > > > - while (i < (TSL2X7X_MAX_LUX_TABLE_SIZE * 3)) { > > > + while (i < TSL2X7X_MAX_LUX_TABLE_SIZE) { > > > offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,%u,", > > > chip->tsl2x7x_device_lux[i].ratio, > > > chip->tsl2x7x_device_lux[i].ch0, > > There is a minor issue regarding the structure sizes in with both this > patch and the in-tree code. The following two structures define nine > rows in the lux table: > > tsl2x7x.h: > #define TSL2X7X_MAX_LUX_TABLE_SIZE 9 > > struct tsl2X7X_platform_data { > ... > struct tsl2x7x_lux platform_lux_table[TSL2X7X_MAX_LUX_TABLE_SIZE]; > } > > tsl2x7x.c: > struct tsl2X7X_chip { > ... > struct tsl2x7x_lux tsl2x7x_device_lux[TSL2X7X_MAX_LUX_TABLE_SIZE]; > } > > tsl2x7x_defaults() has this code snippet: > > memcpy(chip->tsl2x7x_device_lux, > (struct tsl2x7x_lux *)tsl2x7x_default_lux_table_group[chip->id], > MAX_DEFAULT_TABLE_BYTES); > > With the old and new code, memcpy will only copy the first three rows of > the lux table. There is no security issue though with the actual > implementation since the four *_lux_table structures that are defined in > code only have three rows defined. Agreed. > > I believe that the correct fix is to define MAX_DEFAULT_TABLE_BYTES in > Dan's patch as follows (and keeping his other changes): > > #define MAX_DEFAULT_TABLE_BYTES (sizeof(struct tsl2x7x_lux) * > TSL2X7X_MAX_LUX_TABLE_SIZE) > > We may also want to shorten those #defines to keep it under 80 > characters. > That's not a good idea because we would be filling chip->tsl2x7x_device_lux with garbage from beyond the end of the tsl2x7x_default_lux_table_group[] element. It would be harmless but ugly. We could just add a: memset(chip->tsl2x7x_device_lux, 0, sizeof(chip->tsl2x7x_device_lux)); to the start of the tsl2x7x_defaults() and the in_illuminance0_lux_table_store() functions. But I don't really see a need... This code will need to be restructured a bit if we start using different sized default tables, yes, but we can't really "future proof" this code without seeing what the future change is. regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html