On Thu, Sep 18, 2014 at 11:49:19AM +0300, Octavian Purdila wrote: > On Thu, Sep 18, 2014 at 11:19 AM, Johan Hovold <johan@xxxxxxxxxx> wrote: > > On Wed, Sep 17, 2014 at 01:07:51PM +0300, Octavian Purdila wrote: > >> On Wed, Sep 17, 2014 at 12:44 PM, Johan Hovold <johan@xxxxxxxxxx> wrote: > >> > >> <snip> > >> > >> >> + /* > >> >> + * Buffer to hold the packet for read or write transfers. One > >> >> + * is enough since we can't have multiple transfers in > >> >> + * parallel on the i2c adapter. > >> >> + */ > >> >> + union { > >> >> + struct { > >> >> + u8 port; > >> >> + u8 addr; > >> >> + u8 mem_addr_len; > >> >> + __le32 mem_addr; > >> >> + __le16 buf_len; > >> >> + u8 buf[DLN2_I2C_MAX_XFER_SIZE]; > >> >> + } __packed tx; > >> >> + struct { > >> >> + __le16 buf_len; > >> >> + u8 buf[DLN2_I2C_MAX_XFER_SIZE]; > >> >> + } __packed rx; > >> >> + } buf; > >> > > >> > While this works in this case due to the extra copy you do in > >> > dln2_transfer, allocating buffers that would (generally) be used for DMA > >> > transfers as part of a larger structure is a recipe for trouble. > >> > > >> > It's probably better to allocate separately, if only to prevent people > >> > from thinking there might be a bug here. > >> > > >> > >> Just to make sure I understand this, what could the issues be? The > >> buffers not being aligned or not allocated in continuous physical > >> memory? > > > > Yes, the buffer (and any subsequent field) would have to be cache-line > > aligned to avoid corruption due to cache-line sharing on some systems. > > > > Ah, ok, makes sense now. But is it safe to use kmalloc() in this case? > Does kmalloc() prevent cache line sharing? Yes, it does (as long as you allocate the buffer separately from the containing struct). > >> <snip> > >> > >> >> + > >> >> + rx_buf_len = le16_to_cpu(dln2->buf.rx.buf_len); > >> >> + if (rx_len < rx_buf_len + sizeof(dln2->buf.rx.buf_len)) > >> >> + return -EPROTO; > >> >> + > >> >> + if (data_len > rx_buf_len) > >> >> + data_len = rx_buf_len; > >> > > >> > You're still not checking that the received data does not overflow the > >> > supplied buffer as I already commented on v3. > >> > > >> >> + > >> >> + memcpy(data, dln2->buf.rx.buf, data_len); > >> >> + > >> >> + return data_len; > >> >> +} > >> > >> Hmm, perhaps I am missing something, but we never transfer more then > >> data_len, where data_len is the size of the buffer supplied by the > >> user. > > > > That is the amount of data you request from the device, but you never > > check how much is actually returned. > > > > Actually we check the receive buffer size here: > > if (data_len > rx_buf_len) > data_len = rx_buf_len; > > rx_buf_len is the i2c received payload size while rx_len is the length > of received message Bah, you're right. You never explicitly check for overflow, but also never use more than data_len bytes of the returned buffer. I think you should add explicit checks, and return an error in this case rather than silently truncate the data. > > You really should clean up the error handling of this function as it is > > currently not very readable. > > > > Perhaps adding some comments similar to the the explanation above would help? It's more the logic of this function I find a bit twisted. I think you should clean it up and consider adding appropriately named (temporary) variables to make it more readable. Johan -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html