Date:   Fri, 4 Dec 2020 15:41:30 +0100
From:   Johan Hovold <johan@...nel.org>
To:     Anant Thazhemadam <anant.thazhemadam@...il.com>
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 05/15] usb: misc: emi26: update to use
 usb_control_msg_send()

On Mon, Nov 30, 2020 at 06:58:47AM +0530, Anant Thazhemadam wrote:
> The newer usb_control_msg_{send|recv}() API are an improvement on the
> existing usb_control_msg() as it ensures that a short read/write is treated
> as an error,

Short writes have always been treated as an error. The new send helper
only changes the return value from the transfer size to 0.

And this driver never reads.

Try to describe the motivation for changing this driver which is to
avoid the explicit kmemdup().

> data can be used off the stack, and raw usb pipes need not be
> created in the calling functions.
> For this reason, the instance of usb_control_msg() has been replaced with
> usb_control_msg_send() appropriately.
> 
> Signed-off-by: Anant Thazhemadam <anant.thazhemadam@...il.com>
> ---
>  drivers/usb/misc/emi26.c | 31 ++++++++-----------------------
>  1 file changed, 8 insertions(+), 23 deletions(-)
> 
> diff --git a/drivers/usb/misc/emi26.c b/drivers/usb/misc/emi26.c
> index 24d841850e05..1dd024507f40 100644
> --- a/drivers/usb/misc/emi26.c
> +++ b/drivers/usb/misc/emi26.c
> @@ -27,7 +27,7 @@
>  #define INTERNAL_RAM(address)   (address <= MAX_INTERNAL_ADDRESS)
>  
>  static int emi26_writememory( struct usb_device *dev, int address,
> -			      const unsigned char *data, int length,
> +			      const void *data, int length,

Why is this needed?

>  			      __u8 bRequest);
>  static int emi26_set_reset(struct usb_device *dev, unsigned char reset_bit);
>  static int emi26_load_firmware (struct usb_device *dev);
> @@ -35,22 +35,12 @@ static int emi26_probe(struct usb_interface *intf, const struct usb_device_id *i
>  static void emi26_disconnect(struct usb_interface *intf);
>  
>  /* thanks to drivers/usb/serial/keyspan_pda.c code */
> -static int emi26_writememory (struct usb_device *dev, int address,
> -			      const unsigned char *data, int length,
> +static int emi26_writememory(struct usb_device *dev, int address,
> +			      const void *data, int length,
>  			      __u8 request)
>  {
> -	int result;
> -	unsigned char *buffer =  kmemdup(data, length, GFP_KERNEL);
> -
> -	if (!buffer) {
> -		dev_err(&dev->dev, "kmalloc(%d) failed.\n", length);
> -		return -ENOMEM;
> -	}
> -	/* Note: usb_control_msg returns negative value on error or length of the
> -	 * 		 data that was written! */
> -	result = usb_control_msg (dev, usb_sndctrlpipe(dev, 0), request, 0x40, address, 0, buffer, length, 300);
> -	kfree (buffer);
> -	return result;
> +	return usb_control_msg_send(dev, 0, request, 0x40, address, 0,
> +				    data, length, 300, GFP_KERNEL);

So you're changing the return value on success from length to 0 here.
Did you make sure that all callers can handle that?

>  }
>  
>  /* thanks to drivers/usb/serial/keyspan_pda.c code */
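Review bot: The rewritten emi26_writememory() removes the comment that documented the return value and puts nothing in its place, even though the success value is no longer the transfer length. A one-line comment above the return, for example `/* Returns 0 on success or a negative errno. */`, would make the new contract visible to anyone auditing callers that may still expect a length. As a style point, the request type `0x40` would read more clearly as `USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE`.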
> @@ -77,11 +67,7 @@ static int emi26_load_firmware (struct usb_device *dev)
>  	int err = -ENOMEM;
>  	int i;
>  	__u32 addr;	/* Address to write */
> -	__u8 *buf;
> -
> -	buf = kmalloc(FW_LOAD_SIZE, GFP_KERNEL);
> -	if (!buf)
> -		goto wraperr;
> +	__u8 buf[FW_LOAD_SIZE];

As the build bots reported, you must not put large structures like this
on the stack.

>  
>  	err = request_ihex_firmware(&loader_fw, "emi26/loader.fw", &dev->dev);
>  	if (err)
> @@ -133,11 +119,11 @@ static int emi26_load_firmware (struct usb_device *dev)
>  
>  		/* intel hex records are terminated with type 0 element */
>  		while (rec && (i + be16_to_cpu(rec->len) < FW_LOAD_SIZE)) {
> -			memcpy(buf + i, rec->data, be16_to_cpu(rec->len));
> +			memcpy(&buf[i], rec->data, be16_to_cpu(rec->len));
>  			i += be16_to_cpu(rec->len);
>  			rec = ihex_next_binrec(rec);
>  		}
> -		err = emi26_writememory(dev, addr, buf, i, ANCHOR_LOAD_FPGA);
> +		err = emi26_writememory(dev, addr, &buf, i, ANCHOR_LOAD_FPGA);
>  		if (err < 0)
>  			goto wraperr;
>  	} while (rec);
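Review bot: The call `emi26_writememory(dev, addr, &buf, i, ANCHOR_LOAD_FPGA)` passes the address of the array instead of the array itself. It has the same value, but its type is `__u8 (*)[FW_LOAD_SIZE]`, and it appears to compile cleanly only because the prototype was loosened to `const void *`. Passing `buf` would keep the `const unsigned char *` parameter usable and let the compiler keep checking the argument type: `err = emi26_writememory(dev, addr, buf, i, ANCHOR_LOAD_FPGA);`. Likewise, `buf + i` in the memcpy did not need to become `&buf[i]`. The record lengths copied here come from the firmware image, so the bound in the loop condition is what protects this buffer and is worth keeping easy to read; the enclosing function starts and ends outside this hunk.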
> @@ -211,7 +197,6 @@ static int emi26_load_firmware (struct usb_device *dev)
>  	release_firmware(bitstream_fw);
>  	release_firmware(firmware_fw);
>  
> -	kfree(buf);
>  	return err;
>  }

Looks good otherwise.

Johan
